nj528 posted on 2007-2-16 22:16:42

FLASH structure of SE phones - K700 example

===========================================
Fullflash - the complete contents of the phone's memory.
fw (firmware) - software, in common parlance "piercing". Approximately the same as Windows on your PC: it is, strictly speaking, the "operating system" of the phone, with its rakes and omissions, which are, strictly speaking, removed (though new rakes are frequently added in the process!) in subsequent versions of the firmware.
However, there can be pleasant moments, such as the appearance of a modem where it was absent earlier, or faster Java applications. Anything can happen!
Flex - the region of the phone's memory that is the only one accessible to the user, in which all the trifles pleasant to us are stored: pictures, melodies, themes and the like, i.e. user content.
FFS - the complete contents of flex as set at the factory. Flex, by the way, contains not only what the user loads but also files that the phone needs in order to work and that an ordinary user cannot manipulate: for example, the standard and non-removable pictures and melodies, configuration files, certificates, all kinds of specification files, etc.
===========================================
Address space layout of the K700:
CPU is ARM 926, revision 3, architecture 6
Inst Cache Size Is 16.00 kb, 4-way, 32 bytes/line.
Data Cache Size Is 8.00 kb, 4-way, 32 bytes/line.
Physical
Type_______Start________End_________Size(HEX)_____Size(Dec)
RAM1(in)?___0x00000000__0x00004000___0x00004000___16 k
RAM2(in)?_________0x0000B475___0x00002000__________8 k
// Vendor (0x89): Intel
// Device ID: 0x880D
NOR________0x44000000__0x45FFFFFF____0x02000000___32 m
RAM(exit)____0x4C000000__0x4C7FFFFF___0x00800000___8 m
// Vendor (0xEC): Samsung
// Device ID: 0x0035
NAND_______0x50000000__0x51FFFFFF____0x02000000___32 m

Watchdog?/timers?/UART?:
0x14000000
0x14000008
0x4200F4BC
0x4700A000
0x4B000000
0xF6000100
0xF6000200
0xF6000208
0xF6000210
0xF9090002
0xF9090008
0xF900000A
0xF9000014
0xF900001E
0xF9000032
0xF9000036
0xFE004000
0xFE004034
0xF000F000

Logical
BootCore____0x44000000____0x44020000____0x00020000____128 k
Firmware____0x44000000____0x44EFFFFF____0x00f00000______15 m
GDFS_______0x44f00000_____0x44FFFFFF____0x00100000_____1 m
FFS_________0x45000000____0x45FFFFFF____0x01000000_____16 m
FFS_________0x50000000____0x51FFFFFF____0x02000000_____32 m
// YAYAD2DDCH0 - 44F00000 - Free memory
===========================================
1. To begin, we must obtain the FullFlash. For the K700 the size of the Fullflash = 64 megabytes. We download the program SeTool2 from here: http://pappfer.hu/faq/prg/st2.rar or http://www.latronik.ru/temp/speed_.unlock.rar
Next we start the cracked SeTool2 and in the settings set our COM port, speed and phone model.
For the K700 we enter "StartAdress: $44000000" and "Length: $1000000" and press ReadFlash. After this, we save our file under the name 44000000_1000000.bin
Now we again enter "StartAdress: $45000000" and "Length: $1000000" and press ReadFlash. After this, we save our file under the name 45000000_1000000.bin
We repeat the same for the following (it may not download; the SeTool2 loader does not support it):
"StartAdress: $50000000" and "Length: $1000000"
"StartAdress: $51000000" and "Length: $1000000"

If you do not have a cable (like me), or are afraid to "torture" the phone, then download these files from here (respect to densoft):
44000000_01000000.bin - 6,8 megabytes
45000000_01000000.bin - 13 megabytes (the second file need not be downloaded; it contains only the FFS)

2. We download IDA 4.9, start it, and in File -> Open select our 44000000_100000.bin -> in the new window we set "Processor type: ARM processor ARM710a" and press OK.
http://www.latronik.ru/temp/1.jpg
A new window will appear; there we set "ROM start address 0x44000000" and "Loading address 0x44000000" and press OK.
http://www.latronik.ru/temp/2.jpg
In the next window, which says to wait while strings are being searched for, you can press Cancel. Next we do the following: File > Load File > Additional Binary File. We select, for example, the file 45000000_1000000.bin; in the window that appears we set Loading Segment: 0x0 and Loading offset: 0x45000000, and clear the Code Segment checkbox.
http://www.latronik.ru/temp/3.jpg
Repeat this with all the files, only with a different offset each time. After this you can save the idb on leaving IDA. In IDA, press the "s" key at address 44000000 and you will get the code, which you should then analyze. The description of the instructions can be downloaded from the link below; the file is called “.TsRCh000yYu_.rvcht_.v2.y_.arm.rar̶y;

Information is taken from here: http://forum.allsiemens.com/viewtopic.php?....der=.asch&.start=0
===========================================
FFS structure of the K700:
0x45000000 - 0x45FFFFFF = 64 blocks
0x50000000 - 0x51FFFFFF = 128 blocks
1 block = 0x00080000 = 512 k
At the beginning of each block lies an array of 256 dwords
The first word in each block is always FFFFFF1F
===========================================
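
Added example, not part of the original post: a Python sketch that maps an address onto the K700 logical regions listed above and walks an FFS readout block by block, checking the FFFFFF1F marker at the start of each block's 256-dword table. The byte order of the marker is an assumption (taken as printed), the sample image is constructed, and the block size is a parameter because 64 blocks of 0x80000 would span 32 MB rather than the 16 MB of 0x45000000 - 0x45FFFFFF, so it should be confirmed against a real dump.

```python
import struct

# Logical map of the K700 as listed in the post: (name, start, size).
# BootCore is the first 128 KB of the Firmware region, so the two overlap.
K700_LOGICAL = [
    ("BootCore", 0x44000000, 0x00020000),
    ("Firmware", 0x44000000, 0x00F00000),
    ("GDFS",     0x44F00000, 0x00100000),
    ("FFS",      0x45000000, 0x01000000),
    ("FFS",      0x50000000, 0x02000000),
]
FFS_MARKER = bytes.fromhex("FFFFFF1F")  # assumption: byte order as printed in the post
HEADER_DWORDS = 256                     # table of 256 dwords at the start of each block


def regions_for(addr):
    """Return the names of every logical region containing a physical address."""
    return [n for n, start, size in K700_LOGICAL if start <= addr < start + size]


def scan_ffs(image, base, block_size):
    """Yield (address, marker_ok, header) for each whole block of an FFS readout."""
    for off in range(0, len(image) - block_size + 1, block_size):
        raw = image[off:off + HEADER_DWORDS * 4]
        header = struct.unpack("<%dI" % HEADER_DWORDS, raw)
        yield base + off, raw[:4] == FFS_MARKER, header


def make_sample(block_size, blocks, bad_index):
    """Constructed image: erased flash (0xFF) with the marker in all but one block."""
    image = bytearray(b"\xff" * (block_size * blocks))
    for i in range(blocks):
        if i != bad_index:
            image[i * block_size:i * block_size + 4] = FFS_MARKER
    return bytes(image)


if __name__ == "__main__":
    sample = make_sample(0x80000, 4, bad_index=2)
    for addr, ok, _ in scan_ffs(sample, 0x45000000, 0x80000):
        status = "marker ok" if ok else "marker missing"
        print(hex(addr), regions_for(addr), status)
```

A block whose first word does not match is worth a second look before loading the readout into a disassembler: it usually means the read started at the wrong address or the block size assumption is off.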

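nj528 posted on 2007-2-16 22:23:32

FLASH structure.
I searched the biggest SE forum in the country until I was dizzy and never saw it there.
On the grounds of intellectual property, it is restricted to permission level 20.
That forum is full of filler posts; I suppose that counts as being popular!

nj528 posted on 2007-2-17 19:17:29

Addresses and sizes for backing up the full flash of different phone models with the SE TOOL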


Old Thread "All readouts firmwares here..." cleared and renamed cause too many broken links and outdated firmwares.

Readout ranges for K750/W800:
Full Readout: $44000000 and len $2000000

Readout ranges for K600/608/V600/V800/Z1010/Z800:
Main+FS: $20000000 len $2000000 / FS Only (for K600/608/V600i): $22000000 len $2000000

Readout ranges for K500/K700:
Main+FS part 1: 44000000 to 46000000
FS part 2: 50000000 to 52000000

Readout ranges for Z520:
1st part: start $44000000 len $2000000
2nd part: start $46000000 len $1000000
Full: start $44000000 len $3000000

Readout ranges for Sharp 902:
start $20000000 len:$2000000
start $22000000 len:$1000000
start $28000000 len:$1e00000

Readout ranges for Sharp 903:
start $20000000 len:$2000000
start $22000000 len:$1000000
start $28000000 len:$1fc0000

Write it to DEAD phones and UNLOCK afterwards you will get working phone.
NOTE - SHARP 903 EURO readout will ONLY fit to EURO sharp903, chinese-to chinese sx833, japanese-to japanese.

EROM (to revive your phones you must fullflash them (main+fs+complete))

btw: you CAN'T write EROM into red49 phones without TP.

k750/w800 start $44000000 len $20000
w900 start $20000000 len $20000
k600 start $20000000 len $20000
w550 start $44000000 len $20000
w810/z530 start $44000000 len $40000

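[ This post was last edited by comdin on 2007-2-18 14:21 ]

苏州小笨 posted on 2007-2-18 12:45:22

Looks pretty impressive :)

买醉生 posted on 2007-9-4 18:38:09

gzgz posted on 2007-9-4 21:14:35

18ly posted on 2009-6-21 13:31:54

My head is spinning.

呆呆中 posted on 2009-6-21 13:40:36

I still haven't learned how to back up Sony Ericsson phones~

18ly posted on 2009-6-28 12:16:22

呆呆 is hardworking. I'll study SE phones a bit too.

瑞艳熹 posted on 2009-7-28 15:20:19

ZXMH posted on 2009-7-29 17:09:32

I can't understand it!
I hope it can be explained more clearly!

潆铖信 posted on 2009-8-14 01:55:32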
