Hi,
Maybe some of you allready knows those stuff. But I never seen any real subjet/tutorial about it. So, here it is
Be warned this is rather intended for advanced users. Later, I'll maybe update my different tools to use this feature/option in a more accessible/automated way.
Of course, all credit goes to Judges who made this possible with NORway.
For a long time it stuck in my head. Namely, only flash the "Per Firmware" area of a NOR flash instead of the entire NOR each time. A little bit as the "differential flashing" on NANDs.
This is more safe since it does not touch to the very important "Per Console" data. So, if any corruptions have been introduced to your dump file during read process (some corruptions can be undetectable by checkers), it will not be reproduced to your NOR flash memory.
I will not develop furthermore, I think everyone understands the value of the thing.
And I knew the script "Norway" by Judges has functionalities to write, erase, verify defined blocks, but I never really considered the question till now...
In any case, this trick does not exempt you to do everything to get a valid full dump before to attempt to modify your flash memory. It is and it will always remain the golden rule. Consider it only as an additional precaution.
First, what are NORway capabilities exactly?
Looking at the NORway help screen:
So, basically we learn we can ask to NORway to write from a given address in the NOR (or erase, or verify). The default adress is 0x0 (which is the beginning of the NOR. It sounds logic). It is also indicated that the addresses must be a multiple of 0x20000 (131072 Bytes, 131072/1024 = 128 KB. This represents the size of a block. I would go back further.)
However important questions remain unanswered:
- It start to write from a given adress, Ok. But, when it stops? (as exemple, we have the booldr to the end of NOR and we don't want to overwrite it)
- What kind of file must we use as template for writing? The full dump? A piece of dump?
To answer, I dived into the NORway code. I'll not make the demonstration here (but you can have a look here).
Finally, full rules are:
- NORway write block by block of 128KB (0x20000) (there are available variants for Samsung K8Q2815UQB but I will not go into these useless details).
- NORway can begin writing from a given block address (a multiple of 128KB, so a multiple of 0x20000).
- NORway write the entire template file content (dump) starting from the given block address, and will stop only when he has written all data contained in that file (or until it arrives at the end of the NOR ..?).
- If the size of the template file content (dump) is not a multiple of the size of a block (128KB, 0x20000), it will truncate the last data (it will not write them).
Based on those rules, we can say it is not a complete dump file that is required for our perfirmware partial write, but a piece of dump (or patchs assembly) gathering perfirware data we want to write. And no more. The size of this file must be an exact multiple of 0x20000 (128KB).
Then, looking at Per Firware data:
Based on our Holy Scriptures (wiki), Per Firmware data are "trvk"s and "ROS"s. Basically, the data we modify (patch) for jailbreaking.
With:
First good news, all data are contiguous. So we can write them in "one shot" using a single file.
Second good news, data begin at an address that is a multiple of 0x20000 (0x40000).
Third good news, whole data is a multiple of 0x20000:
0x20000 x 4 + 0x700000 x 2 = 0xE80000 (total size of perfirmware data)
0xE80000 / 0x20000 = 116 (116 full blocks)
All the conditions are there
Note it also work if you just want ROSs with a total size of 0xE00000 (0x20000 x 112) starting at address 0xC0000 (0x20000 x 6).
So, theory is done. Let's go to practice.
Create PerFirmware template file :
We could create one from scratch using existing patches but that would be a bit painful and may miss some additional data (ROS headers).
So, the simplest is to start on a clean patched dump file.
Basically, as you certainly understood, it is simply to copy the whole data starting from offset 0x40000, length 0xE80000. Then paste and save to a new file.
We now have our perconsole template for the write. A file with a size of 15204352 bytes exactly (0xE80000). Either 14848 KB or 14,5 MB.
(Note that perfirmware data is 90% of the complete dump. It will not save much flash time).
Those data can be flashed on any console obviously. And there is no need to redo a template for each console till you want to change patchs versions.
For you, perfirmware templates I made (if you want to try them or compare):
- perfirmware template patched 4.75 no-fsm : https://www.dropbox.com/s/ojih79x3jc97qnl/perfw475_patched.zip?dl=1
- perfirmware template patched 3.55 FSM : https://www.dropbox.com/s/dn3qyw42b89ao4r/perfw355_patched.zip?dl=1
Write PerFirmware data to NOR :
So far, nothing complicated. This is a classic write but using the perfirmware data template file and the start address where they must be written. 0x40000 in this case (not to forget the "0x" in front and do not forget some "0" otherwise it will not be written where it should...):
Command example :
Once done, you can dump again and compare with your original patched dump. They should be exactly the same.
Finally a quick demonstration video (in french... sorry).
[video=youtube;7pmvQRJxgx4]https://www.youtube.com/watch?v=7pmvQRJxgx4[/video]
Enjoy your flash
Maybe some of you allready knows those stuff. But I never seen any real subjet/tutorial about it. So, here it is
Be warned this is rather intended for advanced users. Later, I'll maybe update my different tools to use this feature/option in a more accessible/automated way.
Of course, all credit goes to Judges who made this possible with NORway.
For a long time it stuck in my head. Namely, only flash the "Per Firmware" area of a NOR flash instead of the entire NOR each time. A little bit as the "differential flashing" on NANDs.
This is more safe since it does not touch to the very important "Per Console" data. So, if any corruptions have been introduced to your dump file during read process (some corruptions can be undetectable by checkers), it will not be reproduced to your NOR flash memory.
I will not develop furthermore, I think everyone understands the value of the thing.
And I knew the script "Norway" by Judges has functionalities to write, erase, verify defined blocks, but I never really considered the question till now...
In any case, this trick does not exempt you to do everything to get a valid full dump before to attempt to modify your flash memory. It is and it will always remain the golden rule. Consider it only as an additional precaution.
First, what are NORway capabilities exactly?
Looking at the NORway help screen:
So, basically we learn we can ask to NORway to write from a given address in the NOR (or erase, or verify). The default adress is 0x0 (which is the beginning of the NOR. It sounds logic). It is also indicated that the addresses must be a multiple of 0x20000 (131072 Bytes, 131072/1024 = 128 KB. This represents the size of a block. I would go back further.)
However important questions remain unanswered:
- It start to write from a given adress, Ok. But, when it stops? (as exemple, we have the booldr to the end of NOR and we don't want to overwrite it)
- What kind of file must we use as template for writing? The full dump? A piece of dump?
To answer, I dived into the NORway code. I'll not make the demonstration here (but you can have a look here).
Finally, full rules are:
- NORway write block by block of 128KB (0x20000) (there are available variants for Samsung K8Q2815UQB but I will not go into these useless details).
- NORway can begin writing from a given block address (a multiple of 128KB, so a multiple of 0x20000).
- NORway write the entire template file content (dump) starting from the given block address, and will stop only when he has written all data contained in that file (or until it arrives at the end of the NOR ..?).
- If the size of the template file content (dump) is not a multiple of the size of a block (128KB, 0x20000), it will truncate the last data (it will not write them).
Based on those rules, we can say it is not a complete dump file that is required for our perfirmware partial write, but a piece of dump (or patchs assembly) gathering perfirware data we want to write. And no more. The size of this file must be an exact multiple of 0x20000 (128KB).
Then, looking at Per Firware data:
Based on our Holy Scriptures (wiki), Per Firmware data are "trvk"s and "ROS"s. Basically, the data we modify (patch) for jailbreaking.
With:
Code:
Name Start Offset End Offset Size (h)
trvk_prg0 0x040000 0x05FFFF 0x20000
trvk_prg1 0x060000 0x07FFFF 0x20000
trvk_pkg0 0x080000 0x09FFFF 0x20000
trvk_pkg1 0x0A0000 0x0BFFFF 0x20000
ros0 0x0C0000 0x7BFFFF 0x700000
ros1 0x7C0000 0xEBFFFF 0x700000First good news, all data are contiguous. So we can write them in "one shot" using a single file.
Second good news, data begin at an address that is a multiple of 0x20000 (0x40000).
Third good news, whole data is a multiple of 0x20000:
0x20000 x 4 + 0x700000 x 2 = 0xE80000 (total size of perfirmware data)
0xE80000 / 0x20000 = 116 (116 full blocks)
All the conditions are there
Note it also work if you just want ROSs with a total size of 0xE00000 (0x20000 x 112) starting at address 0xC0000 (0x20000 x 6).
So, theory is done. Let's go to practice.
Create PerFirmware template file :
We could create one from scratch using existing patches but that would be a bit painful and may miss some additional data (ROS headers).
So, the simplest is to start on a clean patched dump file.
Basically, as you certainly understood, it is simply to copy the whole data starting from offset 0x40000, length 0xE80000. Then paste and save to a new file.
- open your clean patched dump with HxD then select and copy the whole perconsole data (offset 0x40000, length 0xE80000) :
- Open a new file, paste copied data then save:
That's all
- Open a new file, paste copied data then save:
That's all
(Note that perfirmware data is 90% of the complete dump. It will not save much flash time).
Those data can be flashed on any console obviously. And there is no need to redo a template for each console till you want to change patchs versions.
For you, perfirmware templates I made (if you want to try them or compare):
- perfirmware template patched 4.75 no-fsm : https://www.dropbox.com/s/ojih79x3jc97qnl/perfw475_patched.zip?dl=1
- perfirmware template patched 3.55 FSM : https://www.dropbox.com/s/dn3qyw42b89ao4r/perfw355_patched.zip?dl=1
Write PerFirmware data to NOR :
So far, nothing complicated. This is a classic write but using the perfirmware data template file and the start address where they must be written. 0x40000 in this case (not to forget the "0x" in front and do not forget some "0" otherwise it will not be written where it should...):
Command example :
Code:
norway.py com6 write perfw475_patched.bin 0x40000Finally a quick demonstration video (in french... sorry).
[video=youtube;7pmvQRJxgx4]https://www.youtube.com/watch?v=7pmvQRJxgx4[/video]
Enjoy your flash
Last edited:
