[PROJECT][DEVS]Bringing rmnet to LK


[PROJECT][DEVS]Bringing rmnet to LK

Postby symbuzzer » Sat Nov 02, 2013 10:19 pm

Hi dear friends. A big part of us wants to use Black LK, I think. It has superb features like built-in recovery, on-device partitioning, off mode charging, boot reasons, fastboot bridge, torch etc... But it hasn't rmnet, which is a more stable data connection protocol than ppp. So we must use magldr for this reason, in my opinion.

I say again; I am not a developer, coder, hacker etc... I am only a basic user. But I am trying to find a way for this. So I tried to understand amagldr, 2.08.hspl and 2.15.50.14 radio architecture. And I created my own HSPL with an exploit for replacing itself. I learned spl commands, itsutils.dll utilities etc... for dumping/writing memory etc... But I couldn't enable rmnet on LK, because I don't know arm disassembly, what the kernel needs from spl/radio/lk for rmnet etc...

At the moment, maybe this is a dead project, I don't know. But I believe there are power users who can do this and who still use the legendary Leo. And I created this topic for finding these users and bringing them together. So, I am inviting all kernel/rom/recovery developers and LK contributors to this project.

My main goal is "creating an information pool" and trying to develop an rmnet supported LK when we have more knowledge. After that, I will move this topic to the Development forum.

Please write your ideas, opinions, suggestions etc... to this thread freely. I hope we will find a way for this.

I want to say thanks from now.
symbuzzer
Forum Moderator
 
Posts: 320
Joined: Mon Jun 24, 2013 7:05 am
Country: Turkey (tr)
Has thanked: 176 times
Been thanked: 168 times


Re: [PROJECT][DEVS]Bringing rmnet to LK

Postby symbuzzer » Sat Nov 02, 2013 10:31 pm

I am starting first, of course ;)
I have some answers and questions. For example, I have knowledge about dumping and writing memory dynamically (on WinMo), reviving bricked Leos without JTAG (except radio based bricks), nbh, nb, payload, xip.bin, nk.exe extracting/recompiling... These are answers to some questions.

And I have more complex questions than these answers, of course. For example, how can we disassemble spl, radio, magldr (start addresses etc)? What does a kernel want from spl, radio, 2nd bootloader? How can we patch spl and/or radio dynamically? What are the sub-commands of the famous rapitool.exe?

In addition, I can write mortscript scripts for both Windows and WinCE, batch and visual basic scripts and self executables for Windows. Also I can use a hex editor, comparing tools, the IDA disassembler. I can use adb and mtty too.
symbuzzer

THEORY

Postby symbuzzer » Sun Dec 01, 2013 7:34 pm

THEORY:
- We know amagldr patches some parts of Desire HD's radio and spl on every Android boot process.
- We don't know which parts are needed for this patching process to get rmnet to LK at the moment.
- So we should patch the full hboot instead of the spl and the Desire radio instead of the HD2 radio from real memory (NAND & physical memory) to virtual memory (RAM) at the Android boot process.


WHAT DO WE NEED?
1) Comparing sizes of hboot and spl & both of the radios \\ It is needed and easy ;)
2) Writing Desire HD's hboot and radio images to nand (map to real addresses) \\ It is easy for us ;)
3) HD2 memory maps for the patching process \\ It should be easy
4) Modifying LK's source code for patching these from real addresses to virtual addresses \\ I can't. But I have a how-to document for this ;)


WALKTHROUGH:

1) Comparing hboot and spl & radios:
- Desire HD's hboot size 1MB, HD2's spl size 512KB
- Desire HD's radio size 24.3MB, HD2's radio size 23.8MB

2) Writing Desire HD's hboot and radio images to nand (map to real addresses):
- Firstly we can create 2 new partitions on LK which are named hboot (2MB) and radio (25MB). (So we have hboot, radio, misc, recovery, system, data and cache partitions.)
- Finally we will flash these 2 partitions via fastboot or flashable zips as raw data. (This is an easy process.)
- So hboot will be present on blocks 219-224, radio will be present on blocks 225-2ed in real memory.

3) HD2 memory maps for the patching process:
- HD2's spl starts from 0 (to 7ffff) and its size is 524288KB in virtual memory. (We can see this with aMagldr's "memdump 0 524288" mtty command.)
- HD2's radio starts from ? and its size is ? (probably 25034752KB) in virtual memory.
- So we should patch hboot from block 219 to block 21c in real memory to 0 to fffff in virtual memory for hboot patching over spl.
- So we should patch Desire HD's radio from block 225 to block 2ed in real memory to ? to ? in virtual memory for patching the Desire HD radio over the HD2 radio.

4) Modifying LK's source code for patching these from real addresses to virtual addresses:
- I don't know what we should do. But I found a document which describes this procedure in detail. You can see it from: https://www.google.com.tr/url?sa=t&rct= ... 5469,d.d2k
- Also, you can find the latest Black LK's source code from: http://github.com/zeusk/clk


NOTES:
- Here is hd2's spl (not direct flashable): download/file.php?id=45
- hd2's radio (not direct flashable): http://www.dosya.tc/server20/cj3Rig/radio.zip.html
- desire hd's hboot: http://forum.xda-developers.com/attachm ... 1315142029
- desire hd's radio: http://d-h.st/T1X
If I missed anything or made a mistake, please feel free to write your opinion.
For now, we only have 2 problems:
1) Where is the radio ROM present in virtual memory?
2) How can we add a RAM patching feature to LK?
symbuzzer
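Before flashing raw images into newly created partitions, the check a practitioner wants is that each image actually fits its partition and that the block ranges and the virtual target range (0 to fffff for hboot, as the post says) line up. The following is an added example, not code from the thread or from the LK/clk project; the 128 KiB NAND block size, the base block 0x219 and the byte-rounded image sizes are assumptions constructed from the numbers quoted above.

```python
# Added example: sanity-check a proposed partition layout before flashing.
BLOCK_SIZE = 128 * 1024          # assumption: 128 KiB NAND erase blocks
MIB = 1024 * 1024

# Partition sizes proposed in the post (constructed table, in byte units).
PARTITIONS = [("hboot", 2 * MIB), ("radio", 25 * MIB)]

# Image sizes quoted in the post, rounded to bytes (constructed values).
IMAGES = {"hboot": 1 * MIB, "radio": int(24.3 * MIB)}


def ceil_blocks(size, block_size=BLOCK_SIZE):
    """Number of whole blocks needed to hold `size` bytes."""
    return -(-size // block_size)


def layout(partitions, base_block, block_size=BLOCK_SIZE):
    """Map consecutive partitions to {name: (first_block, last_block)}."""
    result, cur = {}, base_block
    for name, size in partitions:
        n = ceil_blocks(size, block_size)
        result[name] = (cur, cur + n - 1)
        cur += n
    return result


def check_fit(images, partitions):
    """Return (name, image_size, partition_size, fits) for each image."""
    sizes = dict(partitions)
    return [(n, img, sizes[n], img <= sizes[n]) for n, img in images.items()]


def patch_descriptor(lay, name, image_len, vaddr_base):
    """Describe the NAND->RAM copy LK would need: (first block, vaddr range).

    The virtual base (0 for hboot in the post) is an assumption supplied by
    the caller; the function only derives the inclusive end address.
    """
    first_block, _ = lay[name]
    return (first_block, vaddr_base, vaddr_base + image_len - 1)


def flash_plan(base_block=0x219):
    """Human-readable summary; refuses to plan if any image is too big."""
    lay = layout(PARTITIONS, base_block)
    fit = check_fit(IMAGES, PARTITIONS)
    if not all(ok for *_, ok in fit):
        return ["ABORT: an image exceeds its partition"]
    return [f"{n}: blocks 0x{f:x}-0x{l:x}" for n, (f, l) in lay.items()]
```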
