Q: Upgrade to latest JB but keep CWM and root

Guest zelea2

I am trying to upgrade my S500 to the latest JB system.

First I lost one afternoon because of a bad USB cable. When I was trying to upgrade my phone with fastboot, after the 'sending bin' message nothing was happening. Other fastboot commands which did not involve a massive transfer of data were working fine. It took me a while to figure out that the culprit was a Chinese 2m long USB cable. After I changed it for another, shorter cable everything was fine.

So others be aware.

My Device CPU type is 8260a-3

  • I've used leaked firmware Acer_AV051_S500_RV14RB02_WW_GEN1 to flash my phone,
  • Then I've unlocked the bootloader: 'fastboot -i 0x0502 oem unlock'
  • Flashed the recovery: 'fastboot -i 0x0502 flash recovery CWM-6.0.1.5_S500.img'
  • and then the patched boot: 'fastboot -i 0x0502 flash boot boot.img'

All went fine.

Now I want to upgrade to the latest JB available: Acer_AV051.S500.RV04RC09.WW.GEN1

Because I don't want to lose the unlocked bootloader I have used this time the Acer_Download_Tool_3.006 for Windows (as opposed to my Linux prompt). I did this because I saw a tickbox in the ADT software which says "flash bootloader before image", so I unchecked that tick and flashed with RV04RC09. Unfortunately this replaced the bootloader and the CWM recovery regardless of my not-ticked option.

So what is the correct procedure to do this update and not lose the unlocked bootloader?

Are there any tools to edit the firmware binary files?

What is the content of the xxx_1.bin and xxx_2.bin files which are present in all the firmware releases?


Guest zelea2

I've tried to follow your suggestion. The above link doesn't work but I have found the file here.

The install process gives an error and I had to remove the first line of the updater-script:

assert(getprop("ro.product.name") == "s500_ww_gen1");

My phone is a WW_GEN1 but I presume the leaked JB version doesn't set the checked property.

After the update I've ended up with the same problem; both the bootloader and the recovery partition were overwritten.

$ grep block updater-script # in SD_Acer_AV051_S500_RV04RC09_WW_GEN1
if mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "/data") != "/data"
package_extract_file("NON-HLOS.bin", "/dev/block/platform/msm_sdcc.1/by-name/modem");
package_extract_file("sbl1.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl1");
package_extract_file("sbl2.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl2");
package_extract_file("sbl3.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl3");
package_extract_file("rpm.mbn", "/dev/block/platform/msm_sdcc.1/by-name/rpm");
package_extract_file("tz.mbn", "/dev/block/platform/msm_sdcc.1/by-name/tz");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
package_extract_file("emmc_appsboot.mbn", "/dev/block/platform/msm_sdcc.1/by-name/aboot");

$ grep block updater-script # in Cirrus_ROM-1.0.5b
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "0", "/data");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");

If one compares the two outputs of the grep command one can see that the first update script instructs the phone to overwrite the bootloader partitions (which I presume are sbl1, sbl2 and sbl3).

So I think I further need to edit the update script and omit some of the extract commands.

Can someone answer me the following questions:

* is there a utility that splits the xxx_1.bin and xxx_2.bin firmware to its components? (this will be handy if there is no SD card version of the same firmware available)

* what is the NON-HLOS.bin file?

* why, when I installed the CWM-6.0.1.5_S500.img in the recovery partition, did I also have to write a patched boot.img (which I guess is the Linux kernel); what is the patch purpose?

* what is the 'aboot' partition?
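The comparison above (which partitions each updater-script writes, and which of those belong to the boot chain) is easy to automate before flashing an update.zip. The following Python is an added example, not code from the thread or from Acer; it parses edify `package_extract_file()` and `format()` statements and reports the `by-name` partitions they touch, flagging the ones an unlocked-bootloader or custom-recovery user would not want overwritten. The sample scripts are the two grep outputs quoted above; the choice of which partition names count as "boot chain" is this example's own.

```python
import re

# Partitions that, once rewritten by an update, undo an unlocked bootloader or a
# custom recovery. Names are the by-name entries seen in the thread's grep output;
# treating all of them as "boot chain" is this example's own choice.
BOOT_CHAIN = {"sbl1", "sbl2", "sbl3", "rpm", "tz", "aboot", "recovery"}

# Captures the partition name after /by-name/ in an edify block-device argument.
PARTITION_RE = re.compile(r'"/dev/block/platform/[^"]+/by-name/([A-Za-z0-9_.-]+)"')
# Matches the edify function at the start of a statement, optionally behind "if".
CALL_RE = re.compile(r'^(?:if\s+)?([A-Za-z_]\w*)\s*\(')

# Edify functions that write to the named partition. mount()/unmount() only
# attach it, so they are deliberately not listed here.
WRITING_FUNCS = {"package_extract_file", "format"}


def partition_writes(script: str) -> dict:
    """Return {partition: [edify function, ...]} for every partition the
    updater-script writes to, in the order the statements appear."""
    writes = {}
    for line in script.splitlines():
        stmt = line.strip()
        if not stmt or stmt.startswith("#"):
            continue
        call = CALL_RE.match(stmt)
        if not call or call.group(1) not in WRITING_FUNCS:
            continue
        target = PARTITION_RE.search(stmt)
        if target:
            writes.setdefault(target.group(1), []).append(call.group(1))
    return writes


def boot_chain_writes(script: str) -> list:
    """Sorted list of boot-chain partitions the script would overwrite."""
    return sorted(p for p in partition_writes(script) if p in BOOT_CHAIN)


# Sample input: the grep output quoted earlier in the thread, used as-is.
STOCK_SCRIPT = """\
if mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "/data") != "/data"
package_extract_file("NON-HLOS.bin", "/dev/block/platform/msm_sdcc.1/by-name/modem");
package_extract_file("sbl1.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl1");
package_extract_file("sbl2.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl2");
package_extract_file("sbl3.mbn", "/dev/block/platform/msm_sdcc.1/by-name/sbl3");
package_extract_file("rpm.mbn", "/dev/block/platform/msm_sdcc.1/by-name/rpm");
package_extract_file("tz.mbn", "/dev/block/platform/msm_sdcc.1/by-name/tz");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
package_extract_file("emmc_appsboot.mbn", "/dev/block/platform/msm_sdcc.1/by-name/aboot");
"""

CIRRUS_SCRIPT = """\
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "0", "/data");
format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
"""

if __name__ == "__main__":
    for name, script in (("stock RV04RC09", STOCK_SCRIPT), ("Cirrus 1.0.5b", CIRRUS_SCRIPT)):
        print(f"{name}: writes {sorted(partition_writes(script))}")
        print(f"  boot-chain partitions touched: {boot_chain_writes(script) or 'none'}")
```

Run it against the extracted `META-INF/com/google/android/updater-script` of any update.zip before flashing; a non-empty boot-chain list is the signal to either skip the package or edit out the offending `package_extract_file()` lines, as the post above suggests.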


Guest zelea2

I had a brief look at those merged firmware binaries. What I've noticed so far is that they are indeed just a binary merge of all the component files; there is no file name or file length stored with the files. Instead you have an encrypted header which probably contains all this. The first 16 bytes seem to be an AES key and then you have the length of this encrypted header. I've already tried AES encryption/decryption with that key or the swap32 of the key with no success, so I think that's just a session key which is either encrypted with a master key from ROM or just obfuscated with some XOR based function.

This doesn't give up much, it's just a way of comparing various components of the firmware and eventually being able to reconstruct it after a change. Each file from the merge is still individually signed. I'll have a look with IDA on ADT too later.


Guest zelea2

IDA can disassemble .NET also, you just have to use the Windows version. Here is the listing of the relevant part - looks like obfuscated BASIC to me. Entry point is the Decryption_Proc function. So at offset 0x10 you have the following 4 integers: EncryptedSize, MergeToolVersion, EncryptionType, FileCount

The AES decryption uses a 16-byte IV (initialization vector) followed by 32 bytes of key (so that's AES-256).

I'm not positive if this is at offset 0x4f or 0x50 or somewhere else ;-).

I am blind. The key is in the 'Processing.dll' code encoded as a string.


Guest vache

ILSpy can decompile (not disassemble) C# to give you source code; that's better to read/understand than assembler code. You can also rebuild the app if you mod it.

Already tried to use the included encrypt methods to rebuild a signed .bin, or a single file, without success.


Guest zelea2

Well I'm a Unix guy and whatever Windows tool I can avoid I'll skip. Next time when I deal with .NET I'll give ILSpy a try.

I've put together a quick C program which lists and splits the firmware binary; sources and programs here.

I'll add the file split later. Utility finished. I've made executable versions for both Windows and Linux.

Why do you try to build back a .bin? You can always make an update.zip file out of the two .bin files and load it with CWM.

Have you figured out what the first 16 bytes of a .bin file are? Maybe those are the missing part.


Guest zelea2

I have figured out the first 16 bytes: You take the merged file and replace the first 16 bytes with the "[mgfl_k]:[email protected]" string. You then perform a md5sum over the whole file. The 16-byte sum is then overwritten at offset 0. If anybody is interested I can add the functionality to create firmware files to my program, so let me know if you want it. So now I can also use a bin file with just the parameters and the boot.img file to flash my boot partition as an alternative to the update.zip method.

This is possible only because my phone is unlocked.

If you want to disassemble the bootloader: chop the first 0x28 bytes from emmc_appsboot.mbn and create emmc_appsboot.bin. The loading address is at offset 0xc in the mbn file (in this case 0x88f00000).

I have spent some time looking at this code in IDA. You can browse the listing here. Also if you want the IDA database without duplicating my work, load the IDC file in your copy of IDA.

If you want to see the checks during a flash operation search for the cmd_flash label.
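The two posts above describe the merged .bin header as a 16-byte MD5 at offset 0 (computed over the file with those 16 bytes replaced by a fixed tag) followed at 0x10 by four integers (EncryptedSize, MergeToolVersion, EncryptionType, FileCount). The Python below is an added example, not zelea2's utility or Acer's code; it parses those fields and recomputes the digest so a downloaded or hand-edited .bin can be checked for corruption before it is flashed. Two things are assumptions: the tag is partly redacted on the page, so a 16-byte placeholder stands in for it, and the four integers are taken as 32-bit little-endian (the merge tool is an x86 .NET program). The fixture is constructed here and is not a real firmware file.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Tag that replaces the digest field before hashing. The thread gives it as
# "[mgfl_k]:..." with the rest redacted, so this is a 16-byte placeholder
# (assumption); substitute the real tag to check real files.
MAGIC_PLACEHOLDER = b"[mgfl_k]:PLACEHO"
assert len(MAGIC_PLACEHOLDER) == 16

DIGEST_LEN = 16         # MD5 digest stored at offset 0
FIELDS_OFFSET = 0x10    # four integers follow the digest (per the thread)
FIELDS_FMT = "<4I"      # 32-bit little-endian is an assumption (x86 .NET tool)


@dataclass
class MergedHeader:
    digest: bytes
    encrypted_size: int
    merge_tool_version: int
    encryption_type: int
    file_count: int


def parse_header(blob: bytes) -> MergedHeader:
    """Parse the digest and the four integers at 0x10 of a merged .bin."""
    if len(blob) < FIELDS_OFFSET + struct.calcsize(FIELDS_FMT):
        raise ValueError("blob too short for a merged-firmware header")
    fields = struct.unpack_from(FIELDS_FMT, blob, FIELDS_OFFSET)
    return MergedHeader(blob[:DIGEST_LEN], *fields)


def expected_digest(blob: bytes, magic: bytes = MAGIC_PLACEHOLDER) -> bytes:
    """MD5 of the file with its first 16 bytes replaced by the magic tag."""
    if len(magic) != DIGEST_LEN:
        raise ValueError("magic tag must be exactly 16 bytes")
    return hashlib.md5(magic + blob[DIGEST_LEN:]).digest()


def digest_matches(blob: bytes, magic: bytes = MAGIC_PLACEHOLDER) -> bool:
    """True when the stored digest equals the recomputed one."""
    return hmac.compare_digest(blob[:DIGEST_LEN], expected_digest(blob, magic))


def seal(body: bytes, magic: bytes = MAGIC_PLACEHOLDER) -> bytes:
    """Prepend the digest to `body` (everything from offset 0x10 onward).
    Used here only to build the constructed fixture below."""
    return expected_digest(bytes(DIGEST_LEN) + body, magic) + body


# Constructed fixture: header fields (encrypted size 1234, tool version 3,
# encryption type 1, two files) followed by dummy payload bytes.
SAMPLE_BODY = struct.pack(FIELDS_FMT, 1234, 3, 1, 2) + b"constructed-payload"
SAMPLE_BLOB = seal(SAMPLE_BODY)


def check_sample() -> tuple:
    """Return (header, intact_verifies, tampered_verifies) for the fixture;
    the tampered copy has its last payload byte flipped."""
    tampered = SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 0x01])
    return parse_header(SAMPLE_BLOB), digest_matches(SAMPLE_BLOB), digest_matches(tampered)


if __name__ == "__main__":
    hdr, intact_ok, tampered_ok = check_sample()
    print(hdr)
    print("intact file verifies:", intact_ok, "| tampered file verifies:", tampered_ok)
```

Note that this MD5 only tells you the file was not corrupted in transfer or editing; as the thread says, each component inside the merge is still individually signed, and it is those signatures, not this checksum, that the device's flash checks rely on.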


OK that means that you can create update.zip files on your own and put whatever rom you want inside (given the rom has been compiled for the device of course)? You can flash it from stock recovery?


Guest Shreps

What I have done to upgrade my S500 firmware but keep CWM:

- Flashed my S500 via ADT with BIN_Acer_AV051_S500_RV14RB02_WW_GEN1 (an old JB/Android 4.1 Acer leak)

- With this version and the bootloader unlocked, flashing via bootloader is OK

- Flash CWM via fastboot -i 0x0502 flash recovery CWM-6.0.1.5_S500.img

- And now the firmware upgrade: you have to flash the SD_Acer_AV051_S500_RV04RC09_WW_GEN1 or SD_Acer_S500_AV051.RV00RC00_AV051.RV04RC08_EMEA_FR update.zip via CWM

You might have an assert error on your firmware version; in this case you have to modify the updater-script in the update.zip (remove the first line that makes the assert)

- After the update.zip is flashed, go to reboot in CWM; CWM should detect that the recovery will be erased and ask you to prevent this! Choose yes!

You will be upgraded to the latest firmware while keeping CWM.

You can now flash superuser via CWM if needed.

At this point, flashing an IMG via fastboot is blocked because of a security check added by Acer in the latest firmware, but you still have CWM, so you can flash "everything" (ROM, kernel, etc.) packaged in a .zip ;)


Guest bobbes

(quoting zelea2's opening post above)

I did exactly the same except the last step. I flashed the most recent Acer_AV051.S500.RV04RC09.WW.GEN1 firmware through the Setup program of the official firmware update. As a surprise I discovered that after flashing my bootloader was still unlocked! My CWM recovery was overwritten but that can easily be solved. You can download the official FW from the ACER website: http://global-downlo...=en&BC=Acer&SC=

After that I flashed the DMD v1.1 kernel and rooted my phone with the latest ClockworkMod SuperUser app (flashed through CWM recovery).

I did not install the CWM recovery to NAND. Instead, if I want CWM recovery I boot the phone in fastboot mode and do a fastboot -i 0x0502 boot CWM-6.0.1.5_S500.img
