Fixing a fake USB flash drive


A couple of years ago I picked up a conference give-away flash drive (4GB), which at the time seemed like a pretty nice freebie. The trouble was it only ever liked to play nice with my Windows machine; Linux would refuse to mount it. The headline photo is the final product. I failed to take a before picture, but the leather + snap case on this USB thumb drive was hideous anyway.

Turns out it was a fake; good thing it was free. Still, in my typical fashion I didn’t want to just throw it away. Heck, I’m still carrying around the mysterious AMD 1GB key I got ages ago. So this bogus 4GB key sat in my work bag for a long while before I finally got around to investigating it.

The very first thing I did was use the Linux command lsusb, which helped me clue in that there was something wrong (fake) with the drive. I found a forum post that helped me get started down the right path. I got a copy of ChipGenius, which told me the following:


Description: [I:]USB Mass Storage Device(Generic Flash Disk)

Device Type: Mass Storage Device

Protocal Version: USB 2.00
Current Speed: High Speed
Max Current: 100mA

USB Device ID: VID = 0011 PID = 7788
Serial Number: 874BE199

Device Vendor: Generic
Device Name: Mass Storage
Device Revision: 0103

Manufacturer: Generic
Product Model: Flash Disk
Product Revision: 8.00

Controller Vendor: Alcor Micro
Controller Part-Number: SC708(FC8708)/AU6987 - F/W EC23
Flash ID code: ADD5949A - Hynix H27UAG8T2BTR - 1CE/Single Channel [MLC-8K] -> Total Capacity = 2GB

So this felt like progress: it's 2GB and not 4GB as Windows seems to think. Still not bad for free. I then used my camera to get some close-up shots of the naked circuit board to confirm the data that the ChipGenius tool dug out.


It was good to see that the values matched; this boosted my confidence in the ChipGenius tool. I did find some references on the web claiming that sometimes ChipGenius is wrong, so it’s worth looking at the chips themselves.
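Since tools like ChipGenius can be wrong, an independent check of the real capacity is to write distinct data at every offset up to the advertised size and read it all back, the way H2testw and f3 do. The Python below is an added example, not code from the post; FakeDrive is a constructed stand-in for the stick (less flash than advertised, with addresses wrapping around), and verify_capacity works against any seekable read/write file object, which for real hardware means an open block device whose existing contents get destroyed.

```python
import hashlib


def block_pattern(seed: bytes, index: int, size: int) -> bytes:
    """Deterministic, distinct content for block `index` (SHA-256 expanded)."""
    out = bytearray()
    ctr = 0
    while len(out) < size:
        out += hashlib.sha256(seed + index.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:size])


def verify_capacity(dev, claimed_bytes: int, block_size: int = 1 << 20, seed: bytes = b"constructed-seed"):
    """Write a unique block at every offset up to the claimed size, then read it all back.
    Destructive. Returns the bytes that survived and the first block that came back wrong."""
    nblocks = claimed_bytes // block_size
    for i in range(nblocks):
        dev.seek(i * block_size)
        dev.write(block_pattern(seed, i, block_size))
    dev.flush()
    good, first_bad = 0, None
    for i in range(nblocks):
        dev.seek(i * block_size)
        if dev.read(block_size) == block_pattern(seed, i, block_size):
            good += 1
        elif first_bad is None:
            first_bad = i
    return {"usable_bytes": good * block_size, "first_bad_block": first_bad}


class FakeDrive:
    """Constructed stand-in for a fake stick: advertises `claimed` bytes but only has
    `real` bytes of flash, and wraps addresses around (a common fake-controller behaviour).
    For real hardware pass open('/dev/sdX', 'r+b', buffering=0) to verify_capacity instead."""
    def __init__(self, real: int, claimed: int):
        self.real, self.claimed, self.pos = real, claimed, 0
        self.buf = bytearray(real)
    def seek(self, pos: int):
        self.pos = pos
    def write(self, data: bytes):
        for k, b in enumerate(data):
            self.buf[(self.pos + k) % self.real] = b
        self.pos += len(data)
    def read(self, n: int) -> bytes:
        out = bytes(self.buf[(self.pos + k) % self.real] for k in range(n))
        self.pos += n
        return out
    def flush(self):
        pass
```

At reduced scale, verify_capacity(FakeDrive(8192, 16384), 16384, block_size=4096) models this post's drive (half the advertised flash): the later blocks overwrite the earlier ones, so only 8192 bytes survive and block 0 is the first to read back wrong.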

Part of the output was also a link to a website, yet even with Google Translate the site left me guessing as to what I wanted to download; there were a lot of possible options. I chose one near the top, “Series master, the Alcor MPtool AU6987T/6989 Yasukuni, production tools (2011.12.26.00)”, as the title matched some of the data in the ChipGenius dump. In the end the instability of the site, the language barrier and my inability to successfully download anything sent me off down other paths.

I then ended up searching on flashboot.ru with the controller chip number (FC8708), and was able to find and download (with a bit of Google Translate help) a tool that recognized the drive. The best way to find this tool is to search for its name: FC_MpTool_FC8308_FC8508_FC8406_04.02.01.

FC MpTool

The user interface was mysterious, but clicking on the drive letter started a reformat, which resulted in a 2GB flash drive. This newly formatted drive was quite happy under Linux.

In terms of performance, I benchmarked copying 7 x ~300MB video files (total 1.9GB) to the stick, which reported ~4.7MB/sec. There were certainly bursty updates in the file progress dialog in Ubuntu. This isn’t great, but again it was free and it works under Linux. I also tried zeroing the entire drive ($ sudo dd if=/dev/zero of=/dev/sdc), which reported: 2095054848 bytes (2.1 GB) copied, 335.285 s, 6.2 MB/s – again, not great but good enough.

A bit of heat-shrink tubing applied to cover up the bare circuit board and I’ve got a hack-worthy USB key.

Installing a custom ROM on the SGH-I727R

I’m a fan of running customized ROMs on my phone. There are three reasons: a) I like to tinker; b) it provides added capability and longer currency for my phone; c) I can get source for most of the code running on my phone. In this post I’ll talk about installing CyanogenMod 10, but a good part of this will be applicable to any aftermarket ROM.

First I like to gather data about the state of the phone as it came to me. These details can all be found in the “About Phone” screen.

SGH-I727R
Android 2.3.5
baseband I727RUXKJ7
Kernel 2.6.35.11
Gingerbread.RUXKJ7
IMEI XXXXXXXXXXXXXXX
IMEI SV XX

I’ve omitted my actual IMEI, but you’ll want to record yours, as it is possible to accidentally wipe it out on some phones. Fortunately, as this phone came to me in the actual retail box, the sticker on the box matched the details here too.

The next step is to spend some time reading up on how to modify the firmware (ROM) and how to restore to stock. I’ve said this before, but it’s worth saying again: there is a lot of misinformation out there about how to go about this. Primarily this is because people don’t really understand what they are doing and simply provide instructions that seemed to work for them, voodoo magic included. An example is this YouTube video I came across. Well, it does give you confidence that it can be done, but there is no need to root your phone before installing a custom recovery.

If you’ve done any searching at all, you’ll have come across the XDA Forums; I do recommend signing up and reading through the relevant forums. Learn to search for answers, and share what you do know with folks who don’t. The newb starting guide is a good place to start. Also, since my primary target is CyanogenMod, usually a good place to start is with their wiki; however, in this case it wasn’t.

The first step is to get a custom recovery image installed. ClockworkMod (CWM) is the preferred solution for CyanogenMod and I’m familiar with it. To install it we need a tool that will talk to the download mode of our phone, and we need to get our phone into download mode. The tool I prefer to use is heimdall; it worked well with my i9000 and it’s also friendly to Linux. The other option is Odin (download link), a Windows-only tool.

To enter download mode, the Rogers version is slightly different from the AT&T version: only volume down needs to be held with power (not volume up & volume down).

If you are successful you should be greeted by a screen as per above. Now assuming the USB cable is attached we can start the tool to send down the custom recovery image.

Sadly this is where I went off the rails a little: it turns out the version of heimdall (1.3.1) I had didn’t quite support the protocol used by this phone. Upgrading to a newer version did fix the connection problem, but then it failed in another way that I can only assume is also related to the protocol.

$ sudo ../Heimdall/heimdall/heimdall flash --recovery recovery.img
Heimdall v1.4 RC1

Copyright (c) 2010-2012, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/

This software is provided free of charge. Copying and redistribution is
encouraged.

If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/

Initialising connection...
Detecting device...
Claiming interface...
Setting up interface...

Checking if protocol is initialised...
Protocol is initialised.

Beginning session...
Session begun.

In certain situations this device may take up to 2 minutes to respond.
Please be patient!

Releasing device interface...

And that was it, my phone was busted.

I did try several times to recover using heimdall and failed. So it was off to Windows to use the Odin tool to fix things.

I initially tried to simply install a version of CWM and then proceed from there, but I made a few mistakes. 1) I didn’t have the right version of CWM; I can’t explain this but I do admit I was thrashing a little here. 2) I did have some partial successes which probably left things in a somewhat dubious state, causing me grief later when I was doing the right things (see log below).

E:Can't open /cache/recovery/log
E:Can't open /cache/recovery/log
E:Can't open /cache/recovery/last_log
E:Can't open /cache/recovery/last_log

The solution is to return to stock and start fresh. Thankfully Odin was quite happy to flash the stock version I got via XDA.

I did locate the correct version of CWM via the CM10 thread on XDA, and I found the TeamChopsticks install guide quite helpful. Once I had the right mojo, things went smoothly.

Starting from stock
Install recovery via Odin, boot into recovery
Wipe & factory reset
Format /system
Flash CM10 nightly zip
Flash google apps zip (optional)
Reboot

I like to have SSHD running on my phone along with rsync to allow nightly backups to happen. Unfortunately CM10 isn’t yet shipping with dropbear pre-installed, and the CM7 version doesn’t seem to be happy anymore. I’ve switched to using the DropBear SSH Server app; the one downside is that it doesn’t auto-start on boot. I’ve been in touch with the author and this is on his future feature list.

A few notes on setting up DropBear SSH Server. The very first run will ask you to grant it superuser privileges; it needs these, so you need to say yes. Once the first screen is all green, you can test the server; the default root password is 42. Once you’ve verified it’s working, you’ll want to fix the password under settings. I use keyed logins, and the app does support importing keys from files, but only one key per file. Once you’ve set up some keys, you can disable password logins entirely.

In CM10 you’ll probably want to enable USB Storage under Settings->Storage, then press menu to bring up ‘USB computer connection’ where you can opt in for USB storage (it is off by default).

Somewhere during this set of events I managed to end up in a state where the Radio version reported in About Phone was ‘unknown’. Phone calls worked fine, and I ran a couple of days without noticing this. I later rebooted into recovery and installed a more up-to-date radio/modem firmware (I727RUXLF3). While I was in recovery I initiated a backup which I can return to if things get really messed up; this is handy as it is stored on the external SD card and is available even if I’m not somewhere with a computer and need to fix the phone.

CM10 has a new over-the-air (OTA) update system; I used it for the first time tonight to move to the latest nightly. Very slick, but there didn’t seem to be an option to back up my existing state.

So aside from a few heart-stopping moments where my brand new phone was totally fubar'd, this was overall a pretty typical experience with a new device. Plenty of little details to figure out, a few new tools to install/configure/learn and the excitement of new hardware (and software). I’m really pleased with the i727; the screen still feels really big (but not too big). It’s fast and the battery life is very good. Google Now also recently added the ability to enter calendar events, resolving one of the few things I found it couldn’t do – and yes, Google Now is pretty darn cool.

New Phone: Samsung Galaxy S2 LTE

Again I’m feeding my gadget habit by picking up a new-to-me phone. This time it turns out the phone is effectively brand new: it still had the factory plastic on the screen and came with the box and all new accessories. I’d been watching the local used phone market via Kijiji for a while, and this one popped up at a great price; I was lucky to be one of the first to respond with a firm offer to buy.

The phone model number is SGH-I727R and it is locked to the Rogers network here in Canada. It is basically the same as the AT&T SGH-I727 model, which means there should be reasonable community support for third-party firmware (specifically CyanogenMod).

Even prior to purchase I usually do quite a bit of reading up on the potential of the device. While in general the technology upgrade is across the board, a couple of things stick in my head: 4.5″ AMOLED screen; 1.5GHz dual core; 8MP camera. Apparently this phone has the capability to be flashed over to work on AWS networks such as Wind; I doubt I’ll need this, but it’s nice to have such a capable phone.

The first real hurdle I came across was unlocking the phone. I had seen enough material on the XDA Forums indicating that it wasn’t a big deal to unlock this model, but I had hoped it would be as easy as the i9000 was (a simple software patch). In the end I bought an unlock code via eBay; the price was very low and I had some amount of purchase protection through eBay, in theory. I found the listing via a post on XDA by a member who’s quite active and has the same phone, which also increased my confidence that it was going to work.

I made the eBay purchase at 8pm, and there were several (I’m assuming) automated email responses pointing me at the website to submit my IMEI. In less than 6 hours I had an unlock code; I suspect if I had made the purchase at a more convenient time of day it would have been even quicker. Inserting my Fido SIM caused the phone to present the Network Lock Control Key screen, where I was able to enter the 8-digit unlock code and unlock my phone. I don’t know, but I suspect that it may have requested the unlock over the mobile network, as there were a few on-screen messages indicating that it was ‘requesting’ the unlock. The unlock is persistent across firmware upgrades, and appears to be for all SIMs based on my testing.

In the hope that I could help identify a software only unlock, I did a little poking around on the stock firmware. In order to do this poking, it was necessary to gain root. I did this using the zergRush exploit. I was glad that I had a copy of zergRush cached away, as the file linked by the XDA post wasn’t available.

You will need adb installed and set up on your computer and communicating with the phone (you might need to turn on adb support under Menu->Applications->Development->USB debugging). Assuming you’ve got that sorted out, using zergRush is quite easy:

adb push zergRush /data/local
adb shell
cd /data/local
chmod 755 zergRush

Now when you run zergRush you’ll see something like:

$ ./zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00000118
[+] Found a Samsung, running Samsung mode
[*] Scooting ...
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 149 zerglings ...
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Zerglings found a way to enter ! 0x18
[+] Overseer found a path ! 0x00030730
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Overseer found a path ! 0x000307f8
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Zerglings caused crash (good news): 0x40322cd4 0x0074
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd19b63 0xafd3975f
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 181 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!

When you connect again with adb you’ll be in a root shell. With full access to all of the files, I copied some of them down in the hope of spotting a change to one that controlled the locked state. Exploring the filesystem, it seems that the i727 phone doesn’t have a nv_ram.bin file, nor were any of the potential candidates modified by the unlocking process. This was a failed experiment, but still fun to try. I will note that zergRush does leave the phone in a pretty sick state (the UI is very, very sluggish), so you’ll want to reboot as soon as you’re done messing around.