Phone and firmware manipulation guide

This is a guide for dealing with binary data from phones. Different types of phones handle resources differently, thus, several programs exist for handling binary data from different phones.

Note that some older software, such as P2K tools, certain serial drivers, and ResMan, work most reliably on Windows XP. Usually, this can be taken care of by running the software in a Virtual Machine, using a program such as Oracle VirtualBox. However, in cases where software doesn't work or USB devices can't be routed to the VM, having a physical Windows XP computer to use normally works best, if all else fails.

Due to licensing restrictions, we are not able to provide direct download links to every program mentioned in this article.

= General file extraction =

The firmware of many older cell phones is a self-contained .bin file that contains all the graphics, sounds, and software. Resources can be extracted from .bin files using WinRipper and MultiExtractor. Most sequenced ringtones can be extracted using ToneSniffer.

Note about 'Box' firmware formats
Firmwares dumped by 'Box' programs (Octoplus Box, FuriousGold, Infinity Box, SigmaKey, etc.) are about as good as useless for ripping contents, as these tend to be encrypted.

Generally speaking, 'Box' firmware files can be identified if they are the same size or nearly the same size in compressed form. For example, if someone were to download a firmware for (phone), and the .7z file was 18.4MB, and the extracted file was also 18.4MB, chances are it's encrypted.

Work is being done, however, to figure out the encryption methods used on these 'box' file formats and how to decrypt them.

= LG =

GSM (TI Calypso / Analog Devices)
TI Calypso-powered LG phones tend to have firmwares stored in .m0 or .mot. Both are Motorola S-record files, but are handled differently.

.m0 files can be converted to a working BIN file with mot2bin. Make sure to add -w before passing the file, or you'll get a BIN file with incorrect endian (causes raw bitmaps to look noisy or 'embossed', and makes tones unfindable by extraction utils).

For example, if someone was to convert an LG C1300 firmware file to BIN format, they would type the following:

.mot files can be converted to BIN format with sre2bin. Unlike .m0 files, you don't have to use any arguments to change the endianness.

Example:

(the name "alchemy" is included because most LG firmwares of this type are split into two files named AlchemyData and CodeData. AlchemyData contains almost all graphics and sounds)

Once you have the firmware in BIN format, you can use ToneSniffer to extract sounds and Image Search Editor to look for raw bitmap graphics.

GSM (MTK)
Certain MTK powered LG phones store their firmware files in .IM format. These are standard BIN files with 64 bytes of extra data added every 2048 bytes.

Most of the time they are stored in .KDZ files, which can be unpacked with either RevSkills or LGExtract.

Once you get the .IM file, you can use RevSkills's "Byte Cutter" tool to remove the extra 64 byte blocks. Open RevSkills, then go to Extraction -> Repair -> Byte Cutter.

The following settings should work with .IM files, as long as the first 64 byte block is located at 0x00000800:



From there, you can use MultiExtractor or another general purpose file extraction tool to extract content from the .CUT file that RevSkills generates.
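The cut described above, as an added example in Python rather than RevSkills' own Byte Cutter: it assumes the layout the section gives (2048 data bytes, then 64 extra bytes, repeating, with the first extra block at 0x800) and includes a length sanity check so a file that does not fit that layout is refused instead of silently cut wrong. The sample image is constructed.

```python
"""Strip the 64-byte extra blocks from an LG MTK .IM dump to get a plain BIN.

Added example, not RevSkills' Byte Cutter. Assumes the layout the guide
describes: 2048 data bytes, then 64 extra bytes, repeating through the file,
so the first extra block sits at 0x800. The sample image is constructed."""
import sys

PAGE = 2048        # data bytes per page
SPARE = 64         # extra bytes after each page (first one at 0x800 == PAGE)


def layout_is_plausible(im: bytes, page: int = PAGE, spare: int = SPARE) -> bool:
    """Cheap sanity check before cutting: the file must hold at least one
    page+spare group and must end on a group boundary or inside a trailing
    data page, never inside a spare block."""
    stride = page + spare
    if len(im) < stride:
        return False
    tail = len(im) % stride
    return tail == 0 or tail <= page


def strip_spare(im: bytes, page: int = PAGE, spare: int = SPARE) -> bytes:
    """Return the data pages with every spare block removed; a trailing
    partial page is kept as-is."""
    stride = page + spare
    return b"".join(im[off:off + page] for off in range(0, len(im), stride))


def cut_file(src: str, dst: str) -> int:
    """Convert src (.IM) to dst (.bin); return the number of bytes written."""
    with open(src, "rb") as f:
        im = f.read()
    if not layout_is_plausible(im):
        raise ValueError(f"{src}: length {len(im)} does not fit the {PAGE}+{SPARE} layout")
    out = strip_spare(im)
    with open(dst, "wb") as f:
        f.write(out)
    return len(out)


# Constructed sample: three data pages with distinct fill bytes, each followed
# by a 64-byte spare block of 0xFF (a common spare-area fill; an assumption).
SAMPLE_PAGES = [bytes([0x11]) * PAGE, bytes([0x22]) * PAGE, bytes([0x33]) * PAGE]
SAMPLE_IM = b"".join(p + b"\xff" * SPARE for p in SAMPLE_PAGES)


if __name__ == "__main__":
    print(cut_file(sys.argv[1], sys.argv[2]), "bytes written")
```

Run it as `python im_cut.py firmware.IM firmware.bin`; the resulting .bin is what MultiExtractor or another general purpose extractor should be pointed at.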

Other (CAB/DZ/KDZ/WDB)
For newer LG phones (with firmware files that are .cab/.dz/.kdz/.wdb), there are 2 options.

.KDZ and .WDB files can be extracted with LGExtract, which outputs .bin files and an embedded filesystem.

RevSkills can also extract .cab/.dz/.kdz/.wdb files.

USB file transfer
When it comes to older LG GSM phones, it depends a lot on the model (we don't have enough information). Early GSM LG phones released in the US that are TI Calypso-powered lack USB support, so content cannot be transferred over USB.

Newer LG phones are more standardized, as they tend to use Qualcomm SoCs, so you can use BitPim or Revskills to interface with the embedded file system. With that being said, not all LG phones are Qualcomm SoC based so it's best to do research on the specific phone.

Qualcomm-powered
Most LG Qualcomm phones, GSM or CDMA, will work fine under the "LG VX5400" preset in BitPim. This has been tested and confirmed to work with LG models B470, CU720 Shine, and VN250 Cosmos.

Revskills is generally a more favorable option if you want faster transfer and batch exporting of all files in the EFS.

= MediaTek (MTK) phones =

Note about MTK firmware files
The firmware files found from MTK devices differ a lot depending on manufacturer and how they were dumped.

MTK firmware files may come as just a single BIN file, while others may be split into parts. Do note that some MTK firmware files are compressed, and this compression is not fully understood. If a firmware file for an MTK phone looks like nothing but random noise in a hex editor or white noise in an audio editor, it's either compressed or encrypted from some sort of box software.
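Both of the checks this guide uses to tell an unusable dump from a usable one, the 'Box' size heuristic (a file that barely shrinks when compressed) from the General file extraction section and the "random noise in a hex editor" check above, can be automated. The following is an added example and not part of the guide or any of its tools; the thresholds are assumptions, and the sample images are constructed.

```python
"""Flag a firmware dump that is likely encrypted or compressed before spending
time ripping it.

Added example, not from the guide's tools. It applies the two checks the
guide describes: the 'Box' size heuristic (a dump that barely shrinks when
compressed) and the "looks like random noise" check, measured here as
Shannon entropy in bits per byte. Thresholds are assumptions; samples are
constructed."""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, far lower for code,
    bitmaps and tones."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib (level 9) size divided by original size; about 1.0 or above means
    the content is already compressed or encrypted."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes, entropy_limit: float = 7.9, ratio_limit: float = 0.98) -> str:
    """'opaque' when both checks fire, 'mixed' when only one does (for
    instance plain code groups next to encrypted ones), else 'plain'."""
    hits = int(shannon_entropy(data) >= entropy_limit)
    hits += int(compression_ratio(data) >= ratio_limit)
    return ("plain", "mixed", "opaque")[hits]


def summarize(data: bytes, chunk: int = 65536):
    """Per-chunk verdicts, so a partly encrypted image shows where the
    opaque regions start."""
    return [(off, classify(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


# Constructed samples: a 'plain' image of repetitive code-like words plus text,
# and an 'opaque' one of pseudo-random bytes standing in for encrypted data.
PLAIN_SAMPLE = b"\x00\x00\xa0\xe1" * 8192 + b"AlchemyData\x00" * 512
_rng = random.Random(1)
OPAQUE_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(65536))
```

A 'mixed' verdict on a whole file is the cue to run `summarize` and look at the per-chunk results; an image with plain code groups next to encrypted ones will still rip partially.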

USB file transfer
This also depends on the manufacturer, but these kinds of phones usually show up as a mass storage device when plugged into a computer.

= Motorola =

Note that although 64-bit Motorola P2K drivers exist, P2K software (i.e. P2Kman, P2KCommander, and P2KTools) seems to be most stable on Windows XP.

P2K Patriot/Neptune LT
The code groups of old-style Motorola flash files are stored with what appears to be DES encryption.

Here are some examples of 64-bit DES blocks alongside the original data they correspond to:

DES block                  Original data
29 C3 4B 32 38 0C D1 66    00 00 00 00 00 00 00 00
BF 54 9E D0 44 EA 11 A9    00 00 01 02 03 FF 00 03
EF C8 3D 16 ED 47 46 A3    55 7E 03 12 E0 7F 01 00
17 06 E9 01 8E E2 75 4E    00 11 01 D8 4C 11 03 FF
EC 7A D5 2F 64 DD 66 A1    FF FF FF FF FF FF FF FF
01 8A 16 0D 7D 41 D2 F8    FF 10 01 00 00 10 32 D4
6B 48 7F 0D 85 95 B5 F0    FF 10 00 80 00 10 00 DF
2D FA 3C D6 69 2F 07 08    FF 10 32 B4 28 10 38 FF
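One observation that follows from the table: the all-zero and all-FF plaintext blocks, which firmware is full of, each map to one fixed 8-byte ciphertext, so a code group encrypted this way can be recognised by counting repeated 8-byte blocks. The script below is an added example (not part of the P2K tools) that does exactly that, using the pairs from the table above; the sample code group is constructed from them.

```python
"""Spot block-cipher (ECB-style) encryption in a Motorola code group by
counting repeated 8-byte blocks.

Added example, not from the P2K tools. DES encrypts 8-byte blocks; when the
same plaintext block always gives the same ciphertext block (ECB mode), the
padding values firmware is full of (all 0x00, all 0xFF) show up as a few
8-byte values repeating far more often than chance. The pairs are the ones
listed in the table above; the sample code group is constructed from them."""
from collections import Counter

BLOCK = 8

# (encrypted block, original block) pairs from the table above
PAIRS = [(bytes.fromhex(c), bytes.fromhex(p)) for c, p in [
    ("29C34B32380CD166", "0000000000000000"),
    ("BF549ED044EA11A9", "00000102 03FF0003".replace(" ", "")),
    ("EFC83D16ED4746A3", "557E0312E07F0100"),
    ("1706E9018EE2754E", "001101D84C1103FF"),
    ("EC7AD52F64DD66A1", "FFFFFFFFFFFFFFFF"),
    ("018A160D7D41D2F8", "FF10010000103 2D4".replace(" ", "")),
    ("6B487F0D8595B5F0", "FF10008000100 0DF".replace(" ", "")),
    ("2DFA3CD6692F0708", "FF1032B4281038FF"),
]]
KNOWN = dict(PAIRS)   # ciphertext block -> plaintext block, where the table knows it


def block_histogram(data: bytes, size: int = BLOCK) -> Counter:
    """Count each aligned size-byte block in the region."""
    return Counter(data[i:i + size] for i in range(0, len(data) - size + 1, size))


def repeat_ratio(data: bytes, size: int = BLOCK) -> float:
    """Fraction of blocks that duplicate an earlier block. Random data or a
    chained cipher mode gives ~0; ECB over padded firmware gives a clearly
    positive value."""
    hist = block_histogram(data, size)
    total = sum(hist.values())
    return 0.0 if total == 0 else (total - len(hist)) / total


def annotate(data: bytes, size: int = BLOCK, top: int = 3):
    """Most common blocks as (hex, count, original hex or None)."""
    return [(blk.hex(), n, KNOWN[blk].hex() if blk in KNOWN else None)
            for blk, n in block_histogram(data, size).most_common(top)]


# Constructed code group: a run of encrypted zero padding, some distinct
# blocks, a run of encrypted 0xFF padding, then more distinct blocks.
ZERO_CT, FF_CT = PAIRS[0][0], PAIRS[4][0]
SAMPLE_GROUP = (ZERO_CT * 10
                + b"".join(c for c, _ in PAIRS[1:4])
                + FF_CT * 5
                + b"".join(c for c, _ in PAIRS[5:]))
```

On a real code group, a high `repeat_ratio` together with the two known padding ciphertexts topping `annotate` is a quick confirmation that the group is encrypted the way this section describes, before any attempt to locate the key material is made.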

USB file transfer
The "file system" of old-style P2K phones is one single root directory with no sub-folders. P2Kman can manage the files and seems of these phones.

P2K Neptune LTE/LTE2/3G; P2K05
The majority of Motorola P2K firmware files are in Motorola .shx format. It is a type of S-record format and can be split into code groups using SHXCodec. An alternative program that can also split SHX files into the necessary code groups is RandomSHX. This program generally seems to work when SHXCodec doesn't.

The firmware of some later P2K phones are in Motorola .sbf format, and can be split using SBF-Recalc.

The "flex file" (CG2.smg) is the file system of the phone and normally can be extracted using FlexParser04.

USB file transfer
Most common P2K phones support PC synchronization using Motorola Phone Tools, but P2KCommander and P2KTools can both be used to interface with the phone directly and modify the file system, seems, and settings.

CDMA Phones
Generally speaking, P2K tools do not work with CDMA based Motorola phones, as they use a different architecture.

Usually, RandomSHX will work fine for splitting these CDMA .shx files. SHXCodec may work as well, but generally there are enough inconsistencies between the GSM P2K and CDMA .shx files that it will give an error (such as a CRC mismatch).

USB file transfer
USB transfer between CDMA Motorola phones isn't always consistent. BitPim works best most of the time, as it's a general purpose Qualcomm CDMA phone modification tool, but sometimes certain files will be 'locked', meaning you can't save them or they are set to read only.

Certain Motorola phones do work with very specific versions of P2KCommander, such as version 4.9D. If a phone can be used with this program, it's best to use that instead, as it bypasses any 'locked' files you may encounter when using BitPim.

Note that some older Motorola CDMA devices (such as the E815) have EFS reading blocked by default. To bypass this, a specific seem in the phone needs to be edited. The method will be posted here once it is proved working.

EZX/MotoMagx
EZX was Motorola's mobile Linux OS. EZXCodec is capable of splitting the code groups of these phones' firmwares.

They will usually have several different "drives" as code groups in SquashFS format. They contain the header "hsqs" and can be extracted using 7-zip.

EZXCodec can also be used to extract filesystems from EZX phones.

= Samsung =

.s3 to .bin conversion
Firmware files downloaded from Agere-platform Samsung phones are in S-record format and can be converted to .bin with any program that converts S-record to .bin.

There are many programs that do this, but arguably the best one is sre2bin. This program is included with some versions of OptiFlash, which is an in-house tool used by Samsung to flash firmware to Agere-platform handsets.
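The S-record to BIN conversion that this section and the LG GSM (TI Calypso) section both rely on, as an added example in Python; it is not mot2bin or sre2bin. It parses S1/S2/S3 data records, verifies each record's checksum, fills gaps with 0xFF, and can swap the two bytes of every 16-bit word, which is assumed here to be what mot2bin's -w option does and why the LG section says .m0 files need it. The sample records are constructed.

```python
"""Convert a Motorola S-record file (.m0, .mot, .s3) to a raw BIN image.

Added example; it is not mot2bin or sre2bin. It parses S1/S2/S3 data
records, verifies every record checksum, lays the data into a 0xFF-filled
image that starts at the lowest address present, and can swap the two bytes
of each 16-bit word (assumed to match mot2bin's -w). Samples are constructed."""
import sys

ADDRESS_BYTES = {"1": 2, "2": 3, "3": 4}   # S1/S2/S3 carry 16/24/32-bit addresses


def parse_srec(text: str):
    """Return [(address, data)] for the data records, checking each checksum."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] != "S" or len(line) < 10 or len(line) % 2:
            raise ValueError(f"line {lineno}: not an S-record")
        count = int(line[2:4], 16)
        body = bytes.fromhex(line[4:])          # address + data + checksum
        if len(body) != count:
            raise ValueError(f"line {lineno}: byte count {count} != {len(body)}")
        payload, csum = body[:-1], body[-1]
        # checksum = one's complement of the low byte of (count + address + data)
        if (~(count + sum(payload))) & 0xFF != csum:
            raise ValueError(f"line {lineno}: checksum mismatch")
        addr_len = ADDRESS_BYTES.get(line[1])
        if addr_len is None:                    # S0 header, S5 count, S7/S8/S9 start
            continue
        records.append((int.from_bytes(payload[:addr_len], "big"), payload[addr_len:]))
    return records


def srec_to_bin(text: str, swap_words: bool = False, fill: int = 0xFF):
    """Return (image, base_address); unaddressed bytes are set to fill."""
    records = parse_srec(text)
    if not records:
        return b"", 0
    base = min(addr for addr, _ in records)
    end = max(addr + len(data) for addr, data in records)
    img = bytearray([fill]) * (end - base)
    for addr, data in records:
        img[addr - base:addr - base + len(data)] = data
    if swap_words:                              # low <-> high byte of each 16-bit word
        if len(img) % 2:
            img.append(fill)
        img[0::2], img[1::2] = img[1::2], img[0::2]
    return bytes(img), base


# Constructed sample: header, two data records with a 2-byte gap, terminator.
SAMPLE_SREC = "\n".join([
    "S00600004844521B",      # S0 header "HDR"
    "S10700100011223382",    # 4 bytes at 0x0010
    "S1050016AABB7F",        # 2 bytes at 0x0016 (0x14-0x15 get the fill byte)
    "S9030000FC",            # start address record
])


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    swap = "-w" in sys.argv[3:]
    with open(src) as f:
        image, base = srec_to_bin(f.read(), swap_words=swap)
    with open(dst, "wb") as f:
        f.write(image)
    print(f"wrote {len(image)} bytes, base address 0x{base:X}")
```

Run as `python srec2bin.py AlchemyData.m0 alchemy.bin -w` for the .m0 case or without `-w` for .mot and .s3 files; a checksum mismatch aborts the conversion rather than producing a BIN that extraction tools will misread.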

AMSS decryption
The AMSS file (usually called amss.bin, amss.mbn, apps_compressed.bin, etc.) can be decrypted using RevSkills.

File system extracting
Many firmware dumps of Qualcomm-powered Samsung phones include a .ffs file. This is usually a FAT16 disk file and can be extracted using either RevSkills or TestDisk, but the latter works more consistently.

If the filesystem is not a standard FAT16 image, it can be extracted with Samsung GeeXtractor. This program was made for older SGH-Z series phones that store everything as .bin files, but it should work fine with most newer Qualcomm Samsung feature phone firmwares as well.
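Deciding between the tools above means first checking what the image actually is. The following added example (not RevSkills', TestDisk's or 7-zip's code) parses a FAT boot sector to classify an .ffs file as FAT12/16/32 the way the FAT specification does (by cluster count, treating the "FAT16" string only as a hint), and also recognises the SquashFS "hsqs" superblock of the EZX/MotoMagx code groups described in the Motorola section. Both sample images are constructed.

```python
"""Identify the embedded filesystem images this guide mentions before picking
an extraction tool: a FAT12/16/32 boot sector (the .ffs files of Qualcomm
Samsung dumps) or a SquashFS superblock (the 'hsqs' drives of EZX code groups).

Added example, not RevSkills', TestDisk's or 7-zip's code. The FAT variant
is derived from the cluster count, as the FAT specification does; the type
string is only reported as a hint. Samples are constructed."""
import struct
from typing import Optional

SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_fat(img: bytes) -> Optional[dict]:
    """Return BPB facts and the FAT variant, or None if no FAT boot sector."""
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return None
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf16, _spt, _heads, _hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", img, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0:
        return None
    total = total16 or total32
    if spf16 == 0:   # FAT32 keeps its FAT size at offset 36 and its type string at 82
        spf = struct.unpack_from("<I", img, 36)[0]
        hint = img[82:90]
    else:
        spf = spf16
        hint = img[54:62]
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_dir_sectors)
    if total == 0 or data_sectors <= 0:
        return None
    clusters = data_sectors // spc
    variant = "fat12" if clusters < 4085 else "fat16" if clusters < 65525 else "fat32"
    return {"type": variant, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "clusters": clusters, "type_hint": hint.decode("ascii", "replace").strip()}


def parse_squashfs(img: bytes) -> Optional[dict]:
    """Return superblock facts for a little-endian SquashFS image, else None."""
    if len(img) < 96 or img[:4] != b"hsqs":
        return None
    (_inodes, _mtime, block_size, _frags, comp, block_log, _flags, _ids,
     major, minor) = struct.unpack_from("<IIIIHHHHHH", img, 4)
    if block_size != 1 << block_log:   # inconsistent fields: not a real superblock
        return None
    return {"type": "squashfs", "version": f"{major}.{minor}",
            "compressor": SQUASHFS_COMPRESSORS.get(comp, f"unknown({comp})"),
            "block_size": block_size}


def identify(img: bytes) -> str:
    """'fat12'/'fat16'/'fat32'/'squashfs', or 'unknown'."""
    info = parse_squashfs(img) or parse_fat(img)
    return info["type"] if info else "unknown"


def _fat16_sample() -> bytes:
    """Constructed 32 MB FAT16 boot sector: 512 B/sector, 4 sectors/cluster,
    1 reserved, 2 FATs of 64 sectors, 512 root entries, 65536 sectors."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x3c\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 4, 1, 2, 512, 0, 0xF8, 64, 63, 255, 0, 65536)
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


FAT16_SAMPLE = _fat16_sample()
# Constructed SquashFS 4.0 superblock: 10 inodes, 128 KiB blocks, gzip.
SQUASHFS_SAMPLE = struct.pack("<4sIIIIHHHHHH", b"hsqs", 10, 0, 131072, 0,
                              1, 17, 0, 1, 4, 0).ljust(96, b"\0")
```

A 'fat16' answer points at RevSkills or TestDisk; 'unknown' on an .ffs file is the case where Samsung GeeXtractor is the better bet, and 'squashfs' means 7-zip will open the code group directly.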

Samsung GeeXtractor can also extract the content of most .rc1 files.

Firmware Editing
There are a few tools that work very well with one another to edit older Samsung phone firmware. Those programs being FWEditor, Image Search Editor, and ResMan.

FWEditor can be used to find raw bitmap images in firmware. It gives the appropriate hex location of whatever you're looking at, and this can be put inside of a ResMan .rxt file. Its one main advantage over Image Search Editor is that it can display 09-compressed images.

Image Search Editor also can be used to find raw bitmap images, and it's generally better to use when compared to FWeditor as it has more bit-per-pixel and color palette settings, and scrolling through firmware takes much less time. You can also instantly save what you are looking at to a .bmp without having to take and crop a screenshot.

ResMan can also open .tfs files and convert .icn and .ifg files to .bmp format. For newer Samsung phones, it's better to use a different program.

Making .RXT files for ResMan

IFG Images
As stated in the previous section, ResMan can view .tfs files and extract/convert .icn and .ifg files to .bmp format.

There are 2 programs that are better suited for this and can run on modern versions of Windows, those tools being TFS_Res and IFG_RW. IFG_RW is useful for batch converting .ifg to .bmp, and it also has a feature called "Search IFG in firmware" where it does a Multiextractor-like scan for .ifg files, and outputs them to a folder. From there you can batch convert them to .bmp (although it seems to have problems if there are more than 4000 .ifg files in a single folder).

TFS_Res is used for extracting the contents of .tfs files.

USB file transfer
For GSM phones, you can use Samsung PC Studio PIM & File Manager. Just find the appropriate port number, select it in the program, and it will automatically load whatever it can.

Samsung New PC Studio exists too, but only works on modern Windows with modifications to system files. If you really want to run NPS on Windows 8 and above, you need to replace Flash.ocx in "C:\Windows\SysWOW64\Macromed\Flash" with the same file copied from 64-bit Windows 7.

For CDMA phones, Revskills usually works well. Some phones may require you to enter the SP code, MSL, or both in order to access the EFS, though.

= Ericsson/Sony Ericsson =

Ericsson R320s OS
Ericsson phones since the R320s, up until the Sony Ericsson Z600 or so, are based on the same core OS. The main firmware and GDFS files are in .sbn format. Currently, the only tool to deal with .sbn files is wackypack's sbn2bin Python program.

USB PIM/file transfer
Most Ericsson R320s-based phones support some form of serial communication. The DCU-11 cable or DSS-25 docking station can be used to interface with the phone's serial connection over USB. Note that the DCU-11 cable cannot be used to modify the phone's flash files unless the cable itself is modified.

floAt's Mobile Agent can be used for PIM features and to send files to Ericsson platform phones.