[PRJ][UPG]Universal ELF/IN 1.1.x & 2.2.X Roms PP Changer - Touch GSM ROM Development

For Cooks
The main reason for creating this thread is that many here in this forum have asked me for the method to change the pagepool of the later ELFin ROMs that are based on the 2.20.xxx.xx stock roms. Incidentally, these ROMs are also used for the ELFs.
Firstly, I must thank duttythroy's thread HERE in the Kaiser forum that inspired me to successfully search for the elusive pagepool offsets in the ELFin ROMs, which I had been searching for for months. Following the same modus operandi, the unique hex string pattern responsible for the pagepool was found to be:
|03 15 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB|
This walkthrough is targeted at the more advanced users i.e. Chefs and I shall not be responsible for any damages to your devices if you do not follow the instructions given below.
For Regular Non Cooking Users please Look at The Second Post with the Multi PP Changer (Beta For Now)
Let me do a walkthrough on how to change the ELFin's 12MB Default Pagepool to 18MB Pagepool and other pagepools of your desire
[12MB Pagepool] |03 15 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB| ELFin's Default Pagepool
[16MB Pagepool] |10 16 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB|
[18MB Pagepool] |12 16 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB|
[24MB Pagepool] |18 16 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB|
To begin with, we will need a few things to perform the pagepool change:
- OS.nb or .NBH file (your targeted 2.20.xxx.xx ROM)
- A Hex Editor [Hex Edit Free 2.5] to edit the offsets
- A lot of guts.... keke
1. [HOW TO CHANGE ELFIN'S PAGEPOOL]
Step 1: Open the OS.nb or .NBH file with a Hex Editor
Step 2: Search for the hex string pattern |03 15 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB| (Two addresses should be found)
Step 3: At the first address found, change the first two bytes "03 15" to "12 16" for 18MB pagepool
Step 4: Repeat Step No.3 at the 2nd address found
Step 5: Save & Exit the Hex Editor
Step 6: If you are using the OS.nb, start cooking your new ROM with it
Step 7: Flash the new .NBH file to your ELFin and enjoy the 18MB True Pagepool
For other pagepool sizes, change the first byte "03" to "XX" hex value corresponding to your desired pagepool in Step No.3 & 4. (Remember that this is hex value, i.e. "10" = 16MB, "12" = 18MB, "18" = 24MB, etc.)
2. [HOW TO CHANGE ELF'S PAGEPOOL]
Through comparison, I also discovered that the ELF's Default Pagepool is 8MB and is different from the ELFin's 12MB Pagepool within the same ROM. I reckoned then that it must be determined by a different set of bytes in the unique hex string pattern and discovered that they are "02 15", the fifth and sixth bytes of the string pattern:
[8 MB Pagepool] |03 15 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB| ELF's Default Pagepool
[4 MB Pagepool] |03 15 A0 03 | 04 16 A0 13 | 00 10 83 E5 | DA C2 FF EB|
[6 MB Pagepool] |03 15 A0 03 | 06 16 A0 13 | 00 10 83 E5 | DA C2 FF EB|
[0 MB Pagepool] |03 15 A0 03 | 00 16 A0 13 | 00 10 83 E5 | DA C2 FF EB|
Step 1: Open the OS.nb or .NBH file with a Hex Editor
Step 2: Search for the hex string pattern |03 15 A0 03 | 02 15 A0 13 | 00 10 83 E5 | DA C2 FF EB| (Two addresses should be found)
Step 3: At the first address found, change the 5th & 6th bytes "02 15" to "04 16" for 4MB pagepool
Step 4: Repeat Step No.3 at the 2nd address found
Step 5: Save & Exit the Hex Editor
Step 6: If you are using the OS.nb, start cooking your new ROM with it
Step 7: Flash the new .NBH file to your ELF and enjoy the 4MB True Pagepool
For other pagepool sizes, change the fifth byte "02" to "XX" hex value corresponding to your desired pagepool in Step No.3 & 4. (Remember again that this is hex value, i.e. "04" = 4 MB, "06" = 6 MB, "00" = 0 MB, etc.)
3. [EFFECTS OF ZERO PAGEPOOL:]
No pagepool or zero pagepool will force the device to go into the dynamic mode where the entire RAM can be used for pagepooling without limits. Your device should be snappier but your used RAM memory might suffer at times. It appears to work well for devices like Elf, Prophet, etc. with low RAM memory of 64MB and below. Some tests carried out by the Dynamic Duo ababrekar and htctouchp have confirmed this phenomenon. Tests on Kaiser with 128MB RAM have shown disastrous results: the kaisers were just crawling very slowly... hehe. Some people swore by it and said it's SUPER-FAST! Well, this you've got to find out for yourself...
NOTE: I have intentionally described the steps in detail in the hope that someone who is good in programming will develop a simple "Change Pagepool" program that can do all these with the simple click of a few buttons. Better still if the program can change the pagepool of the ROM that is in use through USB activesync...That will be the day!
HAVE FUN & ENJOY YOUR TRUE PAGEPOOL!
For Reference: SPB Benchmarking on the different pagepools done by pof and Larentius26
For those who want to change pagepool in ELF, the easy way using USB Activesync, download the small Change Pagepool App (ELF) created by tabi13 below:
ChangePPvAS
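The pattern search and byte substitution from the walkthrough above, written out as an added example that is not the thread's tool and not tabi13's app: it locates the 16-byte pattern in a raw OS.nb/.NBH image with the two immediates as wildcards, decodes them as ARM rotated immediates (which is why "03 15" means 12 MB and "XX 16" means XX MB) and rewrites every occurrence. The script name, the argument order and the "exactly two hits" check are this example's own choices, not something the thread specifies.

```python
"""
Pagepool patcher for the Elf/Elfin ROM pattern described in the thread.
Added example, not the thread's tool: finds the 16-byte pattern in a raw
OS.nb/.NBH image, decodes the two ARM immediates and rewrites them in place.
"""
import re
import sys

# The thread's pattern with the two immediates (bytes 0-1 and 4-5) as
# wildcards, so an image that was already patched to another size is found.
#   xx xx A0 03  MOVEQ r1, #imm   (Elfin pagepool)
#   xx xx A0 13  MOVNE r1, #imm   (Elf pagepool)
#   00 10 83 E5  STR   r1, [r3]
#   DA C2 FF EB  BL    ...
PATTERN = re.compile(
    rb"(?P<elfin>..)\xA0\x03(?P<elf>..)\xA0\x13\x00\x10\x83\xE5\xDA\xC2\xFF\xEB",
    re.DOTALL,
)


def decode_arm_imm(two_bytes):
    """Decode the low 16 bits of an ARM data-processing immediate.
    Byte 0 is imm8, the low nibble of byte 1 is the rotate field, and the
    value is imm8 rotated right by 2*rotate: '03 15' -> 3 ror 10 = 0xC00000
    (12 MiB), '12 16' -> 0x12 ror 12 = 0x1200000 (18 MiB)."""
    imm8 = two_bytes[0]
    rot = (two_bytes[1] & 0x0F) * 2
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF


def encode_pagepool_mib(mib):
    """Encode a whole number of MiB the way the thread's tables do: imm8 = MiB,
    rotate field 6 (imm8 ror 12 == imm8 << 20 == imm8 MiB). Fits 0..255 MiB."""
    if not 0 <= mib <= 255:
        raise ValueError("pagepool must be 0..255 MiB for this encoding")
    return bytes([mib, 0x16])


def read_pagepools(rom):
    """Return [(offset, elfin_bytes, elf_bytes)] for every pattern hit."""
    return [
        (m.start(), decode_arm_imm(m.group("elfin")), decode_arm_imm(m.group("elf")))
        for m in PATTERN.finditer(rom)
    ]


def patch_pagepools(rom, elfin_mib=None, elf_mib=None, expected_hits=2):
    """Rewrite the Elfin and/or Elf pagepool at every hit; return (new_rom, offsets).
    The thread expects exactly two hits in an unmodified 2.20 image, so any other
    count is refused (pass expected_hits=None to override): a wrong count usually
    means the wrong file or a ROM this pattern does not describe."""
    hits = list(PATTERN.finditer(rom))
    if expected_hits is not None and len(hits) != expected_hits:
        raise ValueError(f"found {len(hits)} hit(s), expected {expected_hits}; not patching")
    out = bytearray(rom)
    for m in hits:
        if elfin_mib is not None:
            out[m.start("elfin"):m.end("elfin")] = encode_pagepool_mib(elfin_mib)
        if elf_mib is not None:
            out[m.start("elf"):m.end("elf")] = encode_pagepool_mib(elf_mib)
    return bytes(out), [m.start() for m in hits]


if __name__ == "__main__":
    # usage: pp_patch.py IN.nb OUT.nb ELFIN_MIB ELF_MIB  (names chosen for this example)
    src, dst, elfin, elf = sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])
    with open(src, "rb") as f:
        rom = f.read()
    for off, a, b in read_pagepools(rom):
        print(f"{off:#x}: Elfin {a >> 20} MiB, Elf {b >> 20} MiB")
    new_rom, offsets = patch_pagepools(rom, elfin, elf)
    with open(dst, "wb") as f:
        f.write(new_rom)
    print("patched at", [hex(o) for o in offsets])
```

Because the search ignores the two immediate bytes, the same script reads back an image that has already been changed. The thread's 16 MB value "10 16" is not the encoding an assembler would emit for 0x1000000 (that would be "01 14"), but both rotate to the same value, which is what the "MB in hex plus 16" rule relies on. The script only substitutes bytes in place, exactly like the hex-editor method; it does not recompute any checksum or signature the image may carry.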

Universal Page Pool Changer - for Elf/Elfin only
This tool provides support for both Elf/Elfin and 1.1x/2.2x/3.xx ROMs, so it is a true universal Page Pool Changer. It will write to the appropriate area in memory, reboot your device and then read back the new value. This method is much faster than changing the page pool in the ROM file by hand, which requires re-flashing the entire ROM.
To use this: Unzip the attachment, connect your device to ActiveSync and then run pp.bat.
USE AT YOUR OWN RISK. BETA VERSION ONLY SO FAR. ENSURE YOU HAVE THE USPL INSTALLED!
This program would not have been possible without people like Swiftblade, tabi13, ayyu3m, htctouchp, Noonski and other cookers providing the offsets/strings to write to as well as testing it.
Posts for this Universal Testing PP Changer starts here:
http://forum.xda-developers.com/showpost.php?p=2585064&postcount=123
UPDATE: Now working with all 3.xx ROMs, INCLUDING 3.xx ROMs with ULDR removed.
STILL TO DO: 2.xx ROMs with ULDR removed
SCREENSHOT #1 - Changing Page Pool:
SCREENSHOT #2 - Reading back the new value after reboot (reboot time is partly dependent on the new page pool size):
I will need feedback for the following:
1) Elf with 2.2x ROM
2) Elfin with 2.2x ROM
3) Elf with 1.1x ROM
4) Elfin with 1.1x ROM (NOTE: don't flash a 1.1x shipped ROM on your Elfin! Use just the OS ROM)
5) Elfin with 2.81 ROM*
6) Elf with 3.xx ROM
7) Elfin with 3.xx ROM
*It looks like Elfins that come installed with a 2.81 stock ROM do not contain the Page Pool values at the expected locations. If you however flash the dumped 2.81 ROM to a non-2.81 Elfin, the PP is read correctly on the non-2.81 Elfin.

cool walkthrough brother.. cool.. keep it up.. hope to see a nice pagepool changing software someday by some programmer

Swiftblade said:
Oops... some errors here. Thanks bro for pointing them out. I will edit them in a moment.
thanks for such an explanatory post bro
i've one question though. i modified the PP of my ROM to 16 MB and after flashing just when i got the prompt for screen alignment, i got some errors showing some exe's not able to run namely replog.exe, tskschedule.exe and 3-4 others. i didn't modify anything else in the ROM.

how is the hex value calculated? i want a 6mb pp for which i don't know what the hex value would be.. is there a calculator or something? so i won't have to ask each time

htctouchp said:
thanks for such an explanatory post bro
i've one question though. i modified the PP of my ROM to 16 MB and after flashing just when i got the prompt for screen alignment, i got some errors showing some exe's not able to run namely replog.exe, tskschedule.exe and 3-4 others. i didn't modify anything else in the ROM.
Hi htctouchp.. did you change the "03 15" at both occurrences in the .nbh file? The pattern should only appear twice, if not something is very wrong.. just curious.. did you use the os.nb or the .nbh file?

Swiftblade said:
Hi htctouchp.. did you change the "03 15" at both occurrences in the .nbh file? The pattern should only appear twice, if not something is very wrong.. just curious.. did you use the os.nb or the .nbh file?
actually i tried this just 5 mins before ur post, in the manner explained by dutty(and ameet), first edited the S000 of nk.exe and then modified the os.nb and while editing the os.nb, i found this pattern just once, not twice.

ababrekar said:
how is the hex value calculated? i want a 6mb pp for which i don't know what the hex value would be.. is there a calculator or something? so i won't have to ask each time
Some numbers in hex:
"00" = 0
"01" = 1
"02" = 2
"03" = 3
"04" = 4
"05" = 5
"06" = 6
"07" = 7
"08" = 8
"09" = 9
"0A" = 10
"0B" = 11
"0C" = 12
"0D" = 13
"0E" = 14
"0F" = 15
"10" = 16
"11" = 16+1 = 17
"12" = 16+2 = 18
"13" = 16+3 = 19
.....

Swiftblade said:
Some numbers in hex:
"00" = 0
"01" = 1
"02" = 2
"03" = 3
"04" = 4
"05" = 5
"06" = 6
"07" = 7
"08" = 8
"09" = 9
"0A" = 10
"0B" = 11
"0C" = 12
"0D" = 13
"0E" = 14
"0F" = 15
"10" = 16
"11" = 16+1 = 17
"12" = 16+2 = 18
"13" = 16+3 = 19
.....
cool.. so for 4mb pp, i have "04 16"
for 6mb pp, i should have "06 16"
and for 8mb pp, i should have "08 16"
rite? thanks for the prompt reply brother

htctouchp said:
actually i tried this just 5 mins before ur post, in the manner explained by dutty(and ameet), first edited the S000 of nk.exe and then modified the os.nb and while editing the os.nb, i found this pattern just once, not twice.
hi htctouchp... the string pattern in Kaiser is different from ELFin and that explains why you found it once. So you probably edited some .exe program instead of the pagepool.
Search for the string pattern as given above and try it again. Should work, and forget about nk.exe, just do it on the .NBH file straightaway and re-flash it back to your device. Cheers.

Swiftblade said:
hi htctouchp... the string pattern in Kaiser is different from ELFin and that explains why you found it once. So you probably edited some .exe program instead of the pagepool.
Search for the string pattern as given above and try it again. Should work, and forget about nk.exe, just do it on the .NBH file straightaway and re-flash it back to your device. Cheers.
no bro...i meant i only used that method..but the string which i used was the same as the one mentioned by u.

htctouchp said:
no bro...i meant i only used that method..but the string which i used was the same as the one mentioned by u.
What ROM are you using? 1.17.xxx or 2.20.xxx ??
If you are using the 2.20.xxx rom and editing the .NBH file, the addresses found should be at 0X438DC and 0X353637... try searching again...

Swiftblade said:
What ROM are you using? 1.17.xxx or 2.20.xxx ??
If you are using the 2.20.xxx rom and editing the .NBH file, the addresses found should be at 0X438DC and 0X353637... try searching again...
yup, the strings are at these very addresses mentioned by u bro and i use 2.20.xxx ROM

Excellent.... have been waiting for this. Good job!

THANK YOU!
thank you!
Finally I am able to get new ROMs with proper 4MB pagepool on my puny Elf!!!
Tried the trick on Ameet's 4.01 UC rom, and it worked.

zeflash said:
THANK YOU!
thank you!
Finally I am able to get new ROMs with proper 4MB pagepool on my puny Elf!!!
Tried the trick on Ameet's 4.01 UC rom, and it worked.
pkoper said:
Excellent.... have been waiting for this. Good job!
We are here to share and it's good to know that it is of help to you bros.... Enjoy the true pagepool... keke c",)
htctouchp said:
yup, the strings are at these very addresses mentioned by u bro and i use 2.20.xxx ROM
How did it go? Manage to solve the problem? I re-looked at your problem and it might not be related to the pagepool change.
I suspect one or two things: UC and/or SQM removed from your Rom... ?? And again I may be very wrong.... Cheers.

Swiftblade said:
I suspect one or two things: UC and/or SQM removed from your Rom... ?? And again I may be very wrong.... Cheers.
even i can find only one instance of the hex string if i try to edit the nbh or nb file directly.. but i have the sqm removed from my rom, is that why?

ababrekar said:
even i can find only one instance of the hex string if i try to edit the nbh or nb file directly.. but i have the sqm removed from my rom, is that why?
They are 2 separate issues. I'm saying that if SQM module in WM6.1 is not removed properly, it can cause some of the .dlls not loading as mentioned by Aman.
Ameet bro... you mean you can only find one instance of the hex string in your roms? Only possibility of that happening is when the nk.exe in the XIP was removed during porting.... Now this get me thinking, maybe we need to hex edit only once, i.e. the higher offset at 0X353637....ummh...
The one instance of hex string is at the higher offset address in your case?

Swiftblade said:
They are 2 separate issues. I'm saying that if SQM module in WM6.1 is not removed properly, it can cause some of the .dlls not loading as mentioned by Aman.
Ameet bro... you mean you can only find one instance of the hex string in your roms? Only possibility of that happening is when the nk.exe in the XIP was removed during porting.... Now this get me thinking, maybe we need to hex edit only once, i.e. the higher offset at 0X353637....ummh...
The one instance of hex string is at the higher offset address in your case?
yes it is the highest offset.. but i tried this trick on a rom in which i had already hex edited the S000 in nk.exe and then after cooking i could find only one instance.. but the trick of directly editing the nb file didn't work for me (or maybe i did something wrong, which i'll try again) but the nk.exe trick and then nb files worked like a charm for me

ababrekar said:
even i can find only one instance of the hex string if i try to edit the nbh or nb file directly.. but i have the sqm removed from my rom, is that why?
Well, I found 2 instances of the hex chain in your 4.01 rom (nbh direct edit). You might want to check again

Related

BETA Project: A Gold Card for the Prophet

After a lengthy discussion with some developers on this board, I'm going to try and see if it is possible to create a Gold Card for the Prophet.
This is a very low level process, so ONLY try to follow along if you really know what you are doing !!!
So, what are we going to do? Well, create an SD image to be able to un-brick a Prophet (hopefully)
As this SD image will try to circumvent the bootloader security it is called a Gold Card.
We will use itsme's typhoonnbfdecode.pl to create this image. (Thx to itsme for his great tool set !)
Creating a "normal" SD image isn't that hard, the trick comes when you need to fool the bootloader and bypass the security.
Steps:
1. Find out what your docuniqueid is (may not be needed, but nice to have anyway)
2. Find out what your cardid is
3. Change the first two digits of the cardid to 00
4. Find out which -p keys to use (my guess is tornado)
5. Extract IPL/SPL/GSM/OS/SPLASH from a original ROM for the correct model (G3 or G4)
6. Use typhoonnbfdecode.pl to create an SD image (gold card)
7. Test the sucker in my bricked G3
So, let's try to get something working:
I will skip step 1 for now as Its not needed.
2. To get the cardid we need to read a memory dump from another Prophet with the sd card inside
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
we are dumping the section of memory where device.exe is running (you can check this with pps)
In this memory dump we search for the unicode string 'Memory Card'
This is where I am at the moment, as the above was done on another HTC device I think I need to search for a new mem location where the cardid is stored.
So any people reading this that know another way of getting the sd cardid, let me know.
Example cardids:
# 55 4500 accf6300 55 3832314453 4453 03 'UE...c.U821DSDS.' .. my minisd
# 3f 5100 09531f40 03 424d383231 4e49 18 '?Q..S.@.BM821NI.' .. my kingston
# 3f 3c00 65ba4764 07 3832314453 4d54 02 '?<.e.Gd.821DSMT.' .. my daneelec
# 00 4200 0f588942 41 4238323153 4150 01 .... bjorns sdcard
glad to help you
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.
AbuYahya said:
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.
Don't worry, I will update as I find out more
Hi,
Few months back I tried to make one for my device but was unsuccessful as I was not able to get the DOC uniqueID and finding the SD card's unique ID is a hell of a job.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Don't remember the exact location but will let you know (taken somewhere from XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
Finding out the cardid (this is more difficult)
first find out the section of device.exe with pps usually it is 0x06000000. then save this section to a file using:
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
then in this memory dump, search for the unicode string 'Memory Card':
findstr "Memory Card" deviceexe.mem
then dump the memory starting 0x18 bytes before where memory card was found:
dump deviceexe.mem -o 0x90a2a0 -l 0x90
this results in something like this:
0090a2a0: 53 42 44 53 ec 00 00 00 f0 6f b7 03 00 00 00 00 SBDS.....o......
0090a2b0: 68 ea 8f 00 00 00 00 00 4d 00 65 00 6d 00 6f 00 h.......M.e.m.o.
0090a2c0: 72 00 79 00 20 00 43 00 61 00 72 00 64 00 00 00 r.y. .C.a.r.d...
0090a2d0: 63 00 65 00 30 00 00 00 00 00 00 00 00 00 00 00 c.e.0...........
0090a2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
0090a300: 30 b1 90 00 68 bf 90 00 70 12 b5 03 5c a9 00 80 0...h...p...\...
0090a310: ff 00 00 00 00 55 45 00 ac cf 63 00 55 38 32 31 .....UE...c.U821
0090a320: 44 53 44 53 03 ab 40 40 92 ff 4f fa fe c0 83 59 DSDS..@@..O....Y
note: the SBDS signature needs to be there.
the 16 bytes starting at 0x90a315, 55 45 00 ac ... etc are the cardid.
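Locating and decoding the cardid from a device.exe dump, as an added example that is not part of the thread: it applies the search described above (UTF-16 'Memory Card', 'SBDS' signature 0x18 bytes before it) to the posted dump and reads the 16 bytes at 0x90a315. The 0x75 distance between the signature and the cardid, and the use of the signature as a validity check, are taken from that one dump and are assumptions for any other build (the thread itself says the location differs on other devices). The decoding follows the SD CID register layout with the bytes reversed, because the dump holds the CID as a little-endian 128-bit value; that reversal is checked against the example cardids listed earlier in the thread and yields readable vendor and product fields for each of them.

```python
"""
Find the SD card-ID record in a device.exe memory dump and decode it.
Added example, not from the thread. Offsets come from the dump posted there.
"""
import struct

# Constructed sample: the 0x90 bytes at 0x90a2a0 from the dump posted in the thread.
SAMPLE_BASE = 0x90A2A0
SAMPLE_DUMP = bytes.fromhex(
    "53424453ec000000f06fb70300000000"
    "68ea8f0000000000" "4d0065006d006f00"
    "7200790020004300" "6100720064000000"
    "6300650030000000" "0000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000" "02000000"
    "30b1900068bf9000" "7012b5035ca90080"
    "ff00000000554500" "accf630055383231"
    "4453445303ab4040" "92ff4ffafec08359"
)

SIGNATURE = b"SBDS"
NAME = "Memory Card".encode("utf-16-le")
NAME_OFFSET = 0x18     # 'Memory Card' relative to the signature (from the thread)
CARDID_OFFSET = 0x75   # 0x90a315 - 0x90a2a0 in the posted dump (assumed fixed per build)
CARDID_LEN = 16


def find_card_records(dump, base=0):
    """Return [(absolute_record_address, cardid_bytes)] for every 'Memory Card'
    record that carries the SBDS signature; hits without it are skipped rather
    than guessed at, since the layout is only known for this one dump."""
    found = []
    pos = dump.find(NAME)
    while pos != -1:
        rec = pos - NAME_OFFSET
        end = rec + CARDID_OFFSET + CARDID_LEN
        if rec >= 0 and dump[rec:rec + 4] == SIGNATURE and end <= len(dump):
            found.append((base + rec, dump[rec + CARDID_OFFSET:end]))
        pos = dump.find(NAME, pos + 1)
    return found


def decode_cid(cardid):
    """Decode the 16-byte cardid as the SD CID register. In the dump it is stored
    as a little-endian 128-bit value, so reversing the bytes gives the SD field
    order: MID, OID, PNM, PRV, PSN, MDT, CRC7|1."""
    cid = bytes(reversed(cardid))
    mdt = ((cid[13] & 0x0F) << 8) | cid[14]          # 12-bit manufacturing date
    return {
        "mid": cid[0],                                 # manufacturer ID
        "oid": cid[1:3].decode("ascii", "replace"),    # OEM/application ID
        "pnm": cid[3:8].decode("ascii", "replace"),    # product name
        "prv": f"{cid[8] >> 4}.{cid[8] & 0x0F}",       # product revision
        "psn": struct.unpack(">I", cid[9:13])[0],      # serial number
        "year": 2000 + (mdt >> 4),
        "month": mdt & 0x0F,
        "stop_bit": cid[15] & 1,                       # always 1 in a genuine CID; CRC7 not verified here
    }


if __name__ == "__main__":
    for addr, cardid in find_card_records(SAMPLE_DUMP, SAMPLE_BASE):
        print(f"record at {addr:#x}: cardid {cardid.hex()}")
        print(decode_cid(cardid))
```

Decoding the posted cardid gives manufacturer ID 0x03, OEM "SD", product "SD128", revision 5.5, manufactured 2004-05, i.e. the card identity the gold card image has to carry. Read in this reversed order, the "first two digits" of the dumped cardid that step 3 above says to change are the CID's final CRC7/stop-bit byte.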
DoCtOr_X said:
Hi,
Few months back I tried to make one for my device but was unsuccessful as I was not able to get the DOC uniqueID and finding the SD card's unique ID is a hell of a job.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Don't remember the exact location but will let you know (taken somewhere from XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
If you look at my post above you can see I'm doing the same
however, pdocread on a bricked phone obviously doesn't work; however the docuniqueid MIGHT not be needed.
for cardid it's trickier, as the cardid seems to be hidden in a different memory location than normal (read, older devices)
I'm trying several things to get to this
I just bought a new cardreader, so I can continue testing this
Hi,
Wish u best of luck but unfortunately I have no success.
Any Success ????
working on something that might get us a working gold card
stay tuned
Ok, it's possible to create a gold card, meaning, that I can create an SD that will lower the sec level to 0
This is nice, however doesn't help (yet) with the G3/G4 wrong SPL problem.
But it is one step closer as it is now confirmed that you lower the sec level using this method.
Next step will be to see if I can "update" an existing G3 SD Image with the cardid of my card and get it to boot.
I know it might not make sense what I'm saying now, but it's just an update on the progress made so far, and yes I will update the first post with a how to.
more later.
Nice, keep up the good work!
Well Done, I am really amazed.
Thanks & please keep it up.
So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...
cr0ssy said:
So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...
It MIGHT be, but I haven't tried that yet
Huh they are very similar
Hi Jesterz so far I have the same problem as you are with my dev g3
with spl from g4
So did you get your device to boot or what ideas do you have
Maybe this will help us Customize_rom_PDAMobiz_Editon_Upgrade_Rom_for_IPLSPL_2.15.0001_v.1.02
Help
Dear Jesterz, could you please help me. I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3 so I did not read your post carefully. It passed but the device still stays in bootloader mode. Is it possible to solve my problem and how? I have no other Prophet to make a goldcard. Thanks in advance
mjankovic said:
Dear Jesterz, could you please help me. I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3 so I did not read your post carefully. It passed but the device still stays in bootloader mode. Is it possible to solve my problem and how? I have no other Prophet to make a goldcard. Thanks in advance
Now u must also wait for the GoldCard project....
Yes thank you very much doctor_x so would you please let me know when it is finished and where I can find it
Hi,
If I'm not missing anything, there are actually two types of ID's for SD cards:
1. "Hardware ID", that is truly low-level and is provided by the card manufacturer.
You can use Pocket Mechanic to read it, but I have no idea how you can manage to change it. Please let me know if you have a solution on this one.
2. Let's call it "software id" - an id that you get after your card is formatted (something like a partition id) - you can use a card-reader and some software like Acronis Partition Expert to read and change it.
mjankovic said:
Yes thank you very much doctor_x so would you please let me know when it is finished and where I can find it
The main person involved in this project is "Jesterz". I was about to give up when Jesterz started a new effort and infused new spirit into the project.
Now let's hope it works but up till now no breakthrough.

Will this method work to bypass devauth ?

I read somewhere that I dont have to SUPER CID to install a 3rd party ROM, or perhaps our WM6 ROM
"Here is how I got the rom to install without the devauth error.
1) use a hex editor on the rom file and search for the devauth.exe string e.g. 44 00 65 00 76 00 41 00
2) between the "devauth" and the "exe" you will see the hex "00 2e".
3) swap these bytes around so they are "2e 00" instead of "00 2e".
4) This will keep the same checksum but will not allow the devauth.exe to run. well it worked in my case at least"
Hope it works
Will the above method works? because my phone is still under warranty, and i dont want to void it so early

Solving Blackberry connect for Prophet

Hi,
I've been trying to connect my Imate jamin with blackberry connect (BES) in vain... I've read that it works... but even the best explanation leaves me stunned (me a Nube) could some one help me solve the mystery??? the write-up from the forum is also attached (green fonts) below... This seemed to have worked for universal...
OK folks, I've got it done. BBC is finally working in WM6 on my Universal...
I was able to prove my theory about the pseudo random os version string. If you have the right string, BBC will work with every ROM.
Here are the steps you need to do in order to get it working (shown on the example of WM6 (J.Wright's last ROM 2.01.08 and BBC 2.1.2.31):
1. Use the famous HTC64 Extended ROM Tool to decode the .nbf from the above ROM
2. Open the resulting .fat (or .nba) file with your favorite HEX-Editor
3. Search for the following hex value (there will be two locations for this, you have to edit both of them)
4F 3F A0 E3 02 30 83 E3 45 2F A0 E3 05 10 A0 E3 02
4. Change it to:
C3 30 A0 E3 02 30 83 E3 45 2F A0 E3 05 10 A0 E3 01
5. Save the changes to your .fat (or .nba) file
6. Use the famous HTC64 Extended ROM Tool again to encode the file back to a .nbf file (ignore the warning about too big .fat file)
7. Flash the .nbf to your device
8. After flashing use a registry editor and go to the following key:
HKLM\System\Versions and edit the Aku string from .0.0.0 to .2.0.0
9. Reboot and install the blackberry connect client
10. From here on do the same steps that are necessary on a normal BBC install
11. You're done..it should work now
The above hex-magic patches the coredll.dll from OS Version 5.2.318 to 5.1.195. In combination with BBC Version 2.1.2.31 this will result in a pseudo random os version string that is allowed to connect to the blackberry network.
Have fun!
Cheers
Pls help... my work demands That I go back to BlackBRICK!!! I guess I am a PPC fan
Pls help!!!
Can someone pls help...

Building NBH files from RAW files for a Kaiser

Well. I've spent 1 week. Yes, one week. I haven't been productive at all because I've dedicated more than 16 hours per day to find one stupid answer to this question:
Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
Listen everybody: I've been looking for this site AND OTHERS, and the only gaseous, not so clear at all, lame answers are: "Oh, oh. You need to use Tadzio´s tools".
And that's it. How the f.... do you think that an answer like that is going to work?
Step by Step instructions, people !!!!!
That's what we need to build knowledgebase.
Most people are lazy and want fast answers without researching. That's why they brick their phones. Others, like me, do our homework but since there isn't anywhere else to ask, I have no choice but to create a new thread since there isn't NO G.. D..N answer in the forum or in the site !!!!
I have my eyes squared and peeled of looking google's, live search and yahoo results.
Please, people, lets recreate the scenario:
You have a kaiser (TyTN II or what ever you want to call it) phone and you decide that, before bricking, or, even in case of bricking it, you want to copy your original ROM and have a copy of it and also BUILD, for chrisake, a flashable ROM to make the restore procedure easy and dandy.
You download itstools and execute pdocread.exe -l to get the RAW files.
Once you get your 4 RAW files, THEN WHAT????
All what I could find is that you can use some tools from Tadzio called imgfstools but, again, and so nice from you, NO INSTRUCTIONS AT ALL !!!!
So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
http://forum.xda-developers.com/showthread.php?p=1968557
"How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
goye said:
. . . Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
. . . So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
I think this is the thread you want, "How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
Thanks, but no thanks ....
Thanks community for your fast reply.
Well, actually that article "How to Reconstruct a Dumped ROM & Reconstructed ROMs" (http://forum.xda-developers.com/showthread.php?t=337066) from jcespi2005 sucks.
He doesn't give any details of how to do it.
I did learn a lot from doctaJay's videos (http://forum.xda-developers.com/showthread.php?t=372469) on his series "Cooking Guides for the Ultimate Noobs- Screencasts".
Now that's helping the community.
But, no. I need to build FROM SCRATCH my own NBH files using my Part0x.raw files. I don't need to use any one's RUU_Signed.nbh file to cook mine. I need to create FROM SCRATCH the NBH file only from my RAW files, with out using any other NBH file!
I mean ----
0. You tweak your registry IN YOUR PDA, not the computer, to change a Security Policy key:
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1
YOU NEED TO USE A Registry Tweaker like RegeditSTG. Google it just as I did.
Once you've done all this, then
1. you pdocread.exe -l your ORIGINAL ROM from your kaiser.
So you get an output like this:
210.38M (0xd260000) FLASHDR
| 3.12M (0x31f000) Part00
| 3.63M (0x3a0000) Part01
| 68.50M (0x4480000) Part02
| 135.13M (0x8720000) Part03
STRG handles:
handle a7486c82 135.13M (0x8720000)
handle a749618e 68.50M (0x4480000)
handle 074aff52 3.63M (0x3a0000)
handle 074aff76 3.12M (0x31f000)
disk a7486c82
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a749618e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff52
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff76
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cute!
2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !
3. Open and HardSPL your phone BEFORE doing ANY FLASHING TASKS or you would really end up with a nice paper holder on your desk.
4. You should find a way to back up your RADIO ROM.
That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download whatever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 MHz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800 MHz - 1900 MHz and 2100 MHz GSM/GPRS networks.
Many stupidly think that flashing a phone's OS is a matter of downloading a g.. d...ed ROM and "bingo", you got your phone done. Actually, because following this guy jcespi2005's ROM (I can't blame him. You can't blame no one for flashing and messing your own ROM, I want to make that CLEAR), my phone doesn't work.
So .... You have to be careful and teach others to be careful, but the best way is to do a comprehensive, all-in-one step-by-step guide that will clarify most of the doubts of people.
5. Cook your own ROM's
I think, personally, that following these steps will prevent most people of bugging their phones and, at least, in the worse scenario, be able to some how restore most of the original condition of the kaiser so we can claim service or guarantee.
---------------------------------------
We have our RAW files from scratch, dumped BEFORE DOING anything that potentially might brick our Kaiser.
Now, before cooking and all that (again, thanks doctaJay for your screencasts, you da man !), I need to know:
HOW CAN I BUILD AN IMAGE FILE FROM TOTALLY SCRATCH JUST USING MY OWN RAW FILES !!!
It is said that we can use imgfstools from Tadzio's, but, as usual, not even a g.. d..med clue here !
Instructions !!
I can commit to post a nice, very in depth screencast for all of the people, but, please, I need to create from scratch, without using ANYONE's dumped image NBH or ROM, a ROM file.
It's as simple as this: How did the FIRST PERSON IN this community manage to create FROM SCRATCH a NBH from his/her RAW files? And let it be told: FOR A KAISER, for chrisake ! Don't compare apples with oranges, even if they tend to behave alike.
See? That's the nature of the question. I'm not interested in COOKING A ROM, using as a base someone else's ROM.
That's the question, community.
Believe me, once I have all these steps mastered, I will make videocasts (screen casts) in both English and Spanish (Maybe Japanese as well).
So, help me out to help others and in that way we can help new users in a better way !
Thanks !
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
STEP 1: Extract the RAW (IMGFS) file to a dump directory
imgfstodump part02.raw
fgs......how much more info do you need.
from the rom reconstruction thread.
jcespi2005 said:
2. Download the WWE BaseROM to use in the reconstruction process here http://rapidshare.com/files/5781641...dio_sign_22.45.88.07_1.27.12.11_Ship.rar.html
3. Download the modified version by Alex of Kaiser Kitchen here, that allows to reconstruct the ROM from the dump. Follow the guide included in the Readme using WWE from previous step and to will get you reconstructed ROM from your device.
sure i admit, that's not that much info, which is why i gave u the link to doctajay's screencasts, watch all his videos, everything you need is there. what more do you want?
I forgot to mention: My network is not GSM or similar and I can't smoke my Radio
tubaking182 said:
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
Also, I already mentioned this (who's not reading?):
goye said:
4. You should find a way to back up your RADIO ROM.
That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download whatever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 MHz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800 MHz - 1900 MHz and 2100 MHz GSM/GPRS networks.
That's why I need to create my own ROM from SCRATCH, not taking other ROMs as a base.

[GUIDE] [MTK] [ARM only] How to reverse LCM driver

Hey, this is my guide for reversing an MTK LCM driver by disassembling the stock compiled kernel (32-bit mode). I hope this helps a lot of people.
NOTE: This should work with lots of LCMs
1* What do you need?
- common sense and patience
-lcm_drv.h (from the same Alps kernel version that your device has, EXAMPLE: 3.18.19 is alps-mp-m0.mp1)
-Your kernel, extracted from your boot.img
-Your kallsyms.txt (see the line on how to get this file)
-7zip
-Notepad ++
-IDA Pro (6.8 or higher)
Optional:
-Ubuntu on Windows 10 (App in Microsoft Store), or Linux in dual boot
-An LCM driver template (to see the structure and to rewrite it with your values)
2* Basic Tutorials
-How to get kallsyms.txt: You need root permission!
#Download a terminal emulator on your phone, grant the app root permission and paste these commands one by one:
Bash:
su
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms > /sdcard/kallsyms.txt
Then you will have your kallsyms.txt in the /sdcard path
-How to get lcm_drv.h
NOTE: lcm_drv.h is located in drivers/misc/mediatek/lcm/inc/lcm_drv.h
Here are some links to Alps kernel sources: (MT6580)
-3.18.19 (alps-mp-m0.mp1): Marshmallow lcm_drv.h
-3.18.35 (alps-mp-n0.mp2): Nougat lcm_drv.h
-3.18.79 (alps-mp-o1.mp2): Oreo lcm_drv.h
3* Steps
-First, right-click on your kernel file and select “7zip” and then “Extract here”. You will get your kernel and another file called “kernel~”. Load the file that 7zip extracted into IDA, selecting ARM Little-endian as the processor type and entering the correct ROM start address and loading address; the value you need to write in both fields is 0xC0008000
-When the kernel is loaded in IDA and the auto-analysis has finished, load kallsyms.txt so that the functions get their real names, which makes everything much clearer to read. To load kallsyms you need an IDA script called “kallsyms_loader.idc”
#Download of the script:
kallsyms_loader
Load the kallsyms.txt with the script and wait for the script to finish importing all the symbols.
-When it finishes, do a string search for “lcm_init” (if your device has more than one LCM, IDA will append numbers to lcm_init, EXAMPLE: lcm_init, lcm_init_1, lcm_init_1_2; so you need to know the name of your main LCM and follow the references to its LCM functions, and you will know the exact lcm_init function that your main LCM uses)
-Now you need to decompile your LCM functions to get the SET_RESET_PIN and MDELAY values. To do that, go to the function and press F5; the output will look like this: (SEE PICTURE)
NOTE:
- SET_RESET_PIN values are only 0 or 1
The 1 and 0 values alternate: it should start with 1, the next will be 0, the next 1...
- MDELAY can be any value.
All the vC1023EC0 entries are SET_RESET_PIN values, and all the vC1023ED0 entries are MDELAY values. In your case these vBlablabla names may vary; you need to take that into account.
There are also some values like “push_table_constrop…” that the driver needs, because they set when the LCM tables are “used”, so you need to write the following in each of these cases:
-If it is the lcm_init function you need to write in your driver:
push_table(lcm_initialization_setting, sizeof(lcm_initialization_setting) / sizeof(struct LCM_setting_table), 1);
-If it is the lcm_suspend function then write:
push_table(lcm_deep_sleep_mode_in_setting, sizeof(lcm_deep_sleep_mode_in_setting) / sizeof(struct LCM_setting_table), 1);
-If it is the lcm_resume function then write:
push_table(lcm_sleep_out_setting, sizeof(lcm_sleep_out_setting) / sizeof(struct LCM_setting_table), 1);
Now that you have finished decompiling all the other LCM functions and written them into your driver, you need to write your lcm_compare_id. This step is very easy, because you only need to write “return 1” in your driver. Here is how you need to write it:
C:
static unsigned int lcm_compare_id(void)
{
return 1;
}
-Now you only need to reverse a harder LCM function, lcm_params; for this step you need your corresponding lcm_drv.h. First go to IDA options and go to “Compiler…”. Set the compiler to “GNU C++”. Go to your lcm_params function and press F5 to decompile it. The output will look like this: (SEE PICTURE)
Right-click on “int”: (SEE PICTURE)
And then click on “Set lvar type”, delete the “int a1” text and write “LCM_PARAMS*”; the output will look like this: (SEE PICTURE)
Now right-click on “a1”, on the same line as in the previous step, but this time click on “Set lvar name” instead of “Set lvar type”; delete the “a1” text and enter “params”.
Now you will have: (SEE PICTURE)
You need to copy into your driver everything from “params->dsi.LANE_NUM = 3;” to “params->dsi.horizontal_blanking_pixel = 60;”, both included.
You are done with the lcm_params function.
-Now you only need to reverse the LCM tables.
THERE ARE TWO METHODS:
FIRST (SOMETIMES IT DOESN’T WORK BECAUSE NOT ALL TABLES ARE COMPATIBLE):
You need a tool called LK.BIN parser, available at: LK.BIN-Parser
So, in your Linux environment open a terminal window and run: git clone https://github.com/Ruben1863/lk.git
Now go to IDA on Windows (this is why I recommend Ubuntu on Windows 10, so you can switch very easily) and go to the LCM function whose table you want to reverse (for the example I will use the lcm_init function), then double-click on the references that your lcm_init function has at its end: (SEE THE PICTURE)
Double-click on the value or the reference (in some cases it is defined through a reference) and you will switch to: (SEE PICTURE)
Now don’t move the cursor, because we need to stay at “ROM:C0D202B8”: in IDA's Hex view you will see the starting address of the table you are reversing. So switch to “Hex View-1”
Here you can see lots of 00s and other values, but you need to copy only the blue-marked ROM values (FF 00 00 00 03 98 81 07), from “FF” to “07”, not the other zeros, because as you can see there are tons of zeros behind. Remember this starting address, because you will need it.
Now switch to your Ubuntu and open the LK.bin parser folder, which is “lk”, in the file explorer. Right-click on the file called “parser.js” and click on “edit with Notepad ++”. When the file opens you will see the structure of the script. Go to the headers, copy the first header and paste it in the second position, like this: (SEE PICTURE)
Now replace the name of the header you copied with your LCM's “first name”, I mean, if your LCM is “hct_ili9881_dsi_vdo_hd_cpt” you only need to use “ili_9881”, and in the code you need to paste the values you copied (FF 00 00 00 03 98 81 07), replacing the header values with yours: (SEE PICTURE)
Now save the file, copy the kernel you extracted with 7zip into the LK.bin parser folder and rename it to lk.bin. Then open Ubuntu. Now you need to change the script permissions, so run “chmod -R 777 lk”, then “cd lk” and “bash installnode.sh”, wait for it to finish installing everything, and then type “nodejs parser.js”; it will start to search for headers. When it finishes you will see the possible tables for your LCM; there can be more than one table, but in this case there is only one possible table: (SEE PICTURE)
So, open the table with Notepad ++; now you need to write the “REGFLAG_DELAY” values into the table. These values are at the end of the file: (SEE PICTURE)
The REGFLAG_DELAY values are easy to spot, because those lines contain only 0x00 parameters; they are the 0xfe entries. Delete all the 0x00 values in the 0xfe, 20… lines, so the output looks like this: (SEE PICTURE)
Now replace both “0xfe” with “REGFLAG_DELAY”; the output needs to look like this: (SEE PICTURE)
Now you only need to copy the whole table and paste it in the place of the lcm_table.
Now repeat these steps to reverse all the other LCM tables (like sleep_out and sleep_in), but only if your LCM has and uses those tables.
METHOD 2 (COMPATIBLE WITH ALL TABLES, BUT MORE TIME NEEDED):
In IDA double-click on the references that your lcm_init function has at its end: (SEE PICTURE)
Double-click on the value or the reference (in some cases it is defined through a reference) and you will switch to: (SEE PICTURE)
Now don’t move the cursor, because we need to stay at the same ROM address “ROM:C0D202B8”: in IDA's Hex view you will see the starting address of the table you are reversing. So, switch to “Hex View-1”
This is where you need a lot of common sense and patience. You have these values (FF 00 00 00 03 98 81 07). Here you need to transcribe every line that is not all 00s.
Example:
FF 00 00 00 03 98 81 07 will be transcribed to => {0xFF, 3, {0x98, 0x81, 0x07}}
You need to skip transcribing the three 00s.
NOTE: in some LCMs the three 00s won’t be there; that is normal.
Example:
FF 03 98 81 07 will be transcribed to => {0xFF, 3, {0x98, 0x81, 0x07}}
You need to do this with EVERY LINE of data.
Example of the next lines:
03 00 00 00 01 20 => {0x03, 1, {0x20}}
04 00 00 00 01 06 => {0x04, 1, {0x06}}
NOTE: the second value (in this case the fifth byte, because we are skipping the three 00s) must be transcribed from hexadecimal to decimal.
When you reach the end of the table you will see it really clearly. So, you need to write at the end of the table:
{REGFLAG_END_OF_TABLE, 0x00, {}}
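As an added example that is not part of this guide, here is a small script that applies the Method 2 transcription rule (and the REGFLAG_DELAY rewrite from Method 1) to the raw table bytes as they sit in the kernel image. It assumes the common MTK layout of struct LCM_setting_table (unsigned int cmd; unsigned char count; unsigned char para_list[64]), which is what produces the “three 00s” after the command byte and the tons of zeros behind each line, and it assumes REGFLAG_END_OF_TABLE is 0x100; check both the layout and that value against your own lcm_drv.h and driver template. The sample bytes are constructed.

```python
import struct

PARA_LIST_LEN = 64            # para_list[64] in the assumed LCM_setting_table
REGFLAG_DELAY = 0xFE          # delay marker, as in the guide's tables
REGFLAG_END_OF_TABLE = 0x100  # assumed value; confirm against your driver

def entry_size(cmd_size):
    """Bytes per table entry: cmd + count + para_list, padded to cmd alignment."""
    raw = cmd_size + 1 + PARA_LIST_LEN
    return (raw + cmd_size - 1) // cmd_size * cmd_size   # 72 for u32 cmd, 66 for u8

def pack_entry(cmd, count, params, cmd_size=4):
    """Build one entry as it would appear in the kernel image (constructed sample data)."""
    fmt = "<I" if cmd_size == 4 else "<B"
    body = struct.pack(fmt, cmd) + bytes([count]) + bytes(params)
    return body.ljust(entry_size(cmd_size), b"\x00")

def parse_table(blob, cmd_size=4):
    """Split raw bytes into (cmd, count, params) tuples, stopping at end-of-table.
    cmd_size=4 covers the 'FF 00 00 00 03 ...' case, cmd_size=1 the 'FF 03 ...' case."""
    size, fmt = entry_size(cmd_size), ("<I" if cmd_size == 4 else "<B")
    entries = []
    for off in range(0, len(blob) - size + 1, size):
        chunk = blob[off:off + size]
        cmd = struct.unpack_from(fmt, chunk, 0)[0]
        count = chunk[cmd_size]                          # the "fifth" byte in the guide
        params = list(chunk[cmd_size + 1:cmd_size + 1 + count])
        entries.append((cmd, count, params))
        if cmd == REGFLAG_END_OF_TABLE:
            break
    return entries

def to_c_lines(entries):
    """Render entries as the C initializer lines the driver's lcm table expects."""
    lines = []
    for cmd, count, params in entries:
        if cmd == REGFLAG_END_OF_TABLE:
            lines.append("{REGFLAG_END_OF_TABLE, 0x00, {}}")
        elif cmd == REGFLAG_DELAY:
            lines.append(f"{{REGFLAG_DELAY, {count}, {{}}}}")     # count = delay in ms
        else:
            plist = ", ".join(f"0x{p:02X}" for p in params)
            lines.append(f"{{0x{cmd:02X}, {count}, {{{plist}}}}}")  # count in decimal
    return lines

# Constructed sample: the guide's first three lines, a delay entry and the terminator.
SAMPLE_ENTRIES = [(0xFF, 3, [0x98, 0x81, 0x07]), (0x03, 1, [0x20]),
                  (0x04, 1, [0x06]), (REGFLAG_DELAY, 120, []),
                  (REGFLAG_END_OF_TABLE, 0, [])]
SAMPLE_BLOB = b"".join(pack_entry(*e) for e in SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(SAMPLE_BLOB[:8].hex(" ").upper())   # FF 00 00 00 03 98 81 07
    for line in to_c_lines(parse_table(SAMPLE_BLOB)):
        print("    " + line + ",")
```

To use it on a real image, read the bytes starting at the table address you noted in Hex View-1 and pass them to parse_table; with a byte-wide cmd the end-of-table marker in your header will differ from 0x100 and must be adjusted.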
NOW YOU ARE DONE, YOU REVERSED YOUR LCM DRIVER
4* Help needed?
If you can’t get your LCM working properly, or if you got stuck at some point in the guide, you can contact me:
Telegram: Ruben1863
Discord: rub3n1863#5484