How To: Enable hidden functions using optimized flex.

[evaldas]

I agree about blind flashing of optimized_setup.shx. Still haven't tried this and afaik it uses config files from chinese version.
regarding other questions, mack, check this out! http://www.www.motorolafans.com/uplo...artgooglee.gif

[yantz]

regarding other questions, mack, check this out! http://www.www.motorolafans.com/uplo...artgooglee.gif

[mack]

Re blind flashing, I think this is true for any shx file. Many of us would prefer to combine certain changes into their own customized rootfs, rather than replacing it with someone else's.

It would be ideal to be able to mount the rootfs of a SHX file and rip files from there without actually flashing it to a phone. Anyone knows the format of SHX files, enough to extract the rootfs from it ?

In fact, I looked at the SHX file and it seems like a binary patch to some other file (apparently a full firmware file). I wrote a small script to extract chunks of data from SHX after dropping the headers, addresses and checksums, and can probably write a patch-script that applies SHX files to a firmware without actually flashing. However, I don't know how to determine which file is supposed to be patched. For example, what flash should the optimized setup be applied to ? I extracted its raw chunks and saw that most of it is a patch to some cramfs. If I knew what cramfs it was, I could probably patch it offline and mount it.

After I have it working, I'll post a small script to extract a cramfs from it, which should help crazy folks like me, who prefer to create their own customized firmware.

[mack]

ok, I wrote some scripts and played with SHX files. Now I'm even more puzzled about OPTIMIZED_SETUP_A780.shx.

I applied it offline (using my scripts) and saw it affects three ranges:
01FA0000-01FA5000
01FE0000-01FE00C4
A0200000-A023C02C

The first one is the cramfs of /usr/setup, which makes sense. The last one got me worried. A0200000 is the bootloader in full firmware files I checked. I looked at A0200000 in this shx, and indeed it contains what seems to be a bootloader, but this bootloader differs from any bootloader I found in other firmwares. Why would the described optimizations require replacing the bootloader ?

(Don't get me wrong, I'm not saying the shx is bad in any way. Just trying to understand it).

As for the setup (stored in 01FA0000), I mounted and compared it to my current setup. Aside from many different drm files, there were only two new config files: ezx_im.cfg and ezx_syncml.cfg. I don't see a new gaintable/volume file. How does this new firmware increase the volume ? Does some other file in /usr/setup control the gain somehow ? The only relevant change I found was in realplay's config, where default volume changed from 6 to 10, but it doesn't control the general volume of the system.

I can't find changes to 00120000 (rootdir's cramfs) so I don't understand how all the optimizations are performed. Are all optimizations performed by config files, without changing any programs ?

Some other changes in /usr/setup struck me as odd and I'm trying to understand them. For example, .policy/_devdomain.txt changes in a way that seems to allow full access to files, sms, mms, and everything else, to untrusted applications. The old setup only allowed a fraction of these, and only in oneshot. Isn't it a bit risky to give the untrusted domain access to things like com.motorola.file.writeaccess ?

Could anyone shed some light and help me understand this flex ?

P.S. When mounting (--bind) this /usr/setup on my phone, I indeed got a new "silent" option in the camera setup. I can't find which setup file did this magic. Could it be one of the mysterious entries in ezx_flexbit.cfg ? btw, after changing to "silent" and rebooting back to the original setup, camera stays silent. A quick check shows that now "shutterSound = 7" in /ezxlocal/download/appwrite/setup/ezx_camera.cfg, so I guess changing this file manually should silence your shutter without having to change /usr/setup.

[evaldas]

nope, this is actually not bootloader. it's loader. RAM version of bootloader, which you can load and execute in RAM. usually there are one or two RLD files in SHX which are executed in memory and flashes supplied CG files.

this update changes some config files under /usr/setup in particular firmware version (or adds some if yours differs). but what is CG17 file I'm not sure.. I think this is some kind of binary-patch file to BP firmware of the phone. just unlocks some functions.

[mack]

this update changes some config files under /usr/setup in particular firmware version (or adds some if yours differs). but what is CG17 file I'm not sure.. I think this is some kind of binary-patch file to BP firmware of the phone. just unlocks some functions.

Since it only affects that loader and the files in /usr/setup, without patching any binaries (as far as I can tell), there must be something in the modified cfg files, that unlocks these phone functions, which pre-exist in the old firmware. I'm unable to find any cfg file related to the camera, but the only file I'm unable to correlate to anything is the strange flexbits file, so I suspect these bits unlock all sorts of functions in the phone. Maybe I'll play with this file some more later and see if it can unlock anything else

[evaldas]

Seems you didn't understand me.

Let's say OPTIMIZED_SETUP_A780RDL3.smg is uploaded to bootloader and executed in memory. That's all for bootloader, the control is now given to the new loader. Then it downloads files:
OPTIMIZED_SETUP_A780CG15.smg: and overwrites /usr/setup mtd partition with this file
OPTIMIZED_SETUP_A780CG17.smg: according to this file patches some flash chip. "Patches" means changes some bits in specified locations of flash. I think this is flash chip containing BP firmware.

that's my guess

[mack]

I did understand you. Thanks.

What I meant is that once in place, this new setup unlocks certain features by just modifying some files in /usr/setup, so I extracted the /usr/setup cramfs from this firmware without actually flashing it, and mounted it over the old /usr/setup, and when I did that, it really unlocked the camera's "silent" setup option.

After it worked, I diff'ed the config files between the old and new /usr/setup, to see what changes unlocked the new features, so I can integrate them into my own setup rather than replacing it with the optimized one. I couldn't find anything related to the camera (or other new features) but I did see that the flexbits file changed, and its the only config file I know nothing about, so I guess these bits are used to control some interesting feature. I'll play with this file sometime and see what else it can enable.

Another thing I mentioned is that the optimized setup changes .policy in a way that allows the untrusted domain to do anything, which is a bit surprising. It makes sense for a debugging setup, but I'm afraid to use it on a system that runs third party jars.

And thanks for your explanation regarding RAM-based bootloader. Now I understand the process better.

[silvio]

using the new flex op[timized setup, the new option SIP appears.

If it is configured, the phone registers to the SIP server, but doesn't answer calls (returns 480 temporarily unavailable). Didn't find how to make outgoing calls yet, so can't check that.

btw, maybe its a good time to upgrade glibc and/or recompile open-source stuff ? That'd probably speed up the phone a bit.
Kernel recompile is a bit hard.
First option, of replacing the 2.4.20 with 2.4.31 or newer of the 2.4 family is problematic, since ezx is based on montavista's internal tree and not generic kernel tree.
Second option, replacing with 2.6 family is even more problematic, since whole lot of porting is needed, and from talks with moto, they don't expect e680i to live long enough to motivate 2.6 port. To reiterate, moto doesn't plan on porting e680/i to 2.6.
The new "mobilinux 4" platform, based on 2.6, will probably be used for some new phone, which will take time, apparently.

So, glibc 2.3.5 ? (no nptl of course, since no 2.6).

p.s. if anyone's interested, from a discussion with Toshiyuki Maeda, he plans on making a port of kml to arm, but since he's busy with his doctorate now, that's on hold indefinitely.

[jcav5]

I flashed my phone with this optimized flex, but I do not know how to disable the content subscription. Every few seconds I see percentage bar flash on my screen which I assume is the update for this content. I would like to get rid of it completely. Any help is appreciated.