Version 18 - History - GTI9300PARAM - Replicant

GTI9300PARAM » History » Version 18

Denis 'GNUtoo' Carikli, 02/01/2022 04:22 AM

-Denis 'GNUtoo'  Carikli
+{{toc}}
-Denis 'GNUtoo'  Carikli
+h1. GTI9300PARAM
-Denis 'GNUtoo'  Carikli
+h2. Structure
-Denis 'GNUtoo'  Carikli
+| Start (included) | End (included) | size       | Content                                                  |
 | 0x000000         | 0x0de800 - 1   | 890 KiB    | [[GTI9300PARAM#Tarball|Tarball]]                         |
 | around 0x000228  | ?              |            | [[GTI9300PARAM#Kernel command line|Kernel command line]] |
 | 0x700204         | 0x700204       | 1 byte     | [[GTI9300PARAM#USB switch|USB switch]]
                                                    @0x00@: MODEM USB routed to the USB connector
                                                    @0x01@: SOC USB routed to the USB connector              |
 | 0x700208         | 0x700208       | 1 byte     | [[GTI9300PARAM#Modem debug level|Modem debug level]]
                                                    @LO@: Modem debug level set to @LOW@
                                                    @MI@: Modem debug level set to @MEDIUM@
                                                    @HI@: Modem debug level set to @HIGH@                    |
 | 0x7FFC00         | 0x7FFC0F       | 16 bytes   | [[GTI9300PARAM#Modem debug level|checksum]]              |
 | 0x7ffc10         | 0x7fffff       | 1008 bytes | MDM settings ?                                           |
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+Size of the partition: 0x800000 (8MiB)
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+h2. Tarball
-Denis 'GNUtoo'  Carikli
+You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like that:
 <pre>
 adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img
 </pre>
 That file at first looks like a tar archive.
 <pre>
 $ file PARAM.img
 PARAM.img: POSIX tar archive (GNU)
 </pre>
 And it indeed does contain a tarball:
 <pre>
 $ tar tvf PARAM.img
 -rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img
 -rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg
 -rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg
 -rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg
 -rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg
 -rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg
 -rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg
 -rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg
 -rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg
 -rw-r--r-- se.infra/se.infra  9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg
 -rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg
 -rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg
 -rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg
 -rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg
 -rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg
 -rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg
 -rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg
 -rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg
 -rwxr-xr-x se.infra/se.infra  5851 2013-11-28 13:33 sud_0.jpg
 -rwxr-xr-x se.infra/se.infra  2713 2013-11-28 13:33 sud_1.jpg
 -rwxr-xr-x se.infra/se.infra  5634 2013-11-28 13:33 sud_2.jpg
 -rwxr-xr-x se.infra/se.infra  6292 2013-11-28 13:33 sud_3.jpg
 -rwxr-xr-x se.infra/se.infra  4604 2013-11-28 13:33 sud_4.jpg
 -rwxr-xr-x se.infra/se.infra  5706 2013-11-28 13:33 sud_5.jpg
 -rwxr-xr-x se.infra/se.infra  6792 2013-11-28 13:33 sud_6.jpg
 -rwxr-xr-x se.infra/se.infra  3885 2013-11-28 13:33 sud_7.jpg
 -rwxr-xr-x se.infra/se.infra  6826 2013-11-28 13:33 sud_8.jpg
 -rwxr-xr-x se.infra/se.infra  6528 2013-11-28 13:33 sud_9.jpg
 -rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg
 </pre>
 The size of the PARAM.img file is exactly 8MiB:
 <pre>
-Denis 'GNUtoo'  Carikli
+$ ls -lah PARAM.img
-Denis 'GNUtoo'  Carikli
+[...] 8.0M [...] PARAM.img
-Denis 'GNUtoo'  Carikli
+$ ls -la PARAM.img
-Denis 'GNUtoo'  Carikli
+[...] 8388608 [...] PARAM.img
 </pre>
 And we can get the size of the tarball with --totals:
 <pre>
 $ man tar
   [...]
   --totals[=SIGNAL]
          Print  total bytes after processing the archive. [...]
 </pre>
 For example:
 <pre>
-Denis 'GNUtoo'  Carikli
+$ tar --totals -tf PARAM.img
-Denis 'GNUtoo'  Carikli
+adv-env.img
 [many files]
 warning.jpg
 Total bytes read: 911360 (890KiB, 286MiB/s)
 </pre>
-Denis 'GNUtoo'  Carikli
+So here the tarball terminates way before the end of the PARAM.img file.
 Denis 'GNUtoo'  Carikli
 is 0xde800:
 <pre>
 $ python
 [...]
 >>> hex(911360)
 '0xde800'
 </pre>
 But we still have things after the tarball:
 <pre>
 $ hexdump -C PARAM.img
 dd4a0  05 00 14 00 50 07 ff d9  00 00 00 00 00 00 00 00  |....P...........|
 dd4b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00700000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00700010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00700200  00 00 00 00 03 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00700210  00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  |................|
 00700220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00700230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00700240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00  ff ff ff ff ff ef 7f ff  |................|
 e30  ff ff f7 ff ff ff f7 ff  ff fe ff ff ff ff 7f ff  |................|
 e40  fb ef ff ff ff fb ff df  ff ff ff ff ff ff ff ff  |................|
 e50  df bf ff ff 7f ef f7 ff  f7 ff ff ff ff fe ff ff  |................|
 e60  ff ff ff ff ef fb ff ef  ff fb ff ff fd ff f7 ef  |................|
 e70  ff ff ff ff f5 ff ff ff  ff ff ff ff ff ff ff ff  |................|
 e80  ff ff ff fe ff ef ff ff  ff bf fd ff ff ff ff ff  |................|
 e90  ff ff ff ff ff ff f7 fb  ff ff ff eb ff ff ff eb  |................|
 ea0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 eb0  ff ff ff ff ff ff ff ff  ff ff ff df ff ff ff ff  |................|
 ec0  ff ff ff ff ff ff f7 ff  ff ff ff ff ff ff ff ff  |................|
 ed0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 ee0  df ff ff ff ff ff ff ff  ff ff ff ff ff ff d7 ff  |................|
 ef0  ff ff ff af ff ff ff fe  ff ff ff ff ff ff ff ff  |................|
 f00  ff ef ff ff ff 7f ff ff  ff df ff ff f7 ff ff ff  |................|
 f10  ff ff ff ff ff ff ff ff  ff ff ff ef ff ff f7 ff  |................|
 f20  ff ff ff ff ff ff ff ff  ff fe ef ff ff ef fb df  |................|
 f30  ff ff ff ff ff fb ff ff  ff ff ff ff ff ff ff ff  |................|
 f40  ff ff f5 ff ff ff ff fb  ff ff ff ff ff ff ff ff  |................|
 f50  fb ff ff fb fd ff ff ff  ff ff ff ff ff ff ff ff  |................|
 f60  f7 ff ff ef f7 ff ff ef  ff ff ff ff ff 9e ff fd  |................|
 f70  ff ff ff ff fb ff ff de  f3 fb ff ff ff ef df ff  |................|
 f80  ff ff ff ff ff fb ff bf  ff ff ff ff ff ff ff fd  |................|
 f90  ff fe f7 fe ff eb ff ff  ff fb ff ff df ff ff ff  |................|
 fa0  df ff ff ff ff ff ff ff  ff ff fb ff ff ff ff fb  |................|
 fb0  ff ff ff df ff ff ff ff  fe fe fe ff ff f7 ff ff  |................|
 fc0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 fd0  fd ff ff ff ff fd ff ff  ff ff ff ff fe ff ff ff  |................|
 fe0  ff ff df ff ff ff ff fb  ff ff ff ff ff ff ff ff  |................|
 ff0  ff f7 df ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00701000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 ffc00  d4 ad 55 ff 52 e9 ed 4c  f8 d1 9c 08 79 b6 e9 6c  |..U.R..L....y..l|
 ffc10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00800000
 </pre>
 Questions:
 * Can we ignore what is after the tarball and grow it to 8MiB?
-Denis 'GNUtoo'  Carikli
+* Does what's after contains encrypted data for the bootloader?
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+h3. adv_env.img
 Denis 'GNUtoo'  Carikli
 Here's the content of the adv-env.img file:
 <pre>
-Denis 'GNUtoo'  Carikli
+$ hexdump -C adv-env.img
-Denis 'GNUtoo'  Carikli
+00000000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00000200  04 00 00 00 01 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00000230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00                           |........|
 e28
 </pre>
 Questions:
 * Why are the kernel parameters repeated again after the end of the tarball?
 * Where are the updated kernel parameters stored?
-Denis 'GNUtoo'  Carikli
+* Are the default and in-use kernel parameters stored at different location?
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+h2. Kernel command line
 Denis 'GNUtoo'  Carikli
 *Default kernel command line*: @console=ram loglevel=4@
-Denis 'GNUtoo'  Carikli
+Test:
-Denis 'GNUtoo'  Carikli
+* change to @console=ram loglevel=8@ through the bootloader setenv command
-Denis 'GNUtoo'  Carikli
+* run saveenv
-Denis 'GNUtoo'  Carikli
+* reboot and validate that it's really changed with printenv
 * observe the results on the filesystem
 See [[MidasBootloader]] for more details on how to change the command line parameters.
 After changing the environment variable, we still have loglevel=4 in the adv-env.img file that is in the tarball:
 adv-env.img
 <pre>
-Denis 'GNUtoo'  Carikli
+$ hexdump -C adv-env.img
-Denis 'GNUtoo'  Carikli
+00000000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00000200  04 00 00 00 01 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00000230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00                           |........|
 e28
 </pre>
 So these must be the default parameters.
 And the actual kernel parameters were instead saved after the tarball:
 <pre>
 $ hexdump PARAM.img
+*
 00700200  00 00 00 00 03 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00700210  00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  |................|
 00700220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00700230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 38 00 00  |ram loglevel=8..|
 00700240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 </pre>
-Denis 'GNUtoo'  Carikli
+*Results:*
-Denis 'GNUtoo'  Carikli
+* Since the s-boot 4.0 bootloader on several Exynos 4412 devices (GT-I9300, GT-I9305, GT-N7100, GT-N7105) doesn't take into account the boot.img kenrel parameters, we can then try to change them by editing the PARAM.img after the tarball.
 * There is valuable info after the tarball => don't make the tarball grow too much.
 Denis 'GNUtoo'  Carikli
 h2. USB switch
 On a GT-I9300, if I set the address @0x00700204@ to @00@, it switch to the USB to the modem's USB, and @Bus 002 Device 095: ID 1519:0020 Comneon HSIC Device@ appears when connecting the GT-I9300 to a computer.
 When I set it back to @01@, I can have ADB again.
-Denis 'GNUtoo'  Carikli
+Here's the diff:
 <pre>
-Denis 'GNUtoo'  Carikli
+$ vbindiff PARAM.img PARAM.img.new
 PARAM.img
-Denis 'GNUtoo'  Carikli
+0204: 00 00 00 00 4C 4F 00 00  00 00 00 00 00 00 00 00  ....LO.. ........
 0214: 03 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0224: 00 00 00 00 63 6F 6E 73  6F 6C 65 3D 72 61 6D 20  ....cons ole=ram
 0234: 6C 6F 67 6C 65 76 65 6C  3D 38 00 00 00 00 00 00  loglevel =8......
 0244: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0254: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0264: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0274: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0284: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0294: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 PARAM.img.new
 0204: 01 00 00 00 4C 4F 00 00  00 00 00 00 00 00 00 00  ....LO.. ........
 0214: 03 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0224: 00 00 00 00 63 6F 6E 73  6F 6C 65 3D 72 61 6D 20  ....cons ole=ram
 0234: 6C 6F 67 6C 65 76 65 6C  3D 38 00 00 00 00 00 00  loglevel =8......
 0244: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0254: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0264: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0274: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0284: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0294: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │Arrow keys move  F find      RET next difference  ESC quit  T move top        │
 │C ASCII/EBCDIC   E edit file   G goto position      Q quit  B move bottom     │
 └──────────────────────────────────────────────────────────────────────────────┘
 </pre>
-Denis 'GNUtoo'  Carikli
+At the next boot the s-boot bootloader will then configure the USB switch to connect to the modem USB.
 You can also get that behavior with the stock OS if you go to the phone application and enter @*#7284#@ and set @USB@ to
 @MODEM@ and then click on the @SAVE and RESET@ button. It will then reboot the phone automatically.
 Note that in both case (when doing it manually with Replicant or through the stock OS):
 * ADB will not work anymore in Replicant, the recovery and the stock OS
 * Heimdall may not work anymore
 so you need a plan to be able to recovery from it.
 If you run the stock OS, you can't count on recoveries as it tend to replace them the recoveries with its own recovery, but you can still use @*#7284#@ to change @USB@ back to @PDA@ instead of @MODEM@.
 With Replicant, you can enable the terminal, adb and root for adb and applications in the developers settings, and once that is done, through the terminal application you can get root with @su@ and then type the following command to enable adb again:
 <pre>
 echo PDA > /sys/devices/virtual/sec/switch/usb_sel
 </pre>
 as this command is temporary (until the next reboot), you'll have to edit again the @PARAM@ partition and copy the modified @PARAM@ image to the @PARAM@ partition with @dd@.
 Denis 'GNUtoo'  Carikli
 h2. Modem debug level
 In the stock OS, if we go to the phone application and dial @*#9900#@ and change the @Debug Level Enabled@ (@LOW@ @MEDIUM@ and @HIGH@ are available), the PARAM partition will be modified (and then the phone will be rebooted):
 Here we switched the setting from @LOW@ to @MEDIUM@, and it produces a difference at @0x700208@:
 <pre>
 $ vbindiff low-2/PARAM.img medium-2/PARAM.img
 low-2/PARAM.img
 0208: 4C 4F 00 00 00 00 00 00  00 00 00 00 03 00 00 00  LO...... ........
 0218: 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0228: 63 6F 6E 73 6F 6C 65 3D  72 61 6D 20 6C 6F 67 6C  console= ram logl
 0238: 65 76 65 6C 3D 38 00 00  00 00 00 00 00 00 00 00  evel=8.. ........
 0248: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0258: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0268: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0278: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0288: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0298: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 medium-2/PARAM.img
 0208: 4D 49 00 00 00 00 00 00  00 00 00 00 03 00 00 00  MI...... ........
 0218: 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0228: 63 6F 6E 73 6F 6C 65 3D  72 61 6D 20 6C 6F 67 6C  console= ram logl
 0238: 65 76 65 6C 3D 38 00 00  00 00 00 00 00 00 00 00  evel=8.. ........
 0248: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0258: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0268: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0278: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0288: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0298: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F8: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │Arrow keys move  F find      RET next difference  ESC quit  T move top        │
 │C ASCII/EBCDIC   E edit file   G goto position      Q quit  B move bottom     │
 └──────────────────────────────────────────────────────────────────────────────┘
 </pre>
 And here's what happens when switching from @MEDIUM@ to @HIGH@:
 <pre>
 $ vbindiff medium-2/PARAM.img high-1/PARAM.img
 medium-2/PARAM.img
 0200: 00 00 00 00 01 00 00 00  4D 49 00 00 00 00 00 00  ........ MI......
 0210: 00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  ........ ........
 0220: 00 00 00 00 00 00 00 00  63 6F 6E 73 6F 6C 65 3D  ........ console=
 0230: 72 61 6D 20 6C 6F 67 6C  65 76 65 6C 3D 38 00 00  ram logl evel=8..
 0240: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0250: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0260: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0270: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0280: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0290: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 high-1/PARAM.img
 0200: 00 00 00 00 01 00 00 00  48 49 00 00 00 00 00 00  ........ HI......
 0210: 00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  ........ ........
 0220: 00 00 00 00 00 00 00 00  63 6F 6E 73 6F 6C 65 3D  ........ console=
 0230: 72 61 6D 20 6C 6F 67 6C  65 76 65 6C 3D 38 00 00  ram logl evel=8..
 0240: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0250: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0260: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0270: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0280: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0290: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │Arrow keys move  F find      RET next difference  ESC quit  T move top        │
 │C ASCII/EBCDIC   E edit file   G goto position      Q quit  B move bottom     │
 └──────────────────────────────────────────────────────────────────────────────┘
 </pre>
 Unfortunately in both cases, it also changes what appears to be a checksum:
 <pre>
 $ vbindiff medium-2/PARAM.img high-1/PARAM.img
 medium-2/PARAM.img
 F FC00: 0D 4D 03 C0 FD 5C A8 D1  2B 14 25 76 03 51 C5 27  .M...\.. +.%v.Q.'
 F FC10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC20: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC30: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC40: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC50: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC60: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC70: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC80: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC90: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCA0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCB0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCC0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCD0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCE0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCF0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 high-1/PARAM.img
 F FC00: 67 39 08 85 9C 4A FE B8  65 47 9C C8 BB 95 DF B7  g9...J.. eG......
 F FC10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC20: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC30: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC40: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC50: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC60: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC70: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC80: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FC90: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCA0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCB0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCC0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCD0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCE0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 F FCF0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │Arrow keys move  F find      RET next difference  ESC quit  T move top        │
 │C ASCII/EBCDIC   E edit file   G goto position      Q quit  B move bottom     │
 └──────────────────────────────────────────────────────────────────────────────┘
 </pre>
 To capture that I had to :
 * Set the desired setting (through the phone application after dialing @$*#9900#@ and let it reboot
 * then shut down the phone
 * Then boot into the download mode
 * then flash a Replicant recovery with root to @BOOT@ (do not flash it to RECOVERY)
 * Then to dump the PARAM partition
 * Then to reboot to the bootloader
 * Then to flash back the stock OS BOOT
 If for some reason I rebooted to the RECOVERY partition, the setting would be changed back to @LOW@ (this was verified by dialing @*#9900#@ and then looking at the setting value without changing it).
 Denis 'GNUtoo'  Carikli
-Denis 'GNUtoo'  Carikli
+I then tried to workaround the checksum issue by just reusing as-is the PARAM with @LOW@/@MEDIUM@/@HIGH@ and potentially modifying them on top to switch the modem routing to the SOC or the modem USB (as that doesn't affect the checksum).
 That worked fine with the stock OS, we can see the settings being changed (from @LOW@ to @HIGH@ for instance) after dialing @*#9900#@, and by reflashing a Replicant recovery with root to the BOOT partition (and reflashing the stock BOOT after that), I could verify that PARAM wasn't modified again after that and that the changes were really taken into account.
 But after installing Replicant (still by using the recovery in the BOOT partition and by verifying that the @PARAM@ partition hasn't been modified) once we boot in Replicant we don't have any messages anymore through xgoldmon, even with the USB routing to the modem USB and the debug to @HIGH@. With LineageOS (so with the nonfree samsung RIL library instead of the free software implementation), debug messages didn't appear either on /dev/ttyACM1 with xgoldmon.
 What enables that debug function could also be in userspace:
 * In the stock OS, some applications can send samsung-ipc commands[1] (and that even contains a security issue), so maybe it works through that. Though we can see what is sent to the modem by looking at what goes through the kernel.
 * There might also be code in userspace to parse the PARAM partition, including how to change the MDM settings (which requires encrypting / decrypting the data at the end of the PARAM partition), so it might also be a way that the data is retrieved from param.
 fn1. https://roberto.greyhats.it/2016/05/samsung-access-rild.html
 fn2. [[AcademicPapersAndPresentations#Forensics-acquisition-Analysis-and-circumvention-of-samsung-secure-boot-enforced-common-criteria-mode|Forensics acquisition — Analysis and circumvention of samsung secure boot enforced common criteria mode]]
-Denis 'GNUtoo'  Carikli
+h2. See also
 * The [[AcademicPapersAndPresentations#Forensics-acquisition-Analysis-and-circumvention-of-samsung-secure-boot-enforced-common-criteria-mode|Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode]] paper has some information about the PARAM partition but it's mostly interested in MDM settings

Project

General

Profile

Replicant

GTI9300PARAM » History » Version 18