
Q: Upgrade to latest JB but keep CWM and root

17 posts in this topic

Posted

I am trying to upgrade my S500 to the latest JB system.

First I lost one afternoon because of a bad USB cable. When I was trying to upgrade my phone with fastboot, after the 'sending bin' message nothing was happening. Other fastboot commands which did not involve a massive transfer of data were working fine. It took me a while to figure out that the culprit was a Chinese 2m long USB cable. After I changed it for another, shorter cable everything was fine.

So others be aware.

My device CPU type is 8260a-3

  • I've used leaked firmware Acer_AV051_S500_RV14RB02_WW_GEN1 to flash my phone,
  • Then I've unlocked the bootloader: 'fastboot -i 0x0502 oem unlock'
  • Flashed the recovery: 'fastboot -i 0x0502 flash recovery CWM-6.0.1.5_S500.img'
  • and then the patched boot: 'fastboot -i 0x0502 flash boot boot.img'

All went fine.

Now I want to upgrade to the latest JB available: Acer_AV051.S500.RV04RC09.WW.GEN1

Because I don't want to lose the unlocked bootloader, this time I used the Acer_Download_Tool_3.006 for Windows (as opposed to my Linux prompt). I did this because I saw a tickbox in the ADT software which says 'flash bootloader before image', so I unchecked that tick and flashed with RV04RC09. Unfortunately this replaced the bootloader and the CWM recovery regardless of my unticked option.

So what is the correct procedure to do this update and not lose the unlocked bootloader?

Are there any tools to edit the firmware binary files?

What is the content of the xxx_1.bin and xxx_2.bin files which are present in all the firmware releases?

0

Posted

I've tried to follow your suggestion. The above link doesn't work but I have found the file here.

The install process gives an error and I had to remove the first line of the updater-script:

assert(getprop("ro.product.name") == "s500_ww_gen1");

My phone is a WW_GEN1 but I presume the leaked JB version doesn't set the checked property.

After the update I ended up with the same problem; both the bootloader and the recovery partition were overwritten.

$ grep block updater-script # in SD_Acer_AV051_S500_RV04RC09_WW_GEN1
if mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "/data") != "/data"
package_extract_file("NON-HLOS.bin", "/dev/block/platform/msm_sdcc.1/by-name/modem");
package_extract_file("sbl1.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl1");
package_extract_file("sbl2.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl2");
package_extract_file("sbl3.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl3");
package_extract_file("rpm.mbn", "/dev/block/platform/msm_sdcc.1/by-name/rpm");
package_extract_file("tz.mbn", "/dev/block/platform/msm_sdcc.1/by-name/tz");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
package_extract_file("emmc_appsboot.mbn", "/dev/block/platform/msm_sdcc.1/by-name/aboot");

$ grep block updater-script # in Cirrus_ROM-1.0.5b
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "0", "/data");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");

If one compares the two outputs of the grep command one can see that the first update script instructs the phone to overwrite the bootloader partitions (which I presume are sbl1, sbl2, sbl3).

So I think I further need to edit the update script and omit some of the extract commands.

Can someone answer the following questions for me:

* is there a utility that splits the xxx_1.bin and xxx_2.bin firmware into its components? (this will be handy if there is no SD card version of the same firmware available)

* what is the NON-HLOS.bin file?

* why, when I installed the CWM-6.0.1.5_S500.img in the recovery partition, did I also have to write a patched boot.img (which I guess is the Linux kernel); what is the patch's purpose?

* what is the 'aboot' partition?

0
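An added example, not code from the thread or from any Acer tool: a small Python audit of an Edify updater-script that lists every by-name partition it writes and flags the boot-chain partitions (sbl1-3, rpm, tz, aboot) whose overwrite the post above is trying to avoid. The sample scripts are constructed from the grep output quoted above, and the BOOT_CHAIN set is an assumption taken from those lines.

```python
# Added example: audit which by-name partitions an Edify updater-script
# writes, flagging the boot chain that the stock RV04RC09 script replaced.
import re

# Boot-chain partitions named in the thread's grep output (assumed complete).
BOOT_CHAIN = {"sbl1", "sbl2", "sbl3", "rpm", "tz", "aboot"}

# Edify calls that write a partition; mount() is deliberately not matched.
CALL_RE = re.compile(r"\b(?P<fn>package_extract_file|format)\s*\((?P<args>[^;]*)\)\s*;")
TARGET_RE = re.compile(r"/dev/block/\S*?/by-name/(?P<part>[A-Za-z0-9_]+)")


def partitions_written(script):
    """Map each by-name partition written to the list of sources written to it."""
    writes = {}
    for call in CALL_RE.finditer(script):
        args = call.group("args")
        target = TARGET_RE.search(args)
        if target is None:
            continue
        if call.group("fn") == "format":
            source = "format"
        else:  # first string argument is the file inside the zip
            source = re.match(r'\s*"([^"]+)"', args).group(1)
        writes.setdefault(target.group("part"), []).append(source)
    return writes


def boot_chain_writes(script):
    """Sorted list of boot-chain partitions the script would overwrite."""
    return sorted(p for p in partitions_written(script) if p in BOOT_CHAIN)


# Constructed samples, cut down from the two grep outputs quoted in the post.
STOCK_SCRIPT = """
assert(getprop("ro.product.name") == "s500_ww_gen1");
package_extract_file("NON-HLOS.bin", "/dev/block/platform/msm_sdcc.1/by-name/modem");
package_extract_file("sbl1.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl1");
package_extract_file("tz.mbn", "/dev/block/platform/msm_sdcc.1/by-name/tz");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
package_extract_file("emmc_appsboot.mbn", "/dev/block/platform/msm_sdcc.1/by-name/aboot");
"""
CUSTOM_SCRIPT = """
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "0", "/data");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
"""

if __name__ == "__main__":
    for name, script in (("stock", STOCK_SCRIPT), ("custom", CUSTOM_SCRIPT)):
        print(name, partitions_written(script), "boot chain:", boot_chain_writes(script))
```

Run it against the updater-script of any update.zip before flashing; an empty boot-chain list is what you want when the goal is to keep the existing bootloader and recovery.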

Posted

Hi,

I have this kind of tool for my personal use (from the decompiled Acer Download Tool), I'll share it later ;)

NON-HLOS.bin is the modem firmware.

Which patch are you speaking about?

aboot.mbn is the android bootloader. (more info about Secure Boot 3.0 Boot Loader)

0

Posted

I had a brief look at those merged firmware binaries. What I've noticed so far is that they are indeed just a binary merge of all the component files; there is no file name or file length stored with the files. Instead you have an encrypted header which probably contains all this. The first 16 bytes seem to be an AES key and then you have the length of this encrypted header. I've already tried AES encryption/decryption with that key or the swap32 of the key with no success, so I think that's just a session key which is either encrypted with a master key from ROM or just obfuscated with some XOR based function.

This doesn't give up much; it's just a way of comparing various components of the firmware and eventually being able to reconstruct it after a change. Each file from the merge is still individually signed. I'll have a look with IDA on ADT too later.

0

Posted

ADT is a .NET/C# app; you can use ILSpy, it will give you source code. You will see how it works to split the bin file.

0

Posted (edited)

IDA can disassemble .NET also, you just have to use the Windows version. Here is the listing of the relevant part - looks like obfuscated BASIC to me. Entry point is the Decryption_Proc function. So at offset 0x10 you have the following 4 integers: EncryptedSize, MergeToolVersion, EncryptionType, FileCount

The AES decryption uses a 16-byte IV (initialization vector) followed by 32 bytes of key (so that's AES-256).

I'm not positive if this is at offset 0x4f or 0x50 or somewhere else ;-).

I am blind. The key is in the 'Processing.dll' code encoded as a string

Edited by zelea2
0

Posted

ILSpy can decompile (not disassemble) C# to give you source code, which is better to read/understand than assembler code. You can also rebuild the app if you mod it.

Already tried to use the included encrypt methods to rebuild a signed .bin, or a single file, without success.

0

Posted (edited)

Well I'm a Unix guy and whatever Windows tool I can avoid I'll skip. Next time I deal with .NET I'll give ILSpy a try.

I've put together a quick C utility which lists and splits the firmware binary; sources and programs are here.

I'll add the file split later. Utility finished. I've made executable versions for both Windows and Linux.

Why do you try to build back a .bin? You can always make an update.zip file out of the two .bin files and load it with CWM.

Have you figured out what the first 16 bytes of a .bin file are? Maybe those are the missing part.

Edited by zelea2
0

Posted

I have figured out the first 16 bytes: you take the merged file and replace the first 16 bytes with the "[mgfl_k]:[email protected]" string. You then perform an md5sum over the whole file. The 16-byte sum is then overwritten at offset 0. If anybody is interested I can add the functionality to create firmware files to my program, so let me know if you want it. So now I can also use a bin file with just the parameters and the boot.img file to flash my boot partition as an alternative to the update.zip method.

This is possible only because my phone is unlocked.

If you want to disassemble the bootloader: chop the first 0x28 bytes from emmc_appsboot.mbn and create emmc_appsboot.bin. The loading address is at offset 0xc in the mbn file (in this case 0x88f00000).

I have spent some time looking at this code in IDA. You can browse the listing here. Also if you want the IDA database without duplicating my work, load the IDC file in your copy of IDA.

If you want to see the checks during a flash operation, search for the cmd_flash label.

1
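An added example, not zelea2's utility: it parses the merged-firmware header layout described in this and the earlier post (four integers at offset 0x10) and verifies the salted MD5 stored at offset 0, then shows the .mbn load-address read and 0x28-byte header strip from the same post. It assumes the four fields are little-endian uint32 and uses a placeholder SALT, because the real 16-byte string is obfuscated on the page; build_container is a constructed inverse used only to make sample data.

```python
# Added example: verify an Acer merged-firmware .bin header as the thread
# describes it. SALT is a placeholder and the field order/endianness is an
# assumption; neither is confirmed by the page.
import hashlib
import struct

SALT = b"[mgfl_k]:XXXXXXX"  # placeholder, 16 bytes like the real salt string
HEADER = struct.Struct("<4I")  # EncryptedSize, MergeToolVersion, EncryptionType, FileCount
MBN_HEADER_LEN = 0x28  # bytes to chop from emmc_appsboot.mbn
MBN_LOAD_ADDR_OFF = 0x0C  # offset of the load address inside the .mbn header


def container_checksum(blob):
    """MD5 of the file with its first 16 bytes replaced by the salt."""
    return hashlib.md5(SALT + blob[16:]).digest()


def parse_container(blob):
    """Return the header fields and whether the stored checksum verifies."""
    if len(blob) < 0x20:
        raise ValueError("too short for a merged-firmware header")
    enc_size, tool_ver, enc_type, file_count = HEADER.unpack_from(blob, 0x10)
    return {
        "encrypted_size": enc_size,
        "merge_tool_version": tool_ver,
        "encryption_type": enc_type,
        "file_count": file_count,
        "checksum_ok": container_checksum(blob) == blob[:16],
    }


def build_container(enc_size, tool_ver, enc_type, file_count, body):
    """Assemble checksum + header + body; used here only to build sample data."""
    tail = HEADER.pack(enc_size, tool_ver, enc_type, file_count) + body
    return container_checksum(bytes(16) + tail) + tail


def mbn_load_address(mbn):
    """Load address stored at offset 0xc of the .mbn header (0x88f00000 in the post)."""
    return struct.unpack_from("<I", mbn, MBN_LOAD_ADDR_OFF)[0]


def mbn_strip_header(mbn):
    """Drop the 0x28-byte header to get the raw image for disassembly."""
    return mbn[MBN_HEADER_LEN:]


# Constructed sample data, not real firmware.
SAMPLE_BODY = b"\x00" * 0x30 + b"boot.img contents"
SAMPLE_BIN = build_container(0x30, 3, 1, 1, SAMPLE_BODY)
SAMPLE_MBN = (bytes(MBN_LOAD_ADDR_OFF) + struct.pack("<I", 0x88F00000)
              + bytes(MBN_HEADER_LEN - MBN_LOAD_ADDR_OFF - 4) + b"\x00\x00\xa0\xe1")

if __name__ == "__main__":
    print(parse_container(SAMPLE_BIN))
    print("tampered verifies:", parse_container(SAMPLE_BIN[:-1] + b"\x00")["checksum_ok"])
    print(hex(mbn_load_address(SAMPLE_MBN)), mbn_strip_header(SAMPLE_MBN))
```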

Posted

I have just added the checksum and now you can both create and extract merged firmware binaries (link above).

1

Posted

OK, that means that you can create update.zip files on your own and put whatever ROM you want inside (given the ROM has been compiled for the device, of course)? You can flash it from stock recovery?

0

Posted

You can create, mod and extract .bin find. That's a great tool, well done ;)

0

Posted

Cool indeed!

Thanks for your effort :-)

0

Posted

Practically, is it possible to make a cyanogenmod (for example) without unlocking the bootloader?

0

Posted

What I have done to upgrade my S500 firmware while keeping CWM:

- Flashed my S500 via ADT with BIN_Acer_AV051_S500_RV14RB02_WW_GEN1 (an old JB/Android 4.1 Acer leak)

- With this version and the bootloader unlocked, flashing via the bootloader is OK

- Flash CWM via fastboot -i 0x0502 flash recovery CWM-6.0.1.5_S500.img

- And now the firmware upgrade: you have to flash SD_Acer_AV051_S500_RV04RC09_WW_GEN1 or SD_Acer_S500_AV051.RV00RC00_AV051.RV04RC08_EMEA_FR update.zip via CWM

You might get an assert error on your firmware version; in this case you have to modify the updater-script in the update.zip (remove the first line that makes the assert)

- After the update.zip is flashed, go to reboot in CWM; CWM should detect that the recovery will be erased and ask you to prevent this! Choose yes!

You will be upgraded to the latest firmware while keeping CWM.

You can now flash superuser via CWM if needed.

At this point, flashing an IMG via fastboot is blocked because of a security measure added by Acer in the latest firmware, but you still have CWM, so you can flash "everything" (ROM, kernel, etc.) packaged in a .zip ;)

0

Posted (edited)

I am trying to upgrade my S500 to the latest JB system.

First I lost one afternoon because of a bad USB cable. When I was trying to upgrade my phone with fastboot, after the 'sending bin' message nothing was happening. Other fastboot commands which did not involve a massive transfer of data were working fine. It took me a while to figure out that the culprit was a Chinese 2m long USB cable. After I changed it for another, shorter cable everything was fine.

So others be aware.

My device CPU type is 8260a-3

  • I've used leaked firmware Acer_AV051_S500_RV14RB02_WW_GEN1 to flash my phone,
  • Then I've unlocked the bootloader: 'fastboot -i 0x0502 oem unlock'
  • Flashed the recovery: 'fastboot -i 0x0502 flash recovery CWM-6.0.1.5_S500.img'
  • and then the patched boot: 'fastboot -i 0x0502 flash boot boot.img'

All went fine.

Now I want to upgrade to the latest JB available: Acer_AV051.S500.RV04RC09.WW.GEN1

Because I don't want to lose the unlocked bootloader, this time I used the Acer_Download_Tool_3.006 for Windows (as opposed to my Linux prompt). I did this because I saw a tickbox in the ADT software which says 'flash bootloader before image', so I unchecked that tick and flashed with RV04RC09. Unfortunately this replaced the bootloader and the CWM recovery regardless of my unticked option.

So what is the correct procedure to do this update and not lose the unlocked bootloader?

Are there any tools to edit the firmware binary files?

What is the content of the xxx_1.bin and xxx_2.bin files which are present in all the firmware releases?

I did exactly the same except the last step. I flashed the most recent Acer_AV051.S500.RV04RC09.WW.GEN1 firmware through the Setup program of the official firmware update. To my surprise I discovered that after flashing my bootloader was still unlocked! My CWM recovery was overwritten but that can easily be solved. You can download the official FW from the ACER website: http://global-downlo...=en&BC=Acer&SC=

After that I flashed the DMD v1.1 kernel and rooted my phone with the latest Clockworkmod SuperUser app (flashed through CWM recovery).

I did not install the CWM recovery to NAND. Instead, if I want CWM recovery I boot the phone in fastboot mode and do a fastboot -i 0x0502 boot CWM-6.0.1.5_S500.img

Edited by bobbes
0

MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.