Revision 5 (Denis 'GNUtoo' Carikli, 01/31/2022 09:01 AM) → Revision 6/19 (Denis 'GNUtoo' Carikli, 01/31/2022 09:18 AM)

{{toc}} 

 h1. GTI9300PARAM 

 You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like this: 
 <pre> 
 adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img 
 </pre> 

 That file at first looks like a tar archive. 
 <pre> 
 $ file PARAM.img 
 PARAM.img: POSIX tar archive (GNU) 
 </pre> 

 And it indeed does contain a tarball: 
 <pre> 
 $ tar tvf PARAM.img 
 -rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img 
 -rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg 
 -rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg 
 -rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg 
 -rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg 
 -rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg 
 -rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg 
 -rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg 
 -rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg 
 -rw-r--r-- se.infra/se.infra    9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg 
 -rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg 
 -rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg 
 -rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg 
 -rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg 
 -rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg 
 -rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg 
 -rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg 
 -rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg 
 -rwxr-xr-x se.infra/se.infra    5851 2013-11-28 13:33 sud_0.jpg 
 -rwxr-xr-x se.infra/se.infra    2713 2013-11-28 13:33 sud_1.jpg 
 -rwxr-xr-x se.infra/se.infra    5634 2013-11-28 13:33 sud_2.jpg 
 -rwxr-xr-x se.infra/se.infra    6292 2013-11-28 13:33 sud_3.jpg 
 -rwxr-xr-x se.infra/se.infra    4604 2013-11-28 13:33 sud_4.jpg 
 -rwxr-xr-x se.infra/se.infra    5706 2013-11-28 13:33 sud_5.jpg 
 -rwxr-xr-x se.infra/se.infra    6792 2013-11-28 13:33 sud_6.jpg 
 -rwxr-xr-x se.infra/se.infra    3885 2013-11-28 13:33 sud_7.jpg 
 -rwxr-xr-x se.infra/se.infra    6826 2013-11-28 13:33 sud_8.jpg 
 -rwxr-xr-x se.infra/se.infra    6528 2013-11-28 13:33 sud_9.jpg 
 -rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg 
 </pre> 

 The size of the PARAM.img file is exactly 8MiB: 
 <pre> 
 $ ls -lah PARAM.img  
 [...] 8.0M [...] PARAM.img 
 $ ls -la PARAM.img  
 [...] 8388608 [...] PARAM.img 
 </pre> 

 And we can get the size of the tarball with @--totals@: 
 <pre> 
 $ man tar 
   [...] 
   --totals[=SIGNAL] 
          Print total bytes after processing the archive. [...] 
 </pre> 

 For example: 
 <pre> 
 $ tar --totals -tf PARAM.img 
 adv-env.img 
 [many files] 
 warning.jpg 
 Total bytes read: 911360 (890KiB, 286MiB/s) 
 </pre> 

 So the tarball ends well before the end of the 8MiB image. 

 911360 is 0xde800: 
 <pre> 
 $ python 
 [...] 
 >>> hex(911360) 
 '0xde800' 
 </pre> 

 But we still have things after the tarball: 
 <pre> 
 $ hexdump -C PARAM.img 
 000dd4a0    05 00 14 00 50 07 ff d9    00 00 00 00 00 00 00 00    |....P...........| 
 000dd4b0    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00700010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700200    00 00 00 00 03 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00700210    00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    |................| 
 00700220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00700230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00700240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700e20    00 00 00 00 00 00 00 00    ff ff ff ff ff ef 7f ff    |................| 
 00700e30    ff ff f7 ff ff ff f7 ff    ff fe ff ff ff ff 7f ff    |................| 
 00700e40    fb ef ff ff ff fb ff df    ff ff ff ff ff ff ff ff    |................| 
 00700e50    df bf ff ff 7f ef f7 ff    f7 ff ff ff ff fe ff ff    |................| 
 00700e60    ff ff ff ff ef fb ff ef    ff fb ff ff fd ff f7 ef    |................| 
 00700e70    ff ff ff ff f5 ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700e80    ff ff ff fe ff ef ff ff    ff bf fd ff ff ff ff ff    |................| 
 00700e90    ff ff ff ff ff ff f7 fb    ff ff ff eb ff ff ff eb    |................| 
 00700ea0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700eb0    ff ff ff ff ff ff ff ff    ff ff ff df ff ff ff ff    |................| 
 00700ec0    ff ff ff ff ff ff f7 ff    ff ff ff ff ff ff ff ff    |................| 
 00700ed0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700ee0    df ff ff ff ff ff ff ff    ff ff ff ff ff ff d7 ff    |................| 
 00700ef0    ff ff ff af ff ff ff fe    ff ff ff ff ff ff ff ff    |................| 
 00700f00    ff ef ff ff ff 7f ff ff    ff df ff ff f7 ff ff ff    |................| 
 00700f10    ff ff ff ff ff ff ff ff    ff ff ff ef ff ff f7 ff    |................| 
 00700f20    ff ff ff ff ff ff ff ff    ff fe ef ff ff ef fb df    |................| 
 00700f30    ff ff ff ff ff fb ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700f40    ff ff f5 ff ff ff ff fb    ff ff ff ff ff ff ff ff    |................| 
 00700f50    fb ff ff fb fd ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700f60    f7 ff ff ef f7 ff ff ef    ff ff ff ff ff 9e ff fd    |................| 
 00700f70    ff ff ff ff fb ff ff de    f3 fb ff ff ff ef df ff    |................| 
 00700f80    ff ff ff ff ff fb ff bf    ff ff ff ff ff ff ff fd    |................| 
 00700f90    ff fe f7 fe ff eb ff ff    ff fb ff ff df ff ff ff    |................| 
 00700fa0    df ff ff ff ff ff ff ff    ff ff fb ff ff ff ff fb    |................| 
 00700fb0    ff ff ff df ff ff ff ff    fe fe fe ff ff f7 ff ff    |................| 
 00700fc0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700fd0    fd ff ff ff ff fd ff ff    ff ff ff ff fe ff ff ff    |................| 
 00700fe0    ff ff df ff ff ff ff fb    ff ff ff ff ff ff ff ff    |................| 
 00700ff0    ff f7 df ff ff ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00701000    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 007ffc00    d4 ad 55 ff 52 e9 ed 4c    f8 d1 9c 08 79 b6 e9 6c    |..U.R..L....y..l| 
 007ffc10    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00800000 
 </pre> 

 Questions: 
 * Can we ignore what is after the tarball and grow it to 8MiB? 
 * Does what comes after the tarball contain encrypted data for the bootloader? 
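
The layout seen in the dump can be checked mechanically. The following Python sketch is an added example, not part of the original wiki page: it walks the tar headers to find where the archive ends (counted in 10240-byte records, the way @tar --totals@ reports it) and lists the 512-byte blocks after that point that are not all zeros. @build_sample@ and the image it builds are constructed stand-ins; only the offsets are taken from the dump above.

```python
import io
import tarfile

BLOCK = 512           # tar block size
RECORD = 20 * BLOCK   # GNU tar's default record size (blocking factor 20)

def tar_archive_end(img: bytes) -> int:
    """Offset where the archive ends, counted in whole records like tar --totals."""
    off = 0
    while off + BLOCK <= len(img):
        hdr = img[off:off + BLOCK]
        if not any(hdr):                      # all-zero block: end-of-archive marker
            break
        if hdr[257:262] != b"ustar":
            raise ValueError(f"no tar header at {off:#x}")
        size = int(hdr[124:136].rstrip(b" \0") or b"0", 8)   # octal size field
        off += BLOCK + -(-size // BLOCK) * BLOCK             # header + padded data
    return -(-(off + 2 * BLOCK) // RECORD) * RECORD   # + 2 zero blocks, record-padded

def nonzero_extents(img: bytes, start: int) -> list:
    """Runs of 512-byte blocks at or after `start` that hold any non-zero byte."""
    runs = []
    for off in range(start, len(img), BLOCK):
        if any(img[off:off + BLOCK]):
            if runs and runs[-1][1] == off:
                runs[-1][1] = off + BLOCK     # extend the current run
            else:
                runs.append([off, off + BLOCK])
    return [tuple(r) for r in runs]

def build_sample() -> bytes:
    """Constructed 8MiB image; only the offsets mirror the dump, contents are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo("adv-env.img")
        info.size = 3624
        tf.addfile(info, io.BytesIO(b"\x01" * 3624))
    img = bytearray(8 * 1024 * 1024)
    img[:len(buf.getvalue())] = buf.getvalue()
    for off in (0x700000, 0x700228, 0x700E28, 0x7FFC00):
        img[off] = 0xFF                       # stand-ins for the non-zero regions
    return bytes(img)

if __name__ == "__main__":
    img = build_sample()
    end = tar_archive_end(img)
    print(f"tar ends at {end:#x}; non-zero data after it:")
    for first, last in nonzero_extents(img, end):
        print(f"  {first:#x}-{last:#x}")
```

On a real dump, read @PARAM.img@ into @img@ instead of calling @build_sample()@; the gap between the tarball's end and the first extent is the room a repacked tarball has before it reaches other data.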

 h2. adv-env.img 

 Here's the content of the adv-env.img file: 
 <pre> 
 $ hexdump -C adv-env.img  
 00000000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00000010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000200    04 00 00 00 01 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00000210    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 00000220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00000230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00000240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000e20    00 00 00 00 00 00 00 00                             |........| 
 00000e28 
 </pre> 

 Questions: 
 * Why are the kernel parameters repeated again after the end of the tarball? 
 * Where are the updated kernel parameters stored? 
 * Are the default and in-use kernel parameters stored at different locations? 

 h2. Kernel command line 

 *Default kernel command line*: @console=ram loglevel=4@ 

 Test:  
 * change to @console=ram loglevel=8@ through the bootloader setenv command 
 * run saveenv  
 * reboot and validate that it's really changed with printenv 
 * observe the results on the filesystem 

 See [[MidasBootloader]] for more details on how to change the command line parameters. 

 After changing the environment variable, we still have loglevel=4 in the adv-env.img file that is in the tarball: 
 <pre> 
 $ hexdump -C adv-env.img  
 00000000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00000010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000200    04 00 00 00 01 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00000210    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 00000220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00000230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00000240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000e20    00 00 00 00 00 00 00 00                             |........| 
 00000e28 
 </pre> 
 So these must be the default parameters. 

 And the actual kernel parameters were instead saved after the tarball: 
 <pre> 
 $ hexdump -C PARAM.img 
 * 
 00700200    00 00 00 00 03 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00700210    00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    |................| 
 00700220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00700230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 38 00 00    |ram loglevel=8..| 
 00700240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 </pre> 


 *Results:*  
 * Since the s-boot 4.0 bootloader on several Exynos 4412 devices (GT-I9300, GT-I9305, GT-N7100, GT-N7105) doesn't take the boot.img kernel parameters into account, we can try to change them by editing PARAM.img after the tarball. 
 * There is valuable info after the tarball => don't make the tarball grow too much. 
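
To check a hand-edited image before writing it back, compare it with the original dump and confirm that only the command line bytes changed. This Python sketch is an added example, not code from the original page; the offsets come from the dumps above, while treating @03 00 fe ca@ as a signature, the @CMDLINE_WINDOW@ bounds and the constructed sample images are assumptions.

```python
ENV_BASE = 0x700000                   # region after the tarball, from the dump
ENV_MAGIC = bytes.fromhex("0300feca") # leading bytes there and in adv-env.img
CMDLINE_OFF = 0x228                   # command line string, relative to the block
# Assumption: the page does not give the field length; this window only covers
# the bytes that hold the string in the dump.
CMDLINE_WINDOW = (ENV_BASE + CMDLINE_OFF, ENV_BASE + 0x240)

def read_cmdline(blob: bytes, base: int = 0) -> str:
    """Return the NUL-terminated command line of the block starting at `base`."""
    if blob[base:base + 4] != ENV_MAGIC:
        raise ValueError(f"unexpected bytes at {base:#x}")
    start = base + CMDLINE_OFF
    return blob[start:blob.index(b"\0", start)].decode("ascii")

def changed_ranges(old: bytes, new: bytes, chunk: int = 4096) -> list:
    """(first, last_exclusive) byte ranges that differ between two images."""
    if len(old) != len(new):
        raise ValueError("image size changed; the partition size is fixed")
    runs = []
    for off in range(0, len(old), chunk):
        if old[off:off + chunk] == new[off:off + chunk]:
            continue                          # fast path: identical chunk
        for i in range(off, min(off + chunk, len(old))):
            if old[i] != new[i]:
                if runs and runs[-1][1] == i:
                    runs[-1][1] = i + 1
                else:
                    runs.append([i, i + 1])
    return [tuple(r) for r in runs]

def edit_is_confined(old: bytes, new: bytes, first: int, last: int) -> bool:
    """True when every changed byte lies inside [first, last)."""
    return all(first <= a and b <= last for a, b in changed_ranges(old, new))

def build_image(cmdline: str) -> bytes:
    """Constructed 8MiB stand-in for PARAM.img; only the fields used here are set."""
    img = bytearray(8 * 1024 * 1024)
    img[ENV_BASE:ENV_BASE + 4] = ENV_MAGIC
    raw = cmdline.encode("ascii")
    img[CMDLINE_WINDOW[0]:CMDLINE_WINDOW[0] + len(raw)] = raw
    img[0x7FFC00:0x7FFC10] = bytes(range(1, 17))   # placeholder trailing bytes
    return bytes(img)

if __name__ == "__main__":
    old, new = build_image("console=ram loglevel=4"), build_image("console=ram loglevel=8")
    print(read_cmdline(old, ENV_BASE), "->", read_cmdline(new, ENV_BASE))
    print([(hex(a), hex(b)) for a, b in changed_ranges(old, new)])
    print("confined:", edit_is_confined(old, new, *CMDLINE_WINDOW))
```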

 

 h2. USB switch 

 On a GT-I9300, if I set the address @0x00700204@ to @00@, it switches the USB to the modem's USB, and @Bus 002 Device 095: ID 1519:0020 Comneon HSIC Device@ appears when connecting the GT-I9300 to a computer. 

 When I set it back to @01@, I can have ADB again. 

 Here's the diff: 
 <pre> 
 $ vbindiff PARAM.img PARAM.img.new 
 PARAM.img 
 0070 0204: 00 00 00 00 4C 4F 00 00    00 00 00 00 00 00 00 00    ....LO.. ........   
 0070 0214: 03 00 00 00 01 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0224: 00 00 00 00 63 6F 6E 73    6F 6C 65 3D 72 61 6D 20    ....cons ole=ram    
 0070 0234: 6C 6F 67 6C 65 76 65 6C    3D 38 00 00 00 00 00 00    loglevel =8......   
 0070 0244: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0254: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0264: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0274: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0284: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0294: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 PARAM.img.new                                                                    
 0070 0204: 01 00 00 00 4C 4F 00 00    00 00 00 00 00 00 00 00    ....LO.. ........   
 0070 0214: 03 00 00 00 01 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0224: 00 00 00 00 63 6F 6E 73    6F 6C 65 3D 72 61 6D 20    ....cons ole=ram    
 0070 0234: 6C 6F 67 6C 65 76 65 6C    3D 38 00 00 00 00 00 00    loglevel =8......   
 0070 0244: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0254: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0264: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0274: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0284: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0294: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 </pre> 

 You can also get that behavior with the stock OS if you go to the phone application, enter @*#7284#@, set "USB" to "MODEM" and tap "SAVE and RESET". After that the phone will reboot and you'll see the modem when connecting the GT-I9300 to a computer through USB.