Unpacking Q8H / Allwinner A20 A23 .img firmware

Recently I downloaded and modified Q8H firmware.

The one, that was shipped with my tablet was lost in war with CloudsService. I was able to find new firmware on the internet, but unfortunately camera drivers were mismatched.

There are basically two ways of modifying Allwiner A20 / A23 firmware:

  1. Using DragonFace – chinese program created to easily modify some basic aspects of firmware. It loads .img file and allows to add new apps, modify init file and system configuration script. It does not provide explorer-like interface. But unfortunately all ROMs modified (or even saved without modifications) were stuck on Android logo while booting.
  2. http://forum.xda-developers.com/showthread.php?t=1753473 – imgRePacker. This tool did what I expected at first from DragonFace. It unpacked whole image to separate files / partitions. After that, I was able to find files I wanted to modify, and then, using the same tool – pack them into .img file. I had to use \skip while unpacking. I successfully flashed my tablet with image modified with this tool.

Now a few words about img content.

 

All tools used in this article are availible in A23 SDK (http://dl.linux-sunxi.org/SDK/A23-v1.0/unpacked/A23/)

  1. image.cfg is created directly by by imgRePacker to store information about files in image.
  2. sys_partition.fex is text file containing partition information for the device. It is translated using update_mbr or script (this is program name) to:
    1. dlinfo.fex – file used by PhoenixUSB, containing information about partitions and data sources for them (which file to copy where)
    2. sunxi_mbr.fex – file which is used as NAND Master Boot Record
  3. sys_config.fex is a common text configuration file for allwiner devices. It is converted to binary form (config.fex) by fex2bin availible in official linux-sunxi repository on github
  4. boot0_nand_<dev>.bin, boot0_sdcard_<dev>.bin, fes1_<dev>.bin, u-boot_<dev>.bin are stored in SDK in tools/pack/chip/<dev>/bin/. They are ‚updated’ with new config using update_filename tool (also in SDK)
  5. boot.fex, bootloader.fex, env.fex, recovery.fex and system.fex are android partitions. Their checksums are created using FileAddSum tool. Both files and checksums are present in target image. Their names are listed in sys_partition.fex, therefore they are copied to target fs to appropriate partitions.
  6. Diskfs.fex is also present in partition table, but no checksum is availible. Whole file contains of 512 bytes of zeros.
  7. cardscript.fex, cardtool.fex, split_xxxx.fex, usbtool.fex are blobs (cardscript is text) availible in SDK. Both cardtool and usbtool seems to be win32 dlls. split_xxxx.fex remains unknown.
  8. aultls32.fex and aultools.fex are unknown blobs.

If you have any information about unknown files – please do contact me.

Returning to the topic of camera drivers.

To modify camera driver a had to do two things:

  1. Modify loaded drivers in /init.sun8i.rc
  2. Modify sys_config (aka sysconfig1.lhs or script.bin)

I combined method 1 and 2 and found that after modifying sys_config following file are being altered:

  • bootloader.fex – only difference was this string
  • config.fex (this is script.bin) – only difference was this string
  • u-boot.fex – this string + some bytes in first 128 bytes
  • sys_config.fex – this basicly is the config file

Dodaj komentarz

Twój adres email nie zostanie opublikowany. Pola, których wypełnienie jest wymagane, są oznaczone symbolem *