Phone and firmware manipulation guide

This is a guide for dealing with binary data from phones. Different types of phones handle resources differently, thus, several programs exist for handling binary data from different phones.

Note that some older software, such as P2K tools, certain serial drivers, and ResMan, work most reliably on Windows XP. Usually, this can be taken care of by running the software in a Virtual Machine, using a program such as Oracle VirtualBox. However, in cases where software doesn't work or USB devices can't be routed to the VM, having a physical Windows XP computer to use normally works best, if all else fails.

Due to licensing restrictions, we are not able to provide mirrors to every program mentioned in this article.

= General file extraction = The firmware of many older cell phones is in a self-contained .bin file that contains all the graphics, sounds, and software. Resources can be extracted from .bin files using WinRipper and MultiExtractor. Most sequenced ringtones can be extracted using MTEX.

Note about 'Box' firmware formats
Firmwares dumped from 'Box' programs (Octoplus box, FuriousGold, Infinity Box, SigmaKey, etc) are about as good as useless for ripping contents as these tend to be encrypted.

Generally speaking, 'Box' firmware files can be identified if they are the same size or nearly the same size in compressed form. For example, if someone were to download a firmware for (phone), and the .7z file was 18.4MB, and the extracted file was also 18.4MB, chances are it's encrypted.

Work is being done to figure out the encryption methods used on these 'box' file formats as well as how to decrypt them, however.

= LG =

General Purpose
For older LG phones (with firmware files that are .MOT), the Samsung oriented FWEditor and ResMan can be used, as they store graphics as raw bitmaps, and .MOT files can be converted to .bin using the built in .s3 converter.

For newer LG phones (with firmware files that are .cab/.dz/.kdz/.wdb), there are 2 options.

.KDZ and .WDB files can be extracted with LGExtract, which outputs .bin files and an embedded filesystem.

RevSkills can also extract .cab/.dz/.kdz/.wdb files.

USB file transfer
When it comes to older LG GSM phones, it depends a lot on the model.

Newer LG phones are more standardized, as they tend to use Qualcomm SoCs, so you can use BitPim to interface with the embedded file system. With that being said, not all LG phones are Qualcomm SoC based so it's best to do research on the specific phone.

Most LG Qualcomm phones, GSM or CDMA, will work fine under the "LG VX5400" preset in BitPim. This has been tested and confirmed to work with LG models B470, CU720 Shine, and VN250 Cosmos. = MediaTek (MTK) powered phones =

Note about MTK firmware files
The firmware files found from MTK devices differ a lot depending on manufacturer and how they were dumped.

USB file transfer
This also depends from manufacturer but these kinds of phones usually show up as a mass storage device when plugged into a computer. = Motorola = Note that although 64-bit Motorola P2K drivers exist, P2K software (i.e. P2Kman, P2KCommander, and P2KTools) seems to be most stable on Windows XP.

P2K Patriot/Neptune LT
The code groups of old-style Motorola flash files are stored with what appears to be DES encryption.

Here are some examples of 64-bit DES blocks and original data:

29 C3 4B 32 38 0C D1 66 (DES) 00 00 00 00 00 00 00 00 (Original)

BF 54 9E D0 44 EA 11 A9 00 00 01 02 03 FF 00 03

EF C8 3D 16 ED 47 46 A3 55 7E 03 12 E0 7F 01 00

17 06 E9 01 8E E2 75 4E 00 11 01 D8 4C 11 03 FF

EC 7A D5 2F 64 DD 66 A1 FF FF FF FF FF FF FF FF

01 8A 16 0D 7D 41 D2 F8 FF 10 01 00 00 10 32 D4

6B 48 7F 0D 85 95 B5 F0 FF 10 00 80 00 10 00 DF

2D FA 3C D6 69 2F 07 08 FF 10 32 B4 28 10 38 FF

USB file transfer
The "file system" of old-style P2K phones is one single root directory with no sub-folders. P2Kman can manage the files and seems of these phones.

P2K Neptune LTE/LTE2/3G; P2K05
The majority of Motorola P2K firmware files are in Motorola .shx format. It is a type of S-record format and can be split into code groups using SHXCodec. An alternative program that can also split SHX files into the necessary code groups is RandomSHX. This program generally seems to work when SHXCodec doesn't.

The firmware of some later P2K phones are in Motorola .sbf format, and can be split using SBF-Recalc.

The "flex file" (CG2.smg) is the file system of the phone and normally can be extracted using FlexParser04.

USB file transfer
Most common P2K phones support PC synchronization using Motorola Phone Tools, but P2KCommander and P2KTools can both be used to interface with the phone directly and modify the file system, seems, and settings.

CDMA Phones
Generally speaking, P2K tools do not work with CDMA based Motorola phones, as they use a different architecture.

Usually, RandomSHX will work fine for splitting these CDMA .shx files. SHXCodec may work as well, but generally there are inconsistencies between the GSM P2K and CDMA .shx files that it will give an error (such as CRC mismatch).

USB file transfer
USB transfer between CDMA Motorola phones isn't always consistent. BitPim works best most of the time, as it's a general purpose Qualcomm CDMA phone modification tool, but sometimes certain files will be 'locked', meaning you can't save them or they are set to read only.

Some certain Motorola phones do work with very specific versions of P2KCommander, such as version 4.9D. If a phone can be used with this program, it's best to use that instead as it bypasses any 'locked' files you may encounter when using BitPim.

Note that some older Motorola CDMA devices (such as the E815) have EFS reading blocked by default. To bypass this, a specific seem in the phone needs to be edited. The method will be posted here once it is proved working.

MotoMagx
MotoMagx was Motorola's mobile Linux OS. EZXCodec is capable of splitting the code groups of these phones' firmwares.

They will usually have several different "drives" as code groups in SquashFS format. They contain the header "hsqs" and can be extracted using 7-zip.

EZXCodec can also be used to extract filesystems from MotoMagx phones.

= Samsung =

.s3 to .bin conversion
Firmware files downloaded from Agere-platform Samsung phones are in S-record format and can be converted to .bin with any program that converts S-record to .bin.

There are many programs that do this, but arguably the best one is sre2bin. This program is included with some versions of OptiFlash, which is an in-house tool used by Samsung to flash firmware to Agere-platform handsets.

AMSS decryption
The AMSS file (usually called amss.bin, amss.mbn, apps_compressed.bin, etc.) can be decrypted using RevSkills.

File system extracting
Many firmware dumps of Qualcomm-powered Samsung phones include a .ffs file. This is usually a FAT16 disk file and can be extracted using either RevSkills or TestDisk, but the latter works more consistently.

Firmware Editing
There are 2 tools that work very well with one another to edit older Samsung phone firmware. Those programs being FWEditor and ResMan.

FWEditor can be used to find raw bitmap images in firmware. It gives the appropriate hex location of whatever you're looking at, and this can be put inside of a ResMan .rxt file.

ResMan can also open .tfs files and convert .icn and .ifg files to .bmp format. For newer Samsung phones, it's better to use a different program.

Making .RXT files for ResMan

IFG Images
Stated in the previous section, ResMan can view .tfs files and extract/convert .icn and .ifg files to .bmp format.

There are 2 programs that are better suited for this and can run on modern versions of Windows, those tools being TFS_Res and IFG_RW. IFG_RW is useful for batch converting .ifg to .bmp, and it also has a feature called "Search IFG in firmware" where it does a Multiextractor-like scan for .ifg files, and outputs them to a folder. From there you can batch convert them to .bmp (although it seems to have problems if there are more than 4000 .ifg files in a single folder).

TFS_Res is used for extracting the contents of .tfs files.

USB file transfer
For GSM phones, you can use Samsung PC Studio PIM & File Manager. Just find the appropriate port number, select it in the program, and it will automatically load whatever it can.

Samsung New PC Studio exists too, but only works on modern Windows with modifications to system files. If you really want to run NPS on Windows 8 and above, you need to replace Flash.ocx in "C:\Windows\SysWOW64\Macromed\Flash" with the same file copied from 64-bit Windows 7.

For CDMA phones, BitPim usually works.

= Ericsson/Sony Ericsson =

Ericsson R320s OS
Ericsson phones since the R320s, up until the Sony Ericsson Z600 or so, are based on the same core OS. The main firmware and GDFS files are in .sbn format. Currently, the only tool to deal with .sbn files is wackypack's sbn2bin Python program.

USB PIM/file transfer
Most Ericsson R320s-based phones support some form of serial communication. The DCU-11 cable or DSS-25 docking station can be used to interface with the phone's serial connection over USB. Note that the DCU-11 cable cannot be used to modify the flash files of the phone, without being modified.

floAt's Mobile Agent can be used for PIM features and to send files to Ericsson platform phones.