FlashingEZX

From Moto4Lin

Flashing Motorola EZX phones

There is a way to flash Motorola EZX phones (E680, E680i, A780) from a Linux machine. The tools can be downloaded here:

http://inhex.net/dion/ezxflash.tar.bz2

Currently it is only possible to flash the EZX part of the phone. Flashing the LTE part is not implemented yet.

The archive contains several tools for flashing and modifying firmware:

unshx - extract all codegroups from an SHX file.
uncg35 - parse a CG35 codegroup and extract the cramfs from it.
gencg35 - recreate a CG35 codegroup from a cramfs image.
fixloader - fix the loader at a0200000 and write the correct list of codegroups to erase.
parseheader - parse the SHX header and dump some info from it.
p2kmoto - library for accessing Motorola phones from Linux.
ezxflash - the flasher.

Compiling

1. Build the p2kmoto library. It uses automake, so it should be easy (./configure, make, make install). You may need to install libusb-dev (at least on Ubuntu or Debian).

2. Build ezxflash. Qt4 is required (libqt4-dev on Ubuntu or Debian). It uses qmake, so run:

qmake
make

3. Build the other utils: just launch ./build.

Flashing phone

1. Copy the SHX file to the directory with the tools.

2. Use unshx to extract all codegroups from the firmware:

dion@debian:~/tmp/ezxflash% unshx/unshx firmware.shx

This will generate a lot of .bin files; each filename is the address where that file will be flashed. Another generated file is list.txt, which contains the addresses of all codegroups.

3. Now it is possible to edit codegroups or replace some of them with modified ones. The parseheader tool shows the addresses of all codegroups:

dion@debian:~/tmp/ezxflash% parseheader/parseheader firmware.shx
Codegroups: 15

T    N R  PR Start    End            Size Jump     ???      ?  C1 A  C2 ?  Ver    CRC  ??
00   0 03 23 a0200000 a023c0a3     245924 00000000 00000000 00 0d 02 02 03 00ff00 0209 0000
00   0 00 25 03fd0000 03fefff7     131064 00f8fe03 b17219e9 00 0c 02 02 03 00ff00 02f4 0000
00   0 01 25 10080000 100800c7        200 e7180810 000000b1 00 0c 02 02 06 ffff0d b001 0000
00   1 01 25 100800c8 102defd7    2486032 e7180810 000000b1 01 0c 02 02 06 ffff0d b058 0000
00   3 01 25 10040000 10046aaf      27312 e7180810 000000b1 01 0c 02 02 06 ffff0d b0f7 0000
00   2 01 25 10390000 103fffff     458752 00002800 4ca494ba 00 0c 02 02 02 00ff00 0254 0800
00  18 01 25 10310000 103107ff       2048 10003110 000000b1 00 0c 02 02 02 00ff00 022d 0000
00  38 03 23 08c00000 0a799077   28938360 00000000 00000000 00 0d 02 02 02 00ff00 02c3 0000
00  32 03 23 00020000 000f5f6f     876400 00000000 00000000 00 0d 02 02 02 00ff00 02ca 0000
00  33 03 23 00120000 0190bfff   25083904 00000000 00000000 00 0d 02 02 02 00ff00 02a7 0000
00  34 03 23 01a00000 01f7ffff    5767168 00000000 00000000 00 0d 02 02 02 00ff00 0252 0000
00  35 03 23 08000000 08b2724f   11694672 00000000 00000000 00 0d 02 02 02 00ff00 02e6 0000
00  37 03 23 01fc0000 01fdffff     131072 00000000 00000000 00 0d 02 02 02 00ff00 02e8 0000
00  36 03 23 01fa0000 01fa5fff      24576 00000000 00000000 00 0d 02 02 02 00ff00 025f 0000
00  39 03 23 01fe0000 01fe00c3        196 00000000 00000000 00 0d 02 02 02 00ff00 023d 0000

N - codegroup number, Start - start address, End - end address, Size - size in bytes.

Also, if a codegroup was not modified, it can be removed so that it will not be flashed, which saves some time and battery. After removing the file with the CG, don't forget to remove the CG from list.txt as well.

4. Run fixloader. This tool modifies the loader at a0200000: it checks that all codegroups have the correct size and writes this size to the loader. It also removes the information about removed CGs from the loader:

dion@debian:~/tmp/ezxflash% fixloader/fixloader
Will erase 13 CG's
Boot loader: a0200000
CG at 03fd0000 not found. Possible LTE CG. Ignored
CG at 10080000 not found. Possible LTE CG. Ignored
CG at 10040000 not found. Possible LTE CG. Ignored
CG at 10390000 not found. Possible LTE CG. Ignored
CG at 10310000 not found. Possible LTE CG. Ignored
38 08c00000 0a799077 08c00000 0bffffff
32 00020000 000f5f6f 00020000 0011ffff
33 00120000 0190bfff 00120000 019fffff
34 01a00000 01f7ffff 01a00000 01f9ffff
35 08000000 08b2724f 08000000 08bfffff
37 01fc0000 01fdffff 01fc0000 01fdffff
36 01fa0000 01fa5fff 01fa0000 01fbffff
39 01fe0000 01fe00c3 01fe0000 01ffffff

This tool generates list_ezx.txt, a list of all EZX codegroups which will be flashed.

5. Flash the phone. Launch the ezxflash tool. It can flash the phone, send some commands to it, send the loader, and a few other things.

Power on the phone by pressing the Camera, Volume- and Power buttons. A blue screen should appear, and the program should detect the phone. Click the correct device in the device list and press "Use device". After this, press the "Flash" button and locate the file list_ezx.txt.

DON'T TRY TO USE list.txt. It also contains the LTE codegroups, which cannot be flashed yet. The battery should be fully charged before flashing.

During flashing there will be one device re-enumeration: the phone disappears for a moment and then appears again. This is normal. After flashing, the phone will be turned off.

Modifying some codegroups

Currently it is possible to modify the following codegroups:

CG33 - root filesystem of the phone. Mounted at /
CG35 - something like a language pack. Mounted at /usr/language
CG36 - some configs. Mounted at /usr/setup

CG33 and CG36 are regular cramfs images. CG35 is cramfs too, but with some strange headers, and after each 1024 bytes of data there are 8 extra bytes containing numbers. To modify CG35 it must first be converted (extra bytes and header removed); this can be done with the uncg35 tool.
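As an added example (not the uncg35 tool itself), the following recovers the plain cramfs from a CG35 image by dropping the 8 extra bytes after each 1024-byte block and checking the cramfs superblock. The length of the CG35 header and the meaning of the 8 bytes are not documented here, so the code locates the cramfs magic instead of assuming a header size, and the sample data is constructed.

```python
import struct

CRAMFS_MAGIC = 0x28cd3d45               # cramfs superblock magic at offset 0 (little-endian on ARM EZX)
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # fixed text at superblock offset 16
BLOCK, EXTRA = 1024, 8                  # "after each 1024 bytes of data there are 8 extra bytes"

def strip_cg35(cg35):
    """Recover the plain cramfs image from a CG35 codegroup, as uncg35 is described to do.
    Assumed (the page does not say): the extra header comes first and holds no cramfs magic,
    and the 1024+8 pattern starts at the cramfs superblock."""
    start = cg35.find(struct.pack("<I", CRAMFS_MAGIC))
    if start < 0:
        raise ValueError("no cramfs superblock found in CG35 image")
    body = cg35[start:]
    # Keep the first 1024 bytes of every 1032-byte stride; the 8 extra bytes are dropped.
    out = b"".join(body[o:o + BLOCK] for o in range(0, len(body), BLOCK + EXTRA))
    if len(out) < 32 or out[16:32] != CRAMFS_SIGNATURE:
        raise ValueError("cramfs signature missing after stripping; layout assumption wrong?")
    size = struct.unpack_from("<I", out, 4)[0]      # superblock size field
    if size > len(out):
        raise ValueError(f"superblock claims {size} bytes but only {len(out)} recovered")
    return out[:size]      # the size field trims the extra bytes left after a partial last block

def make_sample_cg35(image_len=2600, header=b"\xaa" * 20):
    """Constructed test data only: a fake cramfs superblock plus filler, wrapped in an invented
    20-byte header and 8 counter bytes after each 1024-byte block (not the real CG35 words)."""
    sb = struct.pack("<IIII", CRAMFS_MAGIC, image_len, 0, 0) + CRAMFS_SIGNATURE
    image = (sb + bytes(range(256)) * 16)[:image_len]
    blocks = [image[o:o + BLOCK] for o in range(0, len(image), BLOCK)]
    cg35 = header + b"".join(b + struct.pack("<II", i, len(b)) for i, b in enumerate(blocks))
    return cg35, image
```

The recovered image can then be mounted with the loop mount described in the cramfs section below; if the signature check fails, the layout assumptions above do not hold for that firmware.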

After modifying, it is possible to flash only the modified CG. To do so, a file "list.txt" should be created containing the following lines (without the comments):

a0200000 - Ram loader
00120000 - File with codegroup

a0200000 is the RAM loader; it can be taken from any EZX firmware. 00120000 is the file with the codegroup; the filename is the start address of this file in phone memory. Use parseheader on any full-flash firmware to get the addresses of all codegroups, or use the table above (for E680/E680i only).

After this, fixloader should be run. It fixes the codegroup addresses in the RAM loader and creates list_ezx.txt, which can then be opened with ezxflash to flash the phone.
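The rules for list.txt from the flashing steps above and from this section (filenames are start addresses, the RAM loader a0200000 must be present, LTE codegroups must not be listed) can be checked before anything is handed to fixloader or ezxflash. This is an added example, not part of the ezxflash package: it parses a parseheader dump and a list.txt and reports problems; the LTE address set is taken from the fixloader run shown above and the header excerpt is copied from the table on this page.

```python
import re
# Excerpt of the parseheader table shown above (an E680 firmware); the full table parses the same way.
HEADER_DUMP = """\
T    N R  PR Start    End            Size Jump     ???      ?  C1 A  C2 ?  Ver    CRC  ??
00   0 03 23 a0200000 a023c0a3     245924 00000000 00000000 00 0d 02 02 03 00ff00 0209 0000
00   0 00 25 03fd0000 03fefff7     131064 00f8fe03 b17219e9 00 0c 02 02 03 00ff00 02f4 0000
00  33 03 23 00120000 0190bfff   25083904 00000000 00000000 00 0d 02 02 02 00ff00 02a7 0000
00  36 03 23 01fa0000 01fa5fff      24576 00000000 00000000 00 0d 02 02 02 00ff00 025f 0000
"""
RAM_LOADER = 0xa0200000   # RAM loader address, as used on this page
# Addresses fixloader reported as "Possible LTE CG" in the run shown above
LTE_ADDRS = {0x03fd0000, 0x10080000, 0x10040000, 0x10390000, 0x10310000}

def parse_header_dump(text):
    """Map start address -> (N, end, size) from parseheader output; other columns are ignored."""
    groups = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and re.fullmatch(r"[0-9a-f]{8}", f[4]):   # skips the column header row
            groups[int(f[4], 16)] = (int(f[1]), int(f[5], 16), int(f[6]))
    return groups

def check_list(list_txt, header_dump=HEADER_DUMP):
    """Return the problems found in a list.txt; an empty list means it is safe to give to fixloader."""
    groups, problems, seen = parse_header_dump(header_dump), [], set()
    for lineno, raw in enumerate(list_txt.splitlines(), 1):
        tok = raw.split("-")[0].strip()      # tolerate the "address - comment" form shown above
        if not tok:
            continue
        if not re.fullmatch(r"[0-9a-fA-F]{8}", tok):
            problems.append(f"line {lineno}: {tok!r} is not an 8-digit hex address")
            continue
        addr = int(tok, 16)
        seen.add(addr)
        if addr in LTE_ADDRS:
            problems.append(f"line {lineno}: {tok} is an LTE codegroup and cannot be flashed yet")
        elif addr not in groups:
            problems.append(f"line {lineno}: {tok} is not a codegroup start address in the header dump")
    if RAM_LOADER not in seen:
        problems.append("RAM loader a0200000 is missing; fixloader needs it")
    # Sanity-check the dump itself: Size must equal End - Start + 1 and ranges must not overlap.
    prev_end = -1
    for start, (n, end, size) in sorted(groups.items()):
        if end - start + 1 != size:
            problems.append(f"CG{n}: Size {size} does not match End-Start+1 ({end - start + 1})")
        if start <= prev_end:
            problems.append(f"CG{n}: address range overlaps the previous codegroup")
        prev_end = end
    return problems
```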

Warning: CG35 is not a regular cramfs. After extracting the cramfs with uncg35 and editing it, gencg35 must be run to add the required headers and extra bytes. There is another way to flash CG35 only, without using gencg35: copy the modified cramfs (the cramfs ONLY, without any extra headers or bytes) to the phone memory or to the SD/MMC card, then execute the following command in the phone shell:

dd if=/mmc/mmca1/file_with_cg35 of=/dev/tffsa

After this the phone should be rebooted.

Editing cramfs filesystem

cramfs is a compressed read-only filesystem, so it can't be edited directly. It is possible to mount it:

mkdir /tmp/cramfs
mount file_with_cramfs_filesystem /tmp/cramfs -o loop

After this, all files from /tmp/cramfs should be copied to a filesystem with read-write access (for example to $HOME). Then the copy of the filesystem can be edited. Afterwards the cramfs can be recreated using mkcramfs (from the cramfsprogs Debian package, or its equivalent on other distros):

mkcramfs directory filename

directory - the directory whose files should be compressed into the cramfs; filename - the filename of the cramfs to create.

Warning: I recommend doing all cramfs editing as root, because almost all files on the Motorola cramfs are owned by root. Otherwise ownership and permissions will be lost, because a normal user is unable to create files owned by root.
