Collected notes

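Structure of Huawei oeminfo:

The unlock flag has type 5D.
Changing 5D to 00 means no flag is set.

Red alert: 0x66
The root flag has type 43.
Change the 08 below it to 06.
Change 01 00 00 00 to 00 00 00 00 (old stat)
Change 01 00 00 00 to 00 00 00 00 (now stat)
Change 23 B7 29 57 to 00 00 00 00 (change time)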

Android boot/recovery signing command:

java -jar $scriptdir/keystore_tools/BootSignature.jar /boot new-boot.img $scriptdir/keystore.pk8 $scriptdir/keystore.x509.pem new-boot.img.signed

 

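Searching without error messages on Ubuntu:

On Linux, the find command is available to most users and is not reserved for the root administrator. Ordinary users can still run into a problem with it, though: root can make certain directories inaccessible, so an ordinary user has no permission to search those directories or files with find. When an ordinary user runs find against them, "Permission denied" messages appear and the system cannot find the file you want. To avoid these errors, redirect the error messages while searching. Enter:
find / -name access_log 2>/dev/null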

 

Fix for kallsyms showing all zeros:

echo 0 > /proc/sys/kernel/kptr_restrict
(or: sysctl -w kernel.kptr_restrict=0)

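Personal fix for the 0x163 error when flashing an allwinner a13 package:

Put simply, some ROMs for the allwinner a13 verify the data partition, and flashing still fails even with the original data.fex. The workaround is to reverse PXTOOLS _xxxxxxxxxxxxxxxx.fex in IDA and modify its CRC check module.
Then add the following to image.cfg:

{filename = INPUT_DIR .. "_input\\diskfs.fex",   maintype = ITEM_ROOTFSFAT16, subtype = "DISKFS_000000000",},

{filename = INPUT_DIR .. "_input\\data.fex",     maintype = ITEM_ROOTFSFAT16, subtype = "DATA_00000000000",},


and comment out the earlier OEM section.

Finally, copy each fex named in the cfg into the _input directory, then run create.

The debug output for the failing part is as follows: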

[680] Img_OpenItem: cannot find item RFSFAT16 VDATA_0000000000        
00000387        133.70664978        [680] PANIC : image_manager_read_item() : input == NULL,wantLen=65536        
00000388        133.70672607        [680] ERR: get_packet_verify_data, image_manager_read_item failed        
00000389        133.70678711        [680] PANIC : image_manager_close_item() : input == NULL        
00000390        133.70683289        [680] ERR: get_packet_verify_data, image_manager_close_item failed        
00000391        133.80035400        [680] INFO: ID = 1, pc_crc = 0x0, fex_crc = 0x0, nand_crc = 0x5f69c09f        
00000392        133.80043030        [680] ERR : check_crc32_form_efex, pc_crc != nand_crc        
00000393        133.80049133        [680] err: download_packet, check_crc32_form_efex failed        
00000394        133.80055237        [680] ERR: step_download_firmware, download_packet failed        
00000395        133.80085754        [680] ERR : ID=1, fes_thread() : step 163 ,fail


Tool used: Uberizer.

 

adb shell command to get an Android phone's IMEI and phone type:

adb shell dumpsys iphonesubinfo

 

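Writing a command into CACHE so that recovery flashes automatically:

Build a cache image containing /cache/recovery/command, put the auto-flash script in command, and push the zip package to the sdcard. Then run adb reboot bootloader, fastboot flash cache cache.img, and then fastboot boot recovery.img. See whether it boots into recovery and flashes automatically.

A normal recovery checks at startup whether /cache/recovery/command exists and, if it does, executes the commands in that file.

Writing command like this should probably work. Test it and see.

--wipe_cache
--wipe_data
--update_package=SDCARD:update.zip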

 

Samsung: changing the default boot language code:

Edit customer.xml. For Chinese:

<Country>China</Country>
<CountryISO>CN</CountryISO>
<Region>CHN</Region>
<SalesCode>CHU</SalesCode>

For English:

<Country>USA</Country>
<CountryISO>US</CountryISO>
<Region>NA</Region>
<SalesCode>TMB</SalesCode>

Connecting an Android phone to Ubuntu:

- Log in as root and create this file: /etc/udev/rules.d/51-android.rules.

- Use this format to add each vendor to the file:
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", GROUP="plugdev"

- In this example, the vendor ID is for HTC. The MODE assignment specifies read/write permissions, and GROUP defines which Unix group owns the device node.

- Note: The rule syntax may vary slightly depending on your environment. Consult the udev documentation for your system as needed. For an overview of rule syntax, see this guide to writing udev rules.

- Now execute:
chmod a+r /etc/udev/rules.d/51-android.rules

Samsung: resetting the flash counter:

The flash counter and triangle state had to be stored somewhere. Everybody knew that. Guesses have been made in the past where it could be, and I have personally compared the raw flash disk contents between different amount of custom flashes in the past, unable to find any differences. You can dump and compare the entire /dev/block/mmcblk0 and you won’t find a difference (you’ll find a few unallocated and unused gaps, though).

The solution comes with the new kernel used by ICS builds. The flash disk actually has two hidden boot partitions, /dev/block/mmcblk0boot0 and /dev/block/mmcblk0boot1. The MMC driver in the kernels used for Gingerbread did not present these partitions in the past, the MMC driver in the ICS kernel does.

Teamhacksung members said something about having found the location, so I retried locating the position on ICS. Until recently I had always run the KH4 Gingerbread build because until the LPB ICS build USB host was not properly supported on ICS, and I need that for other apps I make. It’s really easy to find now on ICS. Dump and compare the partitions and you’ll have found them in no time. I’ve already done it, so here is the information.

Structure /dev/block/mmcblk0boot0 @ 0x00020000:

0x00020000 header magic: 32bit – 0x12340011
0x00020004 flash count: 16bit
0x00020006 future: 16bit – 0x0000
0x00020008 type: 16bit – 0x0000 unknown, 0x0001 custom (triangle), 0x0002 Samsung Official
0x0002000A name: max 16 chars
0x0002001A end: 16bit – 0x0000

The boot partitions are presented as readonly by default, but allowing modification is a simple matter of executing the following before writing the data:

echo 0 > /sys/block/mmcblk0boot0/force_ro

That should give you all the information you need to replicate this. A number of bytes trailing this structure also change between flashes and appear to be checksum related.

As stated above, this isn’t easily doable on Gingerbread. That is also why this currently does not work on the SGNote. When ICS is released for the SGNote it’ll probably be compatible out of the box, or trivial to make it compatible. I say on Gingerbread it is not easily doable, but it is not impossible. If you put a lot of effort into it, you can probably talk to the MMC device directly and modify these partitions, I personally don’t feel it is worth the effort for Gingerbread, as (at the time of this writing) official ICS firmwares should be available for both the SGS2 as well as the SGNote very shortly.

Update 16.02.2012: Users have confirmed TriangleAway works on the I9220 SGNote ICS leak !
Update 13.05.2012: TriangleAway does *not* work on the latest official SGNote ICS firmwares. There will be a fixed version soon, but it has to wait for my Note to return from repairs, else I cannot test it 
Update 04.06.2012: v1.50 should work with the I9220 and N7000 SGNote’s again

#!/sbin/busybox sh
/sbin/busybox mount -t rootfs -o remount,rw rootfs
/sbin/symlink
/sbin/busybox mount -t ext4 /dev/block/mmcblk0p12 /cache
cat /cache/recovery/triangleaway > /triangleaway
chmod 755 /triangleaway
/triangleaway --ui --n7100
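
A read-only parser for the record layout listed above, for checking a saved dump of mmcblk0boot0 during device triage. This is an added example, not Chainfire's or TriangleAway's code; it assumes little-endian fields (the notes do not state the byte order), and it runs on a constructed sample image, not a real dump.

```python
import struct
from dataclasses import dataclass

RECORD_OFFSET = 0x00020000   # record offset given in the notes
HEADER_MAGIC = 0x12340011    # header magic given in the notes
# Assumption: little-endian fields; the notes do not state the byte order.
# Layout: magic(32) count(16) future(16) type(16) name[16] end(16) = 28 bytes
RECORD = struct.Struct("<IHHH16sH")
TYPE_NAMES = {0x0000: "unknown", 0x0001: "custom (triangle)",
              0x0002: "Samsung Official"}


@dataclass
class FlashRecord:
    flash_count: int
    future: int
    type_code: int
    type_name: str
    name: str
    end: int

    @property
    def modified(self) -> bool:
        # Triage heuristic (an assumption of this example): a non-zero
        # counter or the "custom" type indicates non-stock flashing.
        return self.flash_count > 0 or self.type_code == 0x0001


def parse_flash_record(image: bytes, offset: int = RECORD_OFFSET) -> FlashRecord:
    """Parse the record from a raw dump; the trailing checksum-like bytes
    mentioned in the notes are not interpreted."""
    if len(image) < offset + RECORD.size:
        raise ValueError("dump too short to contain the record")
    magic, count, future, type_code, raw, end = RECORD.unpack_from(image, offset)
    if magic != HEADER_MAGIC:
        raise ValueError(f"bad header magic 0x{magic:08x}")
    name = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    type_name = TYPE_NAMES.get(type_code, f"undocumented 0x{type_code:04x}")
    return FlashRecord(count, future, type_code, type_name, name, end)


def build_sample_dump(count: int, type_code: int, name: bytes) -> bytes:
    """Constructed image: zero padding up to the offset, then one record."""
    record = RECORD.pack(HEADER_MAGIC, count, 0, type_code, name, 0)
    return bytes(RECORD_OFFSET) + record + bytes(64)


if __name__ == "__main__":
    rec = parse_flash_record(build_sample_dump(3, 0x0001, b"Custom"))
    print(rec, "modified:", rec.modified)
```
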

Enabling USB debugging by default in boot:

Edit build.prop

ro.secure=1
ro.debuggable=1
persist.sys.usb.config=adb
persist.service.adb.enable=1

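Linux: using awk to get a particular line or column of a text file

1. Print the first column (field) of a file: awk '{print $1}' filename
2. Print the first two columns (fields) of a file: awk '{print $1,$2}' filename
3. Print the first column, then the second column: awk '{print $1 $2}' filename
4. Print the total number of lines in a text file: awk 'END{print NR}' filename
5. Print the first line of a text file: awk 'NR==1{print}' filename
6. Print the first column of the second line: sed -n '2p' filename | awk '{print $1}'

pm list packages -f: shows the location and package name of installed APKs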

Capturing network traffic on Android with tcpdump:

adb shell
chmod 6755 /data/local/tmp/tcpdump
cd /data/local/tmp
./tcpdump -p -vv -s 0 -w /sdcard/capture.pcap

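Root privileges are required; the pcap file can be viewed in Wireshark.

Region codes:

CTC: China Telecom models; CHM: China Mobile models; CHN: China Unicom models; TGY: Hong Kong models; BRI/WAN: Taiwan models; SPR/VZW: US-version Telecom models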

 

Changing the default Android browser:

Edit /data/system/users/0/package-restrictions.xml (file mode 660). The example below sets QQ Browser as the default browser:

</pkg>
<pkg name="com.android.musicfx">
<enabled-components>
<item name="com.android.musicfx.ControlPanelReceiver" />
</enabled-components>
</pkg>
<pkg name="com.tencent.mtt" enabled="1" />
<pkg name="com.sec.android.preloadinstaller">
<disabled-components>
<item name="com.sec.android.preloadinstaller.SN00000000.PreloadInstallerActivity" />
</disabled-components>
</pkg>
<preferred-activities>
<item name="com.tencent.mtt/.MainActivity" match="200000" set="5">

######### To make Baidu Browser the default, change that line to the following; set="5" means the device currently has 5 browsers:

<item name="com.baidu.browser.apps/com.baidu.browser.framework.BdBrowserActivity" match="200000" set="5">

<set name="com.baidu.browser.apps/com.baidu.browser.framework.BdBrowserActivity" />
<set name="com.baidu.searchbox_sj/com.baidu.searchbox.BoxBrowserActivity" />
<set name="com.sec.android.app.sbrowser/.SBrowserMainActivity" />
<set name="com.main.apps/.browser.BrowserActivity" />
<set name="com.tencent.mtt/.MainActivity" />
<filter>
<action name="android.intent.action.VIEW" />
<cat name="android.intent.category.DEFAULT" />
<scheme name="http" />
</filter>
</item>
<item name="com.sec.android.app.launcher/com.android.launcher2.Launcher" match="100000" set="2">
<set name="com.sec.android.app.easylauncher/.Launcher" />
<set name="com.sec.android.app.launcher/com.android.launcher2.Launcher" />
<filter>
<action name="android.intent.action.MAIN" />
<cat name="android.intent.category.HOME" />

 

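Exiting factory mode on the Coolpad Dashen (the Coolpad 7295c uses the same method):

adb shell fctest system reboot
The system reboots.
1. Enter *#9527*# in the dialer to enter factory mode.
2. Tap "DM flag" (in engineering mode, the R&D-only password for the DM flag is 54321) and press Set to confirm.
3. Reboot the phone; the "factorymode" text is gone.
The actual cause of the problem is that you opened factory mode and tested the phone, but there was no result marking the DM flag as completed.

Exiting factory mode on the 8702:
Flash the official package
adb reboot recovery
wipe data
wipe cache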

 

Setting SELinux to Permissive

echo 0 > /sys/fs/selinux/enforce
getenforce

 

Coolpad 8702: the wifi module will not turn on:

mount -o remount,rw /system
rm /system/lib/modules/wlan.ko

ln -s /system/lib/modules/pronto/pronto_wlan.ko /system/lib/modules/wlan.ko

mount -o remount,ro /system
exit

 

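Batch file that unpacks every apk in a folder

@echo off
rem Usage: pass the folder containing the apk files as the first argument
set "workPath=%~1"
rem Decode each apk into <folder>\<apk name>_d with the apktool.jar next to this script
for %%i in ("%workPath%\*.apk") do java -jar "%~dp0apktool.jar" d -f "%%i" -o "%workPath%\%%~ni_d"
pause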

 

Changing the language on HTC

The matching .xml under /system/etc/cid/

or

system/customize/CID/default.xml

 

Spreadtrum signing tool:

sprd_secure_boot_tool

Link: http://pan.baidu.com/s/1c1QM3pI Password: 62bz