# Fooling around in reversing SBF-land and other things...



## Goose306 (Sep 12, 2011)

Below information is a bit scatter-brained, so bear with me:

So, rather than crowding the Blur-ROM thread with discussion about this, I figured I would make a new thread. I'm attempting at this point to do a few things with this .621 update and the issues it's caused, i.e. working on a more permanent and, if possible, more elegant solution to the no-root on .621 and Milestone X SBF thing we are doing now, because for blur-based ROMs it is causing some issues, and there is some other stuff I'm interested in doing (more so for my personal sake, but I'll get to that in a second).

So, with that being said, there are a few things I want to look at doing:

Compiling the .621 kernel. There are a few ways to do this (feasibly, although not all may end up being possible):

Getting source from Moto. They did release source of .605 on SourceForge, but .605 wasn't put up until Oct/Nov of last year, so it's clearly delayed. I PM'd the project manager there, no response as of yet.

The Droid X sourceforge page is here: https://sourceforge....%20Source%20GB/

Decompiling the update.zip. The update .zip does have the new kernel in .img format as well as the new radio (both of which I'd like to see about tearing out of there and fooling around with); however, they are encrypted. May be able to decrypt, dunno. Did do some fooling around with it, flashing the kernel boot.img file using CWM; did get through the boot logo, but once it got to the boot animation it panicked and threw me into the bootloader. Need a bit more work here (if possible).

The update.zip is loaded in my Dropbox:
http://dl.dropbox.co...rizon.en.US.zip

Finally, the third option I see as feasible is decompiling the SBF file. I've managed to get the file decompiled into its baseline CG files and RDL, MBN files. I'm working on unsquashing the CG files, but I need some help. Specifically, for me to open the MBN files in assembly, I need to find a tool called MBN-Resourcer. I've found references (spotty) around the interwebs, but no actual tool. If anyone could find such a tool, it would be invaluable for me to get started trying to decompile the MBN files.

For this, since it contains a lot of various code, etc. that would see active changes, I'm looking at setting up a git repo so people can pull if they want to open/modify files. I'll post up here when/if that occurs.

Github: https://github.com/G...ID-X-621-UPDATE

Currently this is just the decompiled SBF files. I'm running an open CG39 in a VM right now, but can't decompile it further at the moment.

If you want to know how to decompile/recompile SBF files and CG, read below:

[hide='Decompile SBF']

To decompile an SBF you will need a special tool made by Skrilax_CZ (an old-school Moto modder)

http://and-developers.com/sbf

This is the safest site I've found that has the program, lots of others were redirecting me to trojan sites/etc. This one all checked out and so did the file, so don't worry 

You can use either SBF-Recalc or SBF / MBN Depacker. The Depacker is a more recent tool, so that's what I prefer.

Opening the SBF file, you can either export the files separately or you can convert smg files (those are the CG files) to shx. I haven't tried that as much; I've been working on just depacking the smg files. This will drop everything from the SBF into the parent directory, including the header file which contains the keys needed for authentication (this means you can feasibly recompile the SBF and it should be flashable; it was exploitable on the Cliq and some other Moto/Android phones which had a locked BL, as long as you were not modifying the ramdisk partitions).

Once you've decompiled you can do some things. XMLs are obviously editable. Be careful what programs you attempt to open these files with, as it can destroy header information, rendering them potentially useless without rebuilding headers (which we can't do without the private keys needed).

For unsquashing the smg files, you can attempt a few different methods.

One way is to use a Linux terminal and a custom unsquash program to decompile. Info is found here:

http://www.mmus.us/f...read.php?t=7355

http://www.mmus.us/f...read.php?t=7340

The other method is that some file systems, since they are native Android/Linux systems, can be mounted as a loopback in a Linux terminal. This is particularly useful for CG39, as it is the Android system. See reference posting here:

http://forum.xda-dev...d.php?t=1250326
[/hide]

Once the files needed are derived from the SBF, we could then either resquash the smg file and attempt an SBF recompile and flash (since we would be retaining header information; again, this has been done on locked devices prior), but extreme caution must be taken, as incorrect info in RDL files or similar could feasibly trip the eFuse and cause a hard brick! It feasibly would probably not even work, but it may be worth a try.

A safer route would be to attempt to pull out the needed files (kernel/radio) and build flashables as needed. By using the write_raw_data command in the updater-script (either in the ROM or a secondary flashable) we are able to apply kernel updates (we just can't touch the ramdisk). This is fine for our purposes. The .604 Milestone X kernel and the .621 Droid X kernel *should* be swappable without modifying ramdisk data (this was previously done on the blur-based GB ROMs containing a kernel update).

So, enough about the kernel, now to the radio.

I should be able to pull that from the update .zip and make a fresh flashable. What that means is feasibly we may be able to get people on .602/.605 the fresh radio and its advantages. You would need to SBF to Froyo, flash the radio in CWM, then Linux sbf_flash to .602/.605 (using RSD Lite will overwrite the radio image, which is what we are trying to preserve here). I should be able to pull out and compile a flashable .zip for the 15p baseband; I will need a guinea pig though. I'm currently on .621/.604 so I can't revert to Froyo to do this. If anyone is interested in testing this, please post below. Note this process *should* be safe, but I am in no way guaranteeing it. I'm just going to pull out the bp.img from the update .zip and insert it into one of the other baseband folders, recompile, update the updater-script, sign and pass it off. It should be just as safe as any other radio, but it's untested waters, folks.


----------



## Goose306 (Sep 12, 2011)

Secondary Information, Downloads, etc.

*.15p Baseband Updater zip*
http://www.mediafire...nzhqye4sajcdprb
*MD5:* 49F5C6E7FA3CB6921E9913CD4C1C8CD3

This is untested, so flash at your own risk. Being as it doesn't have the new boot partition, you should be safe to revert back if all else fails, but I need a guinea pig (I can't do it, unfortunately, as I'm already on 15p). For this to work properly you will have to SBF down to .340 Froyo, apply the .zip in CWM, and then, if you want to go back to GB, you will need to Linux sbf_flash to .605 to not replace the new radio. If that works as intended you should be able to get all the benefits of the new 15p radio without being stuck on .621. Let me know if there are any issues with the flash. You will probably need to activate after the flash (*228).


----------



## ShawnDx (Aug 22, 2011)

Right on Goose, really appreciate all the time and effort you have put in on this issue. I'd love to be a guinea pig and flash that radio, but since I can only SBF to 604 or 621 I guess that really doesn't help. But if there is anything I can do to help please let me know. Since I don't have service on my DX now, bricking it is a non-issue.

Thanks again, and please let me know if there is something I can do to help the community.

Sent via carrier pigeon using RootzWiki


----------



## brandoncampbell (Aug 26, 2011)

Goose306 said:


> Secondary Information, Downloads, etc.
> 
> *.15p Baseband Updater zip*
> http://www.mediafire...nzhqye4sajcdprb
> ...


Was hoping it would work, but it didn't.
Error msg:

```
assert failed: motorola.update_cdma_bp("/tmp/rdl.bin", "/tmp/bp.img")
E:Error in /sdcard/Download/1.09.15p_baseband_updater-signed.zip
(Status 7)
Installation aborted.
```

As a note: I SBF'd to Froyo, installed z4root and Droid X Bootstrap.


----------



## paspeed (Jan 28, 2012)

If it is like the .13 updater, you need to be on a 2nd init froyo rom like cm4dx.


----------



## Goose306 (Sep 12, 2011)

brandoncampbell said:


> was hoping it would work but it didn't..
> error msg
> assert failed: motorola.update_cdma_bp("/tmp/rdl.bin", "/tmp/bp.img")
> E:Error in /sdcard/Download/1.09.15p_baseband_updater-signed.zip
> ...


Thanks for the feedback. I just had to rebuild my build environment due to a system crash; I'll look into my signing and see if it's correct.

Sent from my unthrottled 4.0.4 GummyX!


----------



## paspeed (Jan 28, 2012)

I just tried installing the .15p update zip on Froyo-kernel CM7 and no luck.


----------



## Goose306 (Sep 12, 2011)

Tore into the old baseband updaters and it appears they were using Moto signing; they have the same RDL files for all of them. So I rebuilt without resigning (just using 7zip to drag and drop so the signing wouldn't get broken), so it is still signed with the Moto keys. If it'll work in the traditional sense, this will be it. If it won't, well, something about the new radio doesn't allow it to be flashed the traditional way. Try it now:

http://www.mediafire...42o7ihwkw363qgs

*MD5:* C069B2C427A889920DAABDFE0BFA39E9

EDIT: Savagerun @ DXF tested and failed.

Moto did something else that's not allowing this radio to be flashable, it appears. Going to look a bit further.
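The post above describes rebuilding an updater zip by dragging files into an existing archive so that the original signature is kept. Stock Android recovery does not check the META-INF files on their own; it checks a whole-file signature that signapk appends inside the zip's archive comment, and the signed region is the entire archive body up to the comment-length field. The script below is an added example, written for this thread and not code from the original posts: it parses that footer (the last six bytes of the comment are `sig_start`, `0xFFFF`, `comment_size`, as read by Android's RecoverySystem.verifyPackage), reports the bytes the signature covers, and shows that copying the entries into a fresh archive leaves no footer behind. The sample package it builds is constructed for the demonstration: the entry names follow the ones in the error message earlier in the thread, but the contents and the "signature" bytes are placeholders, and the script only locates the signature block, it does not verify it against any key. It says nothing about the `update_cdma_bp` assert, which is an updater-script check rather than a signature check.

```python
"""Inspect a flashable update.zip for the Android whole-file signature footer.

Footer layout (last 6 bytes of the archive, at the tail of the zip comment):
    [sig_start LE16] [0xFF 0xFF] [comment_size LE16]
The PKCS#7 block starts sig_start bytes from the end of the file and is
(sig_start - 6) bytes long; the signed region is data[0 : len - comment_size - 2],
i.e. everything except the comment-length field and the comment itself.
"""
import hashlib
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
FOOTER = struct.Struct("<HHH")  # sig_start, 0xFFFF marker, comment_size


def whole_file_signature(data: bytes):
    """Return footer details if `data` carries a whole-file signature, else None.

    Only locates the block and the covered region; no key material is checked."""
    if len(data) < 22 + 6:
        return None
    sig_start, marker, comment_size = FOOTER.unpack(data[-6:])
    if marker != 0xFFFF:
        return None
    eocd_off = len(data) - (comment_size + 22)
    if eocd_off < 0 or data[eocd_off:eocd_off + 4] != EOCD_MAGIC:
        return None
    # The EOCD's own comment-length field must agree with the footer.
    (eocd_comment_len,) = struct.unpack_from("<H", data, eocd_off + 20)
    if eocd_comment_len != comment_size or not 6 <= sig_start <= comment_size:
        return None
    signed_end = len(data) - comment_size - 2
    return {
        "comment_size": comment_size,
        "signature_start": sig_start,
        "signature": data[len(data) - sig_start:len(data) - 6],
        # SHA-1 is what the Gingerbread-era verifier hashed over this region.
        "signed_sha1": hashlib.sha1(data[:signed_end]).hexdigest(),
    }


def entries(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def repack(data: bytes) -> bytes:
    """Copy every entry into a new archive, as an archiver rebuild does.

    The central directory is rewritten and the archive comment is not carried
    over, so whatever signature the original carried is gone."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a download against the MD5 posted alongside it (case-insensitive)."""
    return md5_hex(data) == expected_hex.lower()


def build_constructed_package() -> bytes:
    """Constructed sample: a tiny updater-shaped zip with a fake signature footer.

    Entry names mirror the thread's error message; contents are placeholders and
    the 'signature' is not a real PKCS#7 block."""
    message = b"signed by SignApk"
    fake_sig = b"\x30\x82" + b"\xaa" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/com/google/android/updater-script",
                    'assert(motorola.update_cdma_bp("/tmp/rdl.bin", "/tmp/bp.img"));\n')
        zf.writestr("rdl.bin", b"RDL placeholder")
        zf.writestr("bp.img", b"BP placeholder")
        total = len(message) + 1 + len(fake_sig) + 6
        sig_start = total - len(message) - 1
        zf.comment = message + b"\0" + fake_sig + FOOTER.pack(sig_start, 0xFFFF, total)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_constructed_package()
    print("entries:", entries(pkg))
    print("original footer:", whole_file_signature(pkg))
    print("after repack:", whole_file_signature(repack(pkg)))
```

Run it against a real package by reading the file into `data` and calling `whole_file_signature(data)`: a stock OTA or baseband updater returns the footer fields, a rebuilt archive returns None. Since the covered region is the whole archive body, any change to an entry, its compression, or the central directory changes `signed_sha1` even when the footer is preserved, which is why copying the original META-INF files into a new zip does not carry the signature over.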


----------



## ky41083 (Sep 25, 2011)

See here: http://rootzwiki.com/topic/2834-radios-all-baseband-updaters/page__st__60#entry637404

You're welcome.


----------



## ky41083 (Sep 25, 2011)

Goose306 said:


> Tore in to the old baseband updaters and it appears they were using Moto signing, have the same RDL files for all of them. So I rebuilt without resigning (just using 7zip to drag and drop so signing wouldn't get broken) so it is still signed with the Moto keys. If it'll work in the traditional sense, this will be it. If it won't, well something about the new radio doesn't allow it to be flashed the traditional way. Try it now:
> 
> http://www.mediafire...42o7ihwkw363qgs
> 
> ...


The issue with the previous 15P update posted was the radio file being used: it was from either the 621 stock update.zip or MotoAndroidDepacker. You need to use the (smaller) one from the SBF and pull it with SBF-Recalc (pulling it with MotoAndroidDepacker gives you a (larger) image similar to the one in the 621 stock update.zip). Also, the certs I think are from the 1.09.13P baseband update; not sure whether that matters or not, but I used the certs from the 621 stock update.zip.


----------

