GTI9300PARAM » History » Revision 8
Revision 7 (Denis 'GNUtoo' Carikli, 01/31/2022 12:43 PM) → Revision 8/19 (Denis 'GNUtoo' Carikli, 01/31/2022 12:58 PM)
{{toc}}

h1. GTI9300PARAM

You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like this:

<pre>
adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img
</pre>

That file at first looks like a tar archive.

<pre>
$ file PARAM.img
PARAM.img: POSIX tar archive (GNU)
</pre>

And it indeed does contain a tarball:

<pre>
$ tar tvf PARAM.img
-rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img
-rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg
-rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg
-rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg
-rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg
-rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg
-rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg
-rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg
-rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg
-rw-r--r-- se.infra/se.infra 9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg
-rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg
-rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg
-rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg
-rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg
-rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg
-rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg
-rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg
-rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg
-rwxr-xr-x se.infra/se.infra 5851 2013-11-28 13:33 sud_0.jpg
-rwxr-xr-x se.infra/se.infra 2713 2013-11-28 13:33 sud_1.jpg
-rwxr-xr-x se.infra/se.infra 5634 2013-11-28 13:33 sud_2.jpg
-rwxr-xr-x se.infra/se.infra 6292 2013-11-28 13:33 sud_3.jpg
-rwxr-xr-x se.infra/se.infra 4604 2013-11-28 13:33 sud_4.jpg
-rwxr-xr-x se.infra/se.infra 5706 2013-11-28 13:33 sud_5.jpg
-rwxr-xr-x se.infra/se.infra 6792 2013-11-28 13:33 sud_6.jpg
-rwxr-xr-x se.infra/se.infra 3885 2013-11-28 13:33 sud_7.jpg
-rwxr-xr-x se.infra/se.infra 6826 2013-11-28 13:33 sud_8.jpg
-rwxr-xr-x se.infra/se.infra 6528 2013-11-28 13:33 sud_9.jpg
-rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg
</pre>

The size of the PARAM.img file is exactly 8MiB:

<pre>
$ ls -lah PARAM.img
[...] 8.0M [...] PARAM.img
$ ls -la PARAM.img
[...] 8388608 [...] PARAM.img
</pre>

And we can get the size of the tarball with --totals:

<pre>
$ man tar
[...]
--totals[=SIGNAL]
    Print total bytes after processing the archive. [...]
</pre>

For example:

<pre>
$ tar --totals -tf PARAM.img
adv-env.img
[many files]
warning.jpg
Total bytes read: 911360 (890KiB, 286MiB/s)
</pre>

So here the tarball terminates way before the end of the PARAM.img file. 911360 is 0xde800:

<pre>
$ python
[...]
>>> hex(911360)
'0xde800'
</pre>

But we still have things after the tarball:

<pre>
$ hexdump -C PARAM.img
000dd4a0 05 00 14 00 50 07 ff d9 00 00 00 00 00 00 00 00 |....P...........|
000dd4b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00700000 03 00 fe ca 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00700010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00700200 00 00 00 00 03 00 00 00 4c 4f 00 00 00 00 00 00 |........LO......|
00700210 00 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 |................|
00700220 00 00 00 00 00 00 00 00 63 6f 6e 73 6f 6c 65 3d |........console=|
00700230 72 61 6d 20 6c 6f 67 6c 65 76 65 6c 3d 34 00 00 |ram loglevel=4..|
00700240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00700e20 00 00 00 00 00 00 00 00 ff ff ff ff ff ef 7f ff |................|
00700e30 ff ff f7 ff ff ff f7 ff ff fe ff ff ff ff 7f ff |................|
00700e40 fb ef ff ff ff fb ff df ff ff ff ff ff ff ff ff |................|
00700e50 df bf ff ff 7f ef f7 ff f7 ff ff ff ff fe ff ff |................|
00700e60 ff ff ff ff ef fb ff ef ff fb ff ff fd ff f7 ef |................|
00700e70 ff ff ff ff f5 ff ff ff ff ff ff ff ff ff ff ff |................|
00700e80 ff ff ff fe ff ef ff ff ff bf fd ff ff ff ff ff |................|
00700e90 ff ff ff ff ff ff f7 fb ff ff ff eb ff ff ff eb |................|
00700ea0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................|
00700eb0 ff ff ff ff ff ff ff ff ff ff ff df ff ff ff ff |................|
00700ec0 ff ff ff ff ff ff f7 ff ff ff ff ff ff ff ff ff |................|
00700ed0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................|
00700ee0 df ff ff ff ff ff ff ff ff ff ff ff ff ff d7 ff |................|
00700ef0 ff ff ff af ff ff ff fe ff ff ff ff ff ff ff ff |................|
00700f00 ff ef ff ff ff 7f ff ff ff df ff ff f7 ff ff ff |................|
00700f10 ff ff ff ff ff ff ff ff ff ff ff ef ff ff f7 ff |................|
00700f20 ff ff ff ff ff ff ff ff ff fe ef ff ff ef fb df |................|
00700f30 ff ff ff ff ff fb ff ff ff ff ff ff ff ff ff ff |................|
00700f40 ff ff f5 ff ff ff ff fb ff ff ff ff ff ff ff ff |................|
00700f50 fb ff ff fb fd ff ff ff ff ff ff ff ff ff ff ff |................|
00700f60 f7 ff ff ef f7 ff ff ef ff ff ff ff ff 9e ff fd |................|
00700f70 ff ff ff ff fb ff ff de f3 fb ff ff ff ef df ff |................|
00700f80 ff ff ff ff ff fb ff bf ff ff ff ff ff ff ff fd |................|
00700f90 ff fe f7 fe ff eb ff ff ff fb ff ff df ff ff ff |................|
00700fa0 df ff ff ff ff ff ff ff ff ff fb ff ff ff ff fb |................|
00700fb0 ff ff ff df ff ff ff ff fe fe fe ff ff f7 ff ff |................|
00700fc0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................|
00700fd0 fd ff ff ff ff fd ff ff ff ff ff ff fe ff ff ff |................|
00700fe0 ff ff df ff ff ff ff fb ff ff ff ff ff ff ff ff |................|
00700ff0 ff f7 df ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00701000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
007ffc00 d4 ad 55 ff 52 e9 ed 4c f8 d1 9c 08 79 b6 e9 6c |..U.R..L....y..l|
007ffc10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00800000
</pre>

Questions:

* Can we ignore what is after the tarball and grow it to 8MiB?
* Does what's after contain encrypted data for the bootloader?

h2. adv-env.img

Here's the content of the adv-env.img file:

<pre>
$ hexdump -C adv-env.img
00000000 03 00 fe ca 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 04 00 00 00 01 00 00 00 4c 4f 00 00 00 00 00 00 |........LO......|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000220 00 00 00 00 00 00 00 00 63 6f 6e 73 6f 6c 65 3d |........console=|
00000230 72 61 6d 20 6c 6f 67 6c 65 76 65 6c 3d 34 00 00 |ram loglevel=4..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000e20 00 00 00 00 00 00 00 00 |........|
00000e28
</pre>

Questions:

* Why are the kernel parameters repeated again after the end of the tarball?
* Where are the updated kernel parameters stored?
* Are the default and in-use kernel parameters stored at different locations?

h2. Kernel command line

*Default kernel command line*: @console=ram loglevel=4@

Test:

* change to @console=ram loglevel=8@ through the bootloader setenv command
* run saveenv
* reboot and validate that it's really changed with printenv
* observe the results on the filesystem

See [[MidasBootloader]] for more details on how to change the command line parameters.

After changing the environment variable, we still have loglevel=4 in the adv-env.img file that is in the tarball:

<pre>
$ hexdump -C adv-env.img
00000000 03 00 fe ca 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 04 00 00 00 01 00 00 00 4c 4f 00 00 00 00 00 00 |........LO......|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000220 00 00 00 00 00 00 00 00 63 6f 6e 73 6f 6c 65 3d |........console=|
00000230 72 61 6d 20 6c 6f 67 6c 65 76 65 6c 3d 34 00 00 |ram loglevel=4..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000e20 00 00 00 00 00 00 00 00 |........|
00000e28
</pre>

So these must be the default parameters. The actual kernel parameters were instead saved after the tarball:

<pre>
$ hexdump -C PARAM.img
*
00700200 00 00 00 00 03 00 00 00 4c 4f 00 00 00 00 00 00 |........LO......|
00700210 00 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 |................|
00700220 00 00 00 00 00 00 00 00 63 6f 6e 73 6f 6c 65 3d |........console=|
00700230 72 61 6d 20 6c 6f 67 6c 65 76 65 6c 3d 38 00 00 |ram loglevel=8..|
00700240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
</pre>

*Results:*

* Since the s-boot 4.0 bootloader on several Exynos 4412 devices (GT-I9300, GT-I9305, GT-N7100, GT-N7105) doesn't take into account the boot.img kernel parameters, we can then try to change them by editing the PARAM.img after the tarball.
* There is valuable info after the tarball => don't make the tarball grow too much.

h2. USB switch

On a GT-I9300, if I set the address @0x00700204@ to @00@, it switches the USB to the modem's USB, and @Bus 002 Device 095: ID 1519:0020 Comneon HSIC Device@ appears when connecting the GT-I9300 to a computer. When I set it back to @01@, I can have ADB again.

Here's the diff:

<pre>
$ vbindiff PARAM.img PARAM.img.new
PARAM.img
0070 0204: 00 00 00 00 4C 4F 00 00 00 00 00 00 00 00 00 00 ....LO.. ........
0070 0214: 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0224: 00 00 00 00 63 6F 6E 73 6F 6C 65 3D 72 61 6D 20 ....cons ole=ram
0070 0234: 6C 6F 67 6C 65 76 65 6C 3D 38 00 00 00 00 00 00 loglevel =8......
0070 0244: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0254: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0264: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0274: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0284: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0294: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02A4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02B4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02C4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02D4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02E4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02F4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
PARAM.img.new
0070 0204: 01 00 00 00 4C 4F 00 00 00 00 00 00 00 00 00 00 ....LO.. ........
0070 0214: 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0224: 00 00 00 00 63 6F 6E 73 6F 6C 65 3D 72 61 6D 20 ....cons ole=ram
0070 0234: 6C 6F 67 6C 65 76 65 6C 3D 38 00 00 00 00 00 00 loglevel =8......
0070 0244: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0254: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0264: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0274: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0284: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 0294: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02A4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02B4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02C4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02D4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02E4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 02F4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
┌──────────────────────────────────────────────────────────────────────────────┐
│Arrow keys move F find RET next difference ESC quit T move top │
│C ASCII/EBCDIC E edit file G goto position Q quit B move bottom │
└──────────────────────────────────────────────────────────────────────────────┘
</pre>

You can also get that behavior with the stock OS if you go to the phone application, enter @*#7284#@, set "USB" to "MODEM" and tap "SAVE and RESET". After that the phone will reboot and you'll see the modem when connecting the GT-I9300 to a computer through USB.
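
The layout observed in the "Kernel command line" and "USB switch" sections (default environment in adv-env.img inside the tarball, live copy at 0x700000, command line at +0x228, USB byte at +0x204), as an added Python example that is not part of the original wiki page. The offsets are read off the page's hexdumps; @inspect_param@, @set_cmdline@ and @sample_image@ are hypothetical names, the sample image is constructed, and refusing a command line longer than the stored one is an assumption made because the field size is not known.

```python
import io
import tarfile

PARAM_SIZE = 8 * 1024 * 1024         # PARAM.img size given on the page
ENV_BASE = 0x700000                  # where the hexdump shows data after the tarball
MAGIC = bytes.fromhex("0300feca")    # first bytes of adv-env.img and of ENV_BASE
USB_OFF, CMDLINE_OFF = 0x204, 0x228  # offsets read off the page's dumps

def cstr(buf, off):  # NUL-terminated ASCII string starting at off
    return bytes(buf[off:buf.index(0, off)]).decode("ascii")

def inspect_param(img):
    """Compare the default env in the tarball with the live copy after it."""
    if len(img) != PARAM_SIZE or img[ENV_BASE:ENV_BASE + 4] != MAGIC:
        raise ValueError("not the PARAM layout described on the page")
    end, default = 0, None
    with tarfile.open(fileobj=io.BytesIO(bytes(img)), mode="r:") as tf:
        for m in tf:
            end = m.offset_data + (m.size + 511) // 512 * 512
            if m.name == "adv-env.img":
                default = tf.extractfile(m).read()
    # tar closes with two 512-byte zero blocks; they must stay below ENV_BASE
    if default is None or end + 1024 > ENV_BASE:
        raise ValueError("adv-env.img missing or tarball reaches 0x700000")
    return {"tar_end": end, "usb_byte": img[ENV_BASE + USB_OFF],
            "default_cmdline": cstr(default, CMDLINE_OFF),
            "live_cmdline": cstr(img, ENV_BASE + CMDLINE_OFF)}

def set_cmdline(img, new):  # returns a patched copy, never writes a longer string
    off = ENV_BASE + CMDLINE_OFF
    old_len, raw = len(cstr(img, off)), new.encode("ascii")
    if len(raw) > old_len:  # field size is unknown: stay inside the old string
        raise ValueError("new command line is longer than the stored one")
    out = bytearray(img)
    out[off:off + old_len] = raw.ljust(old_len, b"\0")
    return out

def sample_image():
    """Constructed stand-in for a real dump: same offsets, one tar member."""
    env = bytearray(0xE28)  # adv-env.img length in the page's hexdump
    env[:4], env[USB_OFF] = MAGIC, 1  # 0x204 holds 01 in the page's adv-env.img
    env[CMDLINE_OFF:CMDLINE_OFF + 22] = b"console=ram loglevel=4"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo("adv-env.img")
        info.size = len(env)
        tf.addfile(info, io.BytesIO(bytes(env)))
    img = bytearray(PARAM_SIZE)
    img[:buf.tell()], img[ENV_BASE:ENV_BASE + len(env)] = buf.getvalue(), env
    return img
```

On a real dump, read PARAM.img into a bytearray, pass it to @inspect_param@, and write the result of @set_cmdline@ to a new file so the original dump stays available.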