Version 6 - History - GTI9300PARAM - Replicant

GTI9300PARAM » History » Version 6

Denis 'GNUtoo' Carikli, 01/31/2022 09:18 AM
Add toc

-Denis 'GNUtoo'  Carikli
+{{toc}}
-Denis 'GNUtoo'  Carikli
+h1. GTI9300PARAM
 You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like that:
 <pre>
 adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img
 </pre>
 That file at first looks like a tar archive.
 <pre>
 $ file PARAM.img
 PARAM.img: POSIX tar archive (GNU)
 </pre>
 And it indeed does contain a tarball:
 <pre>
 $ tar tvf PARAM.img
 -rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img
 -rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg
 -rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg
 -rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg
 -rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg
 -rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg
 -rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg
 -rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg
 -rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg
 -rw-r--r-- se.infra/se.infra  9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg
 -rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg
 -rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg
 -rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg
 -rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg
 -rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg
 -rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg
 -rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg
 -rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg
 -rwxr-xr-x se.infra/se.infra  5851 2013-11-28 13:33 sud_0.jpg
 -rwxr-xr-x se.infra/se.infra  2713 2013-11-28 13:33 sud_1.jpg
 -rwxr-xr-x se.infra/se.infra  5634 2013-11-28 13:33 sud_2.jpg
 -rwxr-xr-x se.infra/se.infra  6292 2013-11-28 13:33 sud_3.jpg
 -rwxr-xr-x se.infra/se.infra  4604 2013-11-28 13:33 sud_4.jpg
 -rwxr-xr-x se.infra/se.infra  5706 2013-11-28 13:33 sud_5.jpg
 -rwxr-xr-x se.infra/se.infra  6792 2013-11-28 13:33 sud_6.jpg
 -rwxr-xr-x se.infra/se.infra  3885 2013-11-28 13:33 sud_7.jpg
 -rwxr-xr-x se.infra/se.infra  6826 2013-11-28 13:33 sud_8.jpg
 -rwxr-xr-x se.infra/se.infra  6528 2013-11-28 13:33 sud_9.jpg
 -rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg
 </pre>
 The size of the PARAM.img file is exactly 8MiB:
 <pre>
 $ ls -lah PARAM.img
 [...] 8.0M [...] PARAM.img
 $ ls -la PARAM.img
 [...] 8388608 [...] PARAM.img
 </pre>
 And we can get the size of the tarball with --totals:
 <pre>
 $ man tar
   [...]
   --totals[=SIGNAL]
          Print  total bytes after processing the archive. [...]
 </pre>
 For example:
 <pre>
 $ tar  --totals -tf PARAM.img
 adv-env.img
 [many files]
 warning.jpg
 Total bytes read: 911360 (890KiB, 286MiB/s)
 </pre>
 So here the tarball terminates way beyond the end.
 is 0xde800:
 <pre>
 $ python
 [...]
 >>> hex(911360)
 '0xde800'
 </pre>
 But we still have things after the tarball:
 <pre>
 $ hexdump -C PARAM.img
 dd4a0  05 00 14 00 50 07 ff d9  00 00 00 00 00 00 00 00  |....P...........|
 dd4b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00700000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00700010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00700200  00 00 00 00 03 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00700210  00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  |................|
 00700220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00700230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00700240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00  ff ff ff ff ff ef 7f ff  |................|
 e30  ff ff f7 ff ff ff f7 ff  ff fe ff ff ff ff 7f ff  |................|
 e40  fb ef ff ff ff fb ff df  ff ff ff ff ff ff ff ff  |................|
 e50  df bf ff ff 7f ef f7 ff  f7 ff ff ff ff fe ff ff  |................|
 e60  ff ff ff ff ef fb ff ef  ff fb ff ff fd ff f7 ef  |................|
 e70  ff ff ff ff f5 ff ff ff  ff ff ff ff ff ff ff ff  |................|
 e80  ff ff ff fe ff ef ff ff  ff bf fd ff ff ff ff ff  |................|
 e90  ff ff ff ff ff ff f7 fb  ff ff ff eb ff ff ff eb  |................|
 ea0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 eb0  ff ff ff ff ff ff ff ff  ff ff ff df ff ff ff ff  |................|
 ec0  ff ff ff ff ff ff f7 ff  ff ff ff ff ff ff ff ff  |................|
 ed0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 ee0  df ff ff ff ff ff ff ff  ff ff ff ff ff ff d7 ff  |................|
 ef0  ff ff ff af ff ff ff fe  ff ff ff ff ff ff ff ff  |................|
 f00  ff ef ff ff ff 7f ff ff  ff df ff ff f7 ff ff ff  |................|
 f10  ff ff ff ff ff ff ff ff  ff ff ff ef ff ff f7 ff  |................|
 f20  ff ff ff ff ff ff ff ff  ff fe ef ff ff ef fb df  |................|
 f30  ff ff ff ff ff fb ff ff  ff ff ff ff ff ff ff ff  |................|
 f40  ff ff f5 ff ff ff ff fb  ff ff ff ff ff ff ff ff  |................|
 f50  fb ff ff fb fd ff ff ff  ff ff ff ff ff ff ff ff  |................|
 f60  f7 ff ff ef f7 ff ff ef  ff ff ff ff ff 9e ff fd  |................|
 f70  ff ff ff ff fb ff ff de  f3 fb ff ff ff ef df ff  |................|
 f80  ff ff ff ff ff fb ff bf  ff ff ff ff ff ff ff fd  |................|
 f90  ff fe f7 fe ff eb ff ff  ff fb ff ff df ff ff ff  |................|
 fa0  df ff ff ff ff ff ff ff  ff ff fb ff ff ff ff fb  |................|
 fb0  ff ff ff df ff ff ff ff  fe fe fe ff ff f7 ff ff  |................|
 fc0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff fb  |................|
 fd0  fd ff ff ff ff fd ff ff  ff ff ff ff fe ff ff ff  |................|
 fe0  ff ff df ff ff ff ff fb  ff ff ff ff ff ff ff ff  |................|
 ff0  ff f7 df ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00701000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 ffc00  d4 ad 55 ff 52 e9 ed 4c  f8 d1 9c 08 79 b6 e9 6c  |..U.R..L....y..l|
 ffc10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00800000
 </pre>
 Questions:
 * Can we ignore what is after the tarball and grow it to 8MiB?
 * Does what's after contains encrypted data for the bootloader?
 Denis 'GNUtoo'  Carikli
 h2. adv_env.img
 Here's the content of the adv-env.img file:
 <pre>
 $ hexdump -C adv-env.img
 00000000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00000200  04 00 00 00 01 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00000230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00                           |........|
 e28
 </pre>
 Questions:
 * Why are the kernel parameters repeated again after the end of the tarball?
 * Where are the updated kernel parameters stored?
 * Are the default and in-use kernel parameters stored at different location?
 Denis 'GNUtoo'  Carikli
 h2. kenrel command line
 *Default kernel command line*: @console=ram loglevel=4@
 Test:
 * change to @console=ram loglevel=8@ through the bootloader setenv command
 * run saveenv
 * reboot and validate that it's really changed with printenv
 * observe the results on the filesystem
 See [[MidasBootloader]] for more details on how to change the command line parameters.
 After changing the environment variable, we still have loglevel=4 in the adv-env.img file that is in the tarball:
 adv-env.img
 <pre>
 $ hexdump -C adv-env.img
 00000000  03 00 fe ca 00 01 00 00  00 00 00 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 00000200  04 00 00 00 01 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00000230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 34 00 00  |ram loglevel=4..|
 00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 e20  00 00 00 00 00 00 00 00                           |........|
 e28
 </pre>
 So these must be the default parameters.
 And the actual kernel parameters were instead saved after the tarball:
 <pre>
 $ hexdump PARAM.img
+*
 00700200  00 00 00 00 03 00 00 00  4c 4f 00 00 00 00 00 00  |........LO......|
 00700210  00 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00  |................|
 00700220  00 00 00 00 00 00 00 00  63 6f 6e 73 6f 6c 65 3d  |........console=|
 00700230  72 61 6d 20 6c 6f 67 6c  65 76 65 6c 3d 38 00 00  |ram loglevel=8..|
 00700240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
 </pre>
 *Results:*
 * Since the s-boot 4.0 bootloader on several Exynos 4412 devices (GT-I9300, GT-I9305, GT-N7100, GT-N7105) doesn't take into account the boot.img kenrel parameters, we can then try to change them by editing the PARAM.img after the tarball.
 * There is valuable info after the tarball => don't make the tarball grow too much.
 Denis 'GNUtoo'  Carikli
 h2. USB switch
 On a GT-I9300, if I set the address @0x00700204@ to @00@, it switch to the USB to the modem's USB, and @Bus 002 Device 095: ID 1519:0020 Comneon HSIC Device@ appears when connecting the GT-I9300 to a computer.
 When I set it back to @01@, I can have ADB again.
-Denis 'GNUtoo'  Carikli
+Here's the diff:
 <pre>
-Denis 'GNUtoo'  Carikli
+$ vbindiff PARAM.img PARAM.img.new
 PARAM.img
-Denis 'GNUtoo'  Carikli
+0204: 00 00 00 00 4C 4F 00 00  00 00 00 00 00 00 00 00  ....LO.. ........
 0214: 03 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0224: 00 00 00 00 63 6F 6E 73  6F 6C 65 3D 72 61 6D 20  ....cons ole=ram
 0234: 6C 6F 67 6C 65 76 65 6C  3D 38 00 00 00 00 00 00  loglevel =8......
 0244: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0254: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0264: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0274: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0284: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0294: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 PARAM.img.new
 0204: 01 00 00 00 4C 4F 00 00  00 00 00 00 00 00 00 00  ....LO.. ........
 0214: 03 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0224: 00 00 00 00 63 6F 6E 73  6F 6C 65 3D 72 61 6D 20  ....cons ole=ram
 0234: 6C 6F 67 6C 65 76 65 6C  3D 38 00 00 00 00 00 00  loglevel =8......
 0244: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0254: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0264: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0274: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0284: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 0294: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02A4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02B4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02C4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02D4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02E4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 02F4: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │Arrow keys move  F find      RET next difference  ESC quit  T move top        │
 │C ASCII/EBCDIC   E edit file   G goto position      Q quit  B move bottom     │
 └──────────────────────────────────────────────────────────────────────────────┘
 </pre>
 You can also get that behavior with the stock OS if you go to the phone application and enter *#7284# and set "USB" to
 "MODEM" and tap "SAVE and RESET". After that phone will reboot and you'll see the modem when connecting the GT-I9300 to a computer through USB.

Project

General

Profile

Replicant

GTI9300PARAM » History » Version 6