Friday, 3 June 2016

Full analysis of Xiaomi Mi4 Windows Mobile 10 ROM

I have done an extended analysis of the FFU file of Windows Mobile 10 for Xiaomi Mi4.

The partition layout differs between Android and Windows Phone, but some partitions have the same starting LBA, ending LBA and size, so they occupy the same location and have the same size in both layouts. Because the FFU contains no data blocks to write into these partitions, we can assume they stay intact during the update from Android to Windows Mobile.

This way I found out that 5 partitions are kept from Android, 13 are written with data and 6 are nulled (content is all zeroes):

+-----+-----------+-----------+-----------+------------------+--------+-------------------+
|  #  | Start LBA |  End LBA  |   Size    | Name             | In FFU | Status            |
+-----+-----------+-----------+-----------+------------------+--------+-------------------+
|   0 |      1024 |      2047 |      1024 | SBL1             | Yes    | Written           |
|   1 |      2048 |      2559 |       512 | UEFI_BS_NV       | Yes    | Nulled            |
|   2 |      3072 |      3583 |       512 | UEFI_RT_NV       | Yes    | Nulled            |
|   3 |      4096 |      8191 |      4096 | UEFI             | Yes    | Written           |
|   4 |      8192 |     10239 |      2048 | DDR              |        | Kept from Android |
|   5 |     10240 |     12287 |      2048 | SSD              |        | Kept from Android |
|   6 |     12288 |     14335 |      2048 | PADDING0         | Yes    | Nulled            |
|   7 |     14336 |     30719 |     16384 | DPP              | Yes    | Written           |
|   8 |     30720 |     30783 |        64 | DBI              | Yes    | Written           |
|   9 |     31744 |     32743 |      1000 | RPM              | Yes    | Written           |
|  10 |     32768 |     33767 |      1000 | TZ               | Yes    | Written           |
|  11 |     33792 |     34815 |      1024 | WINSECAPP        | Yes    | Written           |
|  12 |     34816 |     67583 |     32768 | TZAPPS           | Yes    | Written           |
|  13 |     67584 |     68607 |      1024 | BACKUP_SBL1      |        |                   |
|  14 |     68608 |     68671 |        64 | BACKUP_DBI       |        |                   |
|  15 |     69632 |     73727 |      4096 | BACKUP_UEFI      |        |                   |
|  16 |     73728 |     74727 |      1000 | BACKUP_RPM       |        |                   |
|  17 |     74752 |     75751 |      1000 | BACKUP_TZ        |        |                   |
|  18 |     75776 |     76799 |      1024 | BACKUP_WINSECAPP |        |                   |
|  19 |     76800 |    109567 |     32768 | BACKUP_TZAPPS    | Yes    | Nulled            |
|  20 |    109568 |    117759 |      8192 | MMOS             | Yes    | Written           |
|  21 |    117760 |    131071 |     13312 | PADDING1         |        |                   |
|  22 |    131072 |    134143 |      3072 | MODEM_FS1        |        | Kept from Android |
|  23 |    134144 |    137215 |      3072 | MODEM_FS2        | Yes    | Nulled            |
|  24 |    137216 |    137247 |        32 | MODEM_FSC        | Yes    | Nulled            |
|  25 |    138240 |    154623 |     16384 | PLAT             | Yes    | Written           |
|  26 |    154624 |    220159 |     65536 | EFIESP           | Yes    | Written           |
|  27 |    220160 |    262143 |     41984 | PADDING2         |        |                   |
|  28 |    262144 |    265215 |      3072 | MODEM_FSG        |        | Kept from Android |
|  29 |    265216 |    491519 |    226304 | PADDING3         |        |                   |
|  30 |    491520 |    524287 |     32768 | PERSIST          |        | Kept from Android |
|  31 |    524288 |   5537791 |   5013504 | MainOS           | Yes    | Written           |
|  32 |   5537792 |  20967423 |  15429632 | Data             | Yes    | Written           |
+-----+-----------+-----------+-----------+------------------+--------+-------------------+

Regarding the partitions which are in the FFU file, here is all the information I gathered about them:

"SBL1" is an SBL (Secondary Boot Loader) file with an 80-byte header
The file is not signed (no signature and no certificate chain).

Codeword[4]: d1dc4b84
Magic[4]: 3410d773
Image ID[4]: 15000000 (SBL1_IMG)
Reserved 1[4]: ffffffff
Reserved 2[4]: ffffffff
Image source[4]: 50000000
Image destination pointer[4]: 00c000f8 (4160798720)
Image size[4]: f8480400
Code size[4]: f8480400
Signature pointer[4]: f80805f8 (4161079544)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: f80805f8 (4161079544)
Certificate chain size[4]: 00000000 (0)
OEM root certificate selected[4]: 01000000
OEM number of root certificates[4]: 01000000
Booting image config[4]: ffffffff
Reserved 6[4]: ffffffff
Reserved 7[4]: ffffffff
Reserved 8[4]: ffffffff
Reserved 9[4]: ffffffff

"UEFI_BS_NV" is an empty partition

"UEFI_RT_NV" is an empty partition

"UEFI" is probably an ARM binary file with a 40-byte header
The file is not signed (no signature and no certificate chain).

Image ID[4]: 05000000 (APPSBL_IMG)
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 00002000 (2097152)
Image size[4]: 00800d00
Code size[4]: 00800d00
Signature pointer[4]: 00802d00 (2981888)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: 00802d00 (2981888)
Certificate chain size[4]: 00000000 (0)

"PADDING0" is an empty partition

"DPP" is a FAT partition

"DBI" is probably an ARM binary file with a 40-byte header
The file is not signed (no signature and no certificate chain).

Image ID[4]: 1e000000
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 000080fe (4269801472)
Image size[4]: 982d0000
Code size[4]: 982d0000
Signature pointer[4]: 982d80fe (4269813144)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: 982d80fe (4269813144)
Certificate chain size[4]: 00000000 (0)
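The field listings above are easiest to act on when they are decoded programmatically, so here is an added Python example (my own, not the post's or any vendor tool's code) that parses both header kinds listed so far, the 80-byte SBL1 header and the 40-byte header seen on UEFI and DBI, and reports the two things a reviewer wants from them: whether the image carries a signature and certificate chain at all, and whether the pointers and sizes agree with each other. Field names and order follow the post's listing; treating every field as a 4-byte little-endian integer, and telling the two layouts apart by the SBL1 codeword/magic prefix, are assumptions of this example. The sample headers are reconstructed from the hex values printed above for SBL1 and UEFI.

```python
import struct

# Field order follows the post's listing; each field is assumed to be a
# 4-byte little-endian integer (20 fields = 80 bytes).
SBL1_FIELDS = (
    "codeword", "magic", "image_id", "reserved1", "reserved2",
    "image_src", "image_dest_ptr", "image_size", "code_size",
    "signature_ptr", "signature_size", "cert_chain_ptr", "cert_chain_size",
    "oem_root_cert_sel", "oem_num_root_certs", "booting_image_config",
    "reserved6", "reserved7", "reserved8", "reserved9",
)
# 40-byte header as listed for UEFI and DBI (10 fields).
MBN_FIELDS = (
    "image_id", "flash_partition_version", "image_src", "image_dest_ptr",
    "image_size", "code_size", "signature_ptr", "signature_size",
    "cert_chain_ptr", "cert_chain_size",
)

# Codeword + magic of the SBL1 header exactly as printed in the post (on-disk
# byte order). Using this prefix to pick the layout is an assumption here.
SBL1_PREFIX = bytes.fromhex("d1dc4b84 3410d773")

# Sample headers reconstructed from the hex dump in the post.
SBL1_HEADER = bytes.fromhex(
    "d1dc4b84 3410d773 15000000 ffffffff ffffffff 50000000 00c000f8 "
    "f8480400 f8480400 f80805f8 00000000 f80805f8 00000000 01000000 "
    "01000000 ffffffff ffffffff ffffffff ffffffff ffffffff"
)
UEFI_HEADER = bytes.fromhex(
    "05000000 03000000 00000000 00002000 00800d00 "
    "00800d00 00802d00 00000000 00802d00 00000000"
)


def parse_header(blob):
    """Decode a header into a dict, choosing the 80- or 40-byte layout."""
    fields = SBL1_FIELDS if blob[:8] == SBL1_PREFIX else MBN_FIELDS
    size = 4 * len(fields)
    if len(blob) < size:
        raise ValueError(f"header needs {size} bytes, got {len(blob)}")
    values = struct.unpack("<%dI" % len(fields), blob[:size])
    hdr = dict(zip(fields, values))
    hdr["header_len"] = size
    return hdr


def check_image(hdr):
    """Findings about the header: is there any signature, and do the
    pointers and sizes agree (a cheap sanity check before trusting them)."""
    signed = hdr["signature_size"] != 0 and hdr["cert_chain_size"] != 0
    # Both samples place the signature directly after the code in memory;
    # taking that as the expected layout is an assumption.
    sig_follows_code = (
        hdr["signature_ptr"] == hdr["image_dest_ptr"] + hdr["code_size"]
    )
    sizes_consistent = hdr["image_size"] == (
        hdr["code_size"] + hdr["signature_size"] + hdr["cert_chain_size"]
    )
    return {
        "signed": signed,
        "sig_follows_code": sig_follows_code,
        "sizes_consistent": sizes_consistent,
    }


def describe(hdr):
    """Render the decoded fields (integer value in hex and decimal, not in
    on-disk byte order like the post's listing)."""
    return "\n".join(
        f"{name}[4]: 0x{value:08x} ({value})"
        for name, value in hdr.items() if name != "header_len"
    )


if __name__ == "__main__":
    for label, blob in (("SBL1", SBL1_HEADER), ("UEFI", UEFI_HEADER)):
        hdr = parse_header(blob)
        print(f"== {label} ({hdr['header_len']}-byte header)")
        print(describe(hdr))
        print(check_image(hdr))
```

On both sample headers `check_image` reports `signed` as False with both pointer/size checks passing, which is the post's finding stated as data: the images are internally consistent but carry no signature or certificate chain, so nothing at this layer binds them to an OEM root.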

"RPM" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 91001000
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"TZ" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 000081fe
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 1000
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"WINSECAPP" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 0090fe07
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000
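The three ELF headers above (RPM, TZ, WINSECAPP) share one layout, so as an added example (mine, not the post's) here is a small ELF32 header decoder that turns the raw fields into the facts worth checking: that the file really is an ARM executable, whether the entry point is Thumb code (bit 0 of e_entry on ARM), the EABI version carried in e_flags, and how much of the file the program header table occupies. The structure layout and constants come from the ELF specification; the sample headers are reconstructed from the hex values listed above for RPM and TZ.

```python
import struct

# ELF32 file header (52 bytes), little-endian, layout per the ELF spec:
# e_ident[16], e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
# e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF32_EHDR = struct.Struct("<16sHH" "IIIII" "HHHHHH")
ET_EXEC = 2
EM_ARM = 40
EF_ARM_HASENTRY = 0x02
EF_ARM_EABIMASK = 0xFF000000

# Sample headers reconstructed from the hex values listed in the post.
RPM_HEADER = bytes.fromhex(
    "7f454c46010101000000000000000000"        # e_ident
    "0200" "2800" "01000000" "91001000"        # type, machine, version, entry
    "34000000" "00000000" "02000005"           # phoff, shoff, flags
    "3400" "2000" "0400" "2800" "0000" "0000"  # ehsize..shstrndx
)
TZ_HEADER = bytes.fromhex(
    "7f454c46010101000000000000000000"
    "0200" "2800" "01000000" "000081fe"
    "34000000" "00000000" "02000005"
    "3400" "2000" "1000" "2800" "0000" "0000"
)


def parse_elf32(blob):
    """Decode a little-endian ELF32 header into the facts worth checking."""
    if len(blob) < ELF32_EHDR.size:
        raise ValueError(f"need {ELF32_EHDR.size} bytes, got {len(blob)}")
    (ident, e_type, e_machine, _version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     _shstrndx) = ELF32_EHDR.unpack_from(blob)
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 1 or ident[5] != 1:          # EI_CLASS, EI_DATA
        raise ValueError("only little-endian ELF32 is handled here")
    return {
        "type": e_type,
        "machine": e_machine,
        "entry": e_entry,
        # On ARM a set bit 0 in e_entry marks a Thumb entry point; the
        # real address has that bit cleared.
        "thumb_entry": bool(e_entry & 1),
        "entry_addr": e_entry & ~1,
        "eabi_version": (e_flags & EF_ARM_EABIMASK) >> 24,
        "has_entry_flag": bool(e_flags & EF_ARM_HASENTRY),
        "phoff": e_phoff,
        "phentsize": e_phentsize,
        "phnum": e_phnum,
        "section_headers_stripped": e_shoff == 0 and e_shnum == 0,
        "ehsize_ok": e_ehsize == ELF32_EHDR.size,
    }


def min_file_size(info):
    """Smallest file that can hold the header plus the program header table;
    a shorter file means the table (and thus the load map) is truncated."""
    return info["phoff"] + info["phnum"] * info["phentsize"]


def check_arm_exec(info):
    """Return the reasons this header is not a sane ARM executable; an empty
    list means it matches what the post describes for RPM/TZ/WINSECAPP."""
    problems = []
    if info["type"] != ET_EXEC:
        problems.append(f"e_type {info['type']} is not ET_EXEC")
    if info["machine"] != EM_ARM:
        problems.append(f"e_machine {info['machine']} is not EM_ARM")
    if not info["ehsize_ok"]:
        problems.append("e_ehsize does not match the ELF32 header size")
    if info["phentsize"] != 32:
        problems.append(f"unexpected e_phentsize {info['phentsize']}")
    if info["phnum"] == 0:
        problems.append("no program headers: nothing would be loaded")
    return problems


if __name__ == "__main__":
    for name, blob in (("RPM", RPM_HEADER), ("TZ", TZ_HEADER)):
        info = parse_elf32(blob)
        print(name, info, "min size", min_file_size(info),
              "problems", check_arm_exec(info))
```

With the listed headers, RPM decodes to a Thumb entry at 0x00100090 with 4 program headers and TZ to an ARM entry at 0xfe810000 with 16; both have EABI version 5 and no section header table, which is normal for stripped boot images but means any analysis must work from program headers alone.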

"TZAPPS" is a FAT partition

"BACKUP_TZAPPS" is an empty partition

"MODEM_FS2" is an empty partition

"MODEM_FSC" is an empty partition

"PLAT" is a FAT partition

"EFIESP" is a FAT partition

"MMOS" is a FAT partition

"MainOS" is a NTFS partition
-> Boot sector backup at offset 2566913536 matches the boot sector from sector 0

"Data" is a NTFS partition
-> Boot sector backup at offset 7899971072 matches the boot sector from sector 0
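The "boot sector backup" check on MainOS and Data is the standard NTFS integrity test: the volume keeps a copy of sector 0 in its last sector, and the boot sector's own Total Sectors field (which excludes that last sector) tells you where to look. As an added example (mine, not the post's or any tool's), the Python below locates the backup both ways, from the partition size and from the field in the boot sector, and compares the two copies. The sample volume is constructed inline with a minimal NTFS-like boot sector; it is not data from the ROM.

```python
import struct

SECTOR = 512


def backup_boot_sector_offset(size_sectors, sector_size=SECTOR):
    """Byte offset of the NTFS backup boot sector: the last sector of the
    volume. For MainOS (5013504 sectors) this gives the post's 2566913536."""
    return (size_sectors - 1) * sector_size


def is_ntfs_boot_sector(sector):
    """OEM ID 'NTFS    ' at offset 3 and the 0x55AA end-of-sector marker."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"


def verify_ntfs_backup(volume):
    """Compare sector 0 with its backup, locating the backup from the Total
    Sectors field (offset 40, 8 bytes) and cross-checking against the
    offset implied by the volume length."""
    primary = volume[:SECTOR]
    if not is_ntfs_boot_sector(primary):
        return {"ntfs": False}
    bytes_per_sector = struct.unpack_from("<H", primary, 11)[0]
    total_sectors = struct.unpack_from("<Q", primary, 40)[0]
    # Total Sectors excludes the backup sector, so the backup lives exactly
    # one sector past the counted area.
    offset_from_field = total_sectors * bytes_per_sector
    offset_from_size = backup_boot_sector_offset(
        len(volume) // bytes_per_sector, bytes_per_sector)
    backup = volume[offset_from_field:offset_from_field + bytes_per_sector]
    return {
        "ntfs": True,
        "offset": offset_from_field,
        "offsets_agree": offset_from_field == offset_from_size,
        "backup_matches": backup == primary[:bytes_per_sector],
    }


def make_sample_volume(size_sectors, corrupt_backup=False):
    """Constructed NTFS-like volume: one boot sector, zero filler, and a copy
    of the boot sector in the last sector (optionally damaged)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                         # jump instruction
    bs[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<H", bs, 11, SECTOR)             # bytes per sector
    bs[13] = 8                                         # sectors per cluster
    struct.pack_into("<Q", bs, 40, size_sectors - 1)   # total sectors
    bs[510:512] = b"\x55\xaa"
    vol = bytearray(bs) + bytearray(SECTOR * (size_sectors - 2)) + bytearray(bs)
    if corrupt_backup:
        vol[-SECTOR + 100] ^= 0xFF                     # flip one byte in the backup
    return bytes(vol)


if __name__ == "__main__":
    print("MainOS backup at", backup_boot_sector_offset(5013504))
    print(verify_ntfs_backup(make_sample_volume(8)))
    print(verify_ntfs_backup(make_sample_volume(8, corrupt_backup=True)))
```

A mismatch between the two copies, or between the two computed offsets, is what a partition-table edit or a truncated write to the partition looks like from the outside; both MainOS and Data in the FFU pass this check.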


from xda-developers http://ift.tt/22D0mLX
via IFTTT
