The Nokia Firmware File-Format

[writz]

Seems there exists some confusion here...
The CORE is the fw file (the .fpsx file)
It contains: BootLoader + ROM + ROFS1 + OtherStuffThatIDon'tKnow
So, it makes no sense to ask if a file is contained in the CORE or in the ROFS1... Maybe you mean ROM or ROFS1?

Yes I meant ROM[not CORE]

In any case, if it has iFileAddress = 0xFFFFFFFF you MUST hide it regardless if it is contained in the ROM or in the ROFS1.
Otherwise, if you don't hide it, it will be visible on the device (and will be taken in consideration by the OS of course) while, when using the original fw, that file will not be visible in the device.

I am transferring all the files from rofs1 to rofs2.....OK..
But When I transfer all the files,all the stubs and the other Resource...etc files comes to the rofs2.....So NC will use "data=" command for them......but As of the original rofs2....the files from the rofs1 are hidden by the iFileAddress......And while Repack RofsBuild will show error of Duplicate Entry.....
So will I hide it or Not hide it.......
Or Will I have to left that file in the ROFS1......

[writz]

Is it needed to Unlock rofs1[Rofs Calibration] before editing partition info?
If yes how to do it?
Means.......What Values to Use.....
I am Using :
ROFS1 : 2C
ROFS2 : 2B
ROFS3 : 2B


Will it work?

EDIT :
Used :
ROFS1 : 2C
ROFS2 : 2A
ROFS3 : 2A
Successful!

[kamy_wfa]

thank for your support

[rem_dm]

Hi,
if you can manage to edit rom [not rofs] size or disable rom modification checking in the core header (checked by flashing softz and phone) just like what had done for rofs1 editing or the old pnht method for trimming rofs1 from core and making rofs2 large enough (110mb) used for numerous cfw and n97/c6 porting in case of nokia 5800/5530... then there would be a very good news that I had created/edited Rom image (not rofs) a long time ago....but didn't checked flashing as there were other porting projects.
it would open a new door to customize rom (for clarity not just the editable rofs images these days but rom image also like i8910hd omnia ) image in the core to be modded.

anything that I experimented and found about the firmware (rofs/rom or core) will share with you in future...
I just don't have much time besides my studies now a days

there is no danger associated with the rom image testing even if something goes wrong it can be dead usb flashable cause the bootloader is on the upper section of the rom section of core image.I will share my findings as much as possible in the next couple of days.As I don't have time to experiment with those anymore then those would be a wast if not shared

[dawidk09]

rem_dm
welcome back:) good to see you again:)

[vizhigal]

Quote

EDIT :
Used :
ROFS1 : 2C
ROFS2 : 2A
ROFS3 : 2A
Successful!

Un quote

Below is the details of the partition table first line using some tools and some core files.

5401170E 000300D3 8A010000 04000008 00006C00  OFW core file ( RM-356 )
5401170E 00030059 97010000 04000008 0000D900  BINh core file

5401170E 000300D3 8A010000 04000008 00006C00  OFW core file ( RM-356 )
5401170E 0003006B 45010000 04000008 00001900  YBBKF core file ( RM-356 )

5401170E 000300D3 8A010000 04000008 00006C00  OFW core file ( RM-356 )
5401170E 00030049 91010000 04000008 0000EF00  CERT-CHECK TOOL


5401170E 000300D3 8A010000 04000008 00006C00  OFW core file ( RM-356 )
5401170E 0003004A 90010000 04000008 0000EF00  PNHT core file ( RM-356 )

5401170E 000300D3 8A010000 04000008 00006C00  OFW core file ( RM-356 )
5401170E 000300D3 8B010000 04000008 00006D00  DOCTORLY TOOL ( All 2A options )
5401170E 000300D3 8D010000 04000008 00006900  DOCTORLY  TOOL ( All 2B options )
5401170E 000300D3 8A010000 04000008 00006B00  DOCtorly-TOOL (All 2C options )


You may notice that the changes are taking place in 9th and 19 th byte when the sector is changing.


@ Socio

Please explain  how the changes effected in the core partition table when we change the sectors A,B & C

[Il.Socio]

I am transferring all the files from rofs1 to rofs2.....OK..
But When I transfer all the files,all the stubs and the other Resource...etc files comes to the rofs2.....So NC will use "data=" command for them......but As of the original rofs2....the files from the rofs1 are hidden by the iFileAddress......And while Repack RofsBuild will show error of Duplicate Entry.....
So will I hide it or Not hide it.......
Or Will I have to left that file in the ROFS1......

Interesting question...
The safest way is to left these files in the ROFS1 and not move them to the ROFS2, so will be properly hidden when you rebuild the ROFS1.

the ContentChecksum 0x0102 is computed as follow:
the 0x01 is the LRC of the odd bytes of the content
the 0x02 is the LRC of the pair bytes of the content

could you provide some small example for how those two words can be calculated, i'm getting confused about LRC of the odd bytes and LRC of the pair bytes of content

LRC: http://en.wikipedia.org/wiki/Longitudinal_redundancy_check

Let's suppose we have these contents bytes: 78 AB 29 11 22
LRC of the odd bytes = 78 ^ 29 ^ 22 = 73
LRC of the pair bytes = AB ^ 11 = BA
ContentChecksum = 0x73BA

if you can manage to edit rom [not rofs] size or disable rom modification checking in the core header (checked by flashing softz and phone)

To be honest, I don't think it will be possible because much probably, it is protected with RSA1024 digital signature, but at least I would like to understand:
1) where is located the digital signature.
2) where stats/ends the protected data
3) where is located the public key.
In order to be able to verify if the signature is valid or not.

And currently, the hardest challenge is the lack of information about the contents of the 0x5D Blocks
I'm trying to collect some new info, but it is a long task and got poor results for now.

I had created/edited Rom image (not rofs) a long time ago....

I did it too only need to integrate the RP+ engine in NC.
Thank you anyway for your offer, it is really appreciated!
And it is really hard to find someone who wants to contribute to this project... you're one in a million!

5401170E 00030049 91010000 04000008 0000EF00  CERT-CHECK TOOL

I don't know this tool. Where can I find it? I'd like to give it a look...

Please explain  how the changes effected in the core partition table when we change the sectors A,B & C

For example, take a look at your post here:
http://forum.dailymobile.net/index.php?topic=55242.msg732086#msg732086
534F532B524F4653 31000000 00001007 0000FE01  000000000000000000000000  SOS+ROFS1
ROFS1 has 2B value and if you change it to 2C it will became:
534F532C524F4653 31000000 00001007 0000FE01  000000000000000000000000  SOS,ROFS1

If you wanted to ask why that change removes the protection, unfortunately, the truth is that I don't know why... (and moreover, I don't know if it can bring some side-effects)
I also asked the same question to doctorly, but he don't know it either, he just implemented some stuff that has been discovered by others.
Seems that some other chinese guy discovered it and probably he has a better knowledge on this matter, but I don't know where to find him...
It could be helpful if we could find that guy and ask him directly.

[writz]

Interesting question...
The safest way is to left these files in the ROFS1 and not move them to the ROFS2, so will be properly hidden when you rebuild the ROFS1.
LRC: http://en.wikipedia.org/wiki/Longitudinal_redundancy_check

Let's suppose we have these contents bytes: 78 AB 29 11 22
LRC of the odd bytes = 78 ^ 29 ^ 22 = 37
LRC of the pair bytes = AB ^ 11 = BA
ContentChecksum = 0x37BA
Probably, it will not be possible due to RSA1024 digital signature, but at least I would like to understand:
1) where is located the digital signature.
2) where stats/ends the protected data
3) where is located the public key.
In order to be able to verify if the signature is valid or not.

But, currently the hardest challenge is the lack of information about the contents of the 0x5D Blocks
I'm trying to collect some new info, but it is a long task and got poor results for now.
I did it too only need to integrate the RP+ engine in NC.
Thank you anyway for your offer, it is really appreciated!

I don't know this tool. Where can I find it? I'd like to give it a look...
For example, take a look at your post here:
http://forum.dailymobile.net/index.php?topic=55242.msg732086#msg732086
534F532B524F4653 31000000 00001007 0000FE01  000000000000000000000000  SOS+ROFS1
ROFS1 has 2B value and if you change it to 2C it will became:
534F532C524F4653 31000000 00001007 0000FE01  000000000000000000000000  SOS,ROFS1

If you wanted to ask why that change removes the protection, unfortunately, the truth is that I don't know why... (and moreover, I don't know if it can have some side-effects)
I also asked the same question to doctorly, but he don't know it either, he just implemented some stuff that has been discovered by others.
Seems that some other chinese guy discovered it and probably he has a better knowledge on this matter, but I don't know where to find him...
It could be helpful if we could find that guy and ask him directly.

+2[1 after 1 hour ] for everything......
But For Binh24 ROFS1 there is no other file present in the rofs1 than the credits....Confused........[I think he used Readimage]
About ReCalibration :
What change does it make if I change from 2B to 2C[other than '+' to ','].......

Let's suppose we have these contents bytes: 78 AB 29 11 22
LRC of the odd bytes = 78 ^ 29 ^ 22 = 37
LRC of the pair bytes = AB ^ 11 = BA

Will it be 73 or 37??
Not Sure!!!

[Il.Socio]

+2[1 after 1 hour ] for everything......
But For Binh24 ROFS1 there is no other file present in the rofs1 than the credits....Confused........[I think he used Readimage]

I agree with you. Probably he used ReadImage and he missed the hidden entries...
In some cases it can cause side-effects, while if you're lucky everything goes fine...

Will it be 73 or 37??
Not Sure!!!

You're right the correct value is 73... I made a typo-mistake fixed now.

[kamy_wfa]

@Socio

special thank for your explanation in checksum calculation

i have some questions with the structure of header of rm645_061.005_prd.core.fpsx; could you please provide some clues to explore the meaning of this header structure.

i attached screen_shots and also for txt file format contain this header (black_color part)


BRs
kamy

[Il.Socio]

b2 signature
00 00 01 eb header size
00 00 00 12 maybe_qty_tlv_fields
Other bytes are TLV fields:
http://en.wikipedia.org/wiki/Type-length-value
The ATF logs will help you a lot to properly parse these fields.

[kamy_wfa]

@Socio
could you please give me the clues to calculate:

 - 00 00 00 12 maybe_qty_tlv_fields

can i know the structure of TLV fields and how can these fields be built up from the firmware (this case is MCU)

below is the log of ATF, if you don't mind please take a little time to take some notes on each fields of logs.

all my appreciation for your help

kamy

Number of Image Files: 4

Processing Image File :
 rm645_061.005_prd.core.fpsx
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed    : 650000Hz
Algorithm Sending Speed    : 6500000Hz
Program Sending Speed      : 13000000Hz
Message Reading Speed      : 98000Hz
Number of Blocks :  435
Entry Point:  0x01F0
Page Format : -1
MAX PAGE : 0x00040000

Processing Image File :
 rm645_061.005_01.01_Euro1_prd.rofs2.fpsx
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed    : 650000Hz
Algorithm Sending Speed    : 6500000Hz
Program Sending Speed      : 13000000Hz
Message Reading Speed      : 98000Hz
Number of Blocks :  180
Entry Point:  0x00F5
Page Format : -1
MAX PAGE : 0x00040000

Processing Image File :
 rm645_061.005_C00.01_DEFAULT_prd.rofs3.fpsx
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed    : 650000Hz
Algorithm Sending Speed    : 6500000Hz
Program Sending Speed      : 13000000Hz
Message Reading Speed      : 98000Hz
Number of Blocks :  5
Entry Point:  0x00F5
Page Format : -1
MAX PAGE : 0x00000E00

Processing Image File :
 rm645_061.005_U000.000_prd.uda.fpsx
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed    : 650000Hz
Algorithm Sending Speed    : 6500000Hz
Program Sending Speed      : 13000000Hz
Message Reading Speed      : 98000Hz
Number of Blocks :  8
Entry Point:  0x00F5
Page Format : -1
MAX PAGE : 0x00040000



AUTO SELECTED DEAD USB FLASHING...

 If Flashing DOES NOT Start in 5 Seconds,
 Then Perform Steps 1, 2, 3 and 4...

1. Remove USB and Battery...
2. Insert USB.
3. Insert Battery. (Some phones boot automatically)
4. Please Power on phone shortly...

AdvanceFBox SendBootCodeEx
InitialiseBootstrap_DCT5 DIR
BootFlashMode_DCT5
 Cant verify BootRom!
AdvanceFBox SendBootCodeEx
InitialiseBootstrap_DCT5 DIR
BootFlashMode_DCT5
 BootRom Verified!

BootFlashModeDCT5Ex Succeded After 2 Tries
SYSTEM_ID_RESPONSE_BB5 (0xC0) - 0  (0x00) bytes returned
Number of Sub Blocks 7 (0x07)
  1  SYSTEM_ASIC_ID 01
     Block Length  : 21  (15)
     BB ASIC Index : 0  (00)  CMT
     ID DWORD    0 : 00000003
     ID DWORD    1 : 00000226
     ID DWORD    2 : 00010007
     ID DWORD    3 : 600C1921
     ID DWORD    4 : 02031104
  2  ROM_ID 15
     Block Length  : 5  (05)
     BB ASIC Index : 0  (00)  CMT
     ID DWORD    0 : 00000C35
  3  ROM_ID 15
     Block Length  : 5  (05)
     BB ASIC Index : 0  (00)  CMT
     ID DWORD    0 : 00000C30
  4  PUBLIC_ID 12
     Block Length  : 21  (15)
     BB ASIC Index : 0  (00)  CMT
     ID DWORD    0 : 0AC00116
     ID DWORD    1 : 56DA0344
     ID DWORD    2 : 08ADD8EB
     ID DWORD    3 : B271E711
     ID DWORD    4 : 0ED2952E
  5  ASIC_MODE_ID 13
     Block Length  : 2  (02)
     BB ASIC Index : 0  (00)  CMT
     Mode Id       : 00
  6  ROOT_KEY_HASH 14
     Block Length  : 17  (11)
     BB ASIC Index : 0  (00)  CMT
     Hash          :  91 6F 75 21 7F 32 08 12 48 B1 5C 38 DF C8 E8 1B
  7  ROM_ID 15
     Block Length  : 9  (09)
     BB ASIC Index : 0  (00)  CMT
     CRC         0 : E693EF0D
     CRC         1 : AC22615B

 START FLASHING
RawLoaderExtract: rm645_061.005_prd.core.fpsx
CMT Secondary Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\RAPUv11_2nd.fg
Secondary Loader Sent....

MCU_CONFIGURATION_RESPONSE_BB5:
 MessageID  : C1
 SubBlocks  : 06
 1 Sub Block ID      : 10  STORAGE_DEVICE_ID_BB5
   Block Length      : 0B
   BB ASIC Index     : CMT  00
   Device Type       : RAM  05
   Device Index      : 00
   Manufacturer Code : 0000 -> Flash
   Device ID         : 0000 -> not detected
   Extended/Fixed ID : 0000
   Revision ID       : 0000
 2 Sub Block ID      : 10  STORAGE_DEVICE_ID_BB5
   Block Length      : 0B
   BB ASIC Index     : CMT  00
   Device Type       : MMC  04
   Device Index      : 00
   Manufacturer Code : FFFF -> Flash
   Device ID         : 0000 -> BAD FLASH TYPE
   Extended/Fixed ID : 0000
   Revision ID       : 0000
 3 Sub Block ID      : 10  STORAGE_DEVICE_ID_BB5
   Block Length      : 0B
   BB ASIC Index     : CMT  00
   Device Type       : NOR  00
   Device Index      : 00
   Manufacturer Code : 0020 ->
   Device ID         : 0040 -> Type not in database
   Extended/Fixed ID : 0000
   Revision ID       : 0031
 4 Sub Block ID      : 10  STORAGE_DEVICE_ID_BB5
   Block Length      : 0B
   BB ASIC Index     : CMT  00
   Device Type       : NOR  00
   Device Index      : 01
   Manufacturer Code : 0000 -> SPANSION
   Device ID         : 0001 -> not used
   Extended/Fixed ID : 0000
   Revision ID       : 0000
 5 Sub Block ID      : 10  STORAGE_DEVICE_ID_BB5
   Block Length      : 0B
   BB ASIC Index     : CMT  00
   Device Type       : MuxOneNAND  03
   Device Index      : 00
   Manufacturer Code : 0020 ->
   Device ID         : 0040 -> Type not in database
   Extended/Fixed ID : 0000
   Revision ID       : 0031
 6 Sub Block ID      : 35  NAND_DRIVER_VERSION_BB5
   Block Length      : 09
   BB ASIC Index     : CMT  00
   Data              :

SearchForBootstrap_DCT5  : No Error - 0 (0x00)
Flash Descriptor
   Manufacturer Code : 0020
   Device ID         : 0040
   Extended/Fixed ID : 0000
   Revision ID       : 0000
   Size              : 10000000 (256 MB)
   VPP Info          : 0000
   Erase10s          : 1E
   Block1s           : 32
   BErase1s          : 02
   Reserved0         : 00
   Reserved1         : 00
   Reserved2         : 00

CMT Algorithm Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\RAPUv11_XSR17_alg.fg
Algorithm Loader Sent...

FUR_Control_AddClient_BB5() ASIC_INDEX_CMT (Ready)
FUR control Ok

 START READING RPL DATA
IMEI: 357409047150281
Reading : NPC... OK!
Reading : CCC... OK!
Reading : HWC... OK!
Reading : R&D... OK!
RPL Backup was Successful...
 Plain RPL saved to:
 C:\AdvanceBox Turbo Flasher\Nokia\Backup\357409047150281\357409047150281_105610.rpl

Pabub KEY Request
PhoneInfoRequest_BB5 (Asic Index 00 )
PHONE_INFO_RESPONSE_BB5
  PAPUB_KEYS_HASH_RESP_BB5 2A
    BB Asic Index   : 00
CMT PAPUBKEYS HASH:
 D7D05CFC982BF1491F4BE3FE0F28D3016DA5E057
ImagePath: D:\NOKIA project\FIRMWARE\C5-rm645_061.005\
ImageFilename: rm645_061.005_prd.core.fpsx
Read Type : FIASCO_BB5_DO_NOT_READ_CERTIFICATE (01)
Sending STORE_CERTIFICATE_REQUEST_BB5 (CMT  00 only)
Certificate 1
  Name        : NPC
  ASIC Index  : CMT  0
Certificate 2
  Name        : CCC
  ASIC Index  : CMT  0
Certificate 3
  Name        : HWC
  ASIC Index  : CMT  0
Certificate 4
  Name        : R&D
  ASIC Index  : CMT  0
STORE_CERTIFICATE_REQUEST_BB5 : 61 04 2B 0D 4E 50 43 00 00 00 00 00 00 00 00 00 00 2B 0D 43 43 43 00 00 00 00 00 00 00 00 00 00 2B 0D 48 57 43 00 00 00 00 00 00 00 00 00 00 2B 0D 52 26 44 00 00 00 00 00 00 00 00 00 00 D3
STORE_CERTIFICATE_REQUEST_BB5 : No Error - 0 (0x00)
ProcessPartitionInfo_DCT5...
Partition Info
    Partition Blocks :   1
     1   PARTITION_INFO_BB5
            BB ASIC Index     : 0x00 CMT
            Device Type       : 0x03 MuxOneNAND
            Device Index      : 0x00
            Partition Version : 00020000
            Spare             : FFFFFFFF
            Num Partitions    : 00000004
            Partition    1
              ID              : 00000003  COPIEDOS
              Attribute       : 00000002  RO
              Start Address   : 000A0000
              Size            : 030A0000
            Partition    2
              ID              : 00000004  DEMANDONOS
              Attribute       : 00000002  RO
              Start Address   : 03140000
              Size            : 07D00000
            Partition    3
              ID              : 00000008  FILESYSTEM
              Attribute       : 00000001  RW
              Start Address   : 0AE40000
              Size            : 04800000
            Partition    4
              ID              : 0000000A  PMM
              Attribute       : 00000001  RW
              Start Address   : 0F640000
              Size            : 003C0000
PARTITION_INFO_REQUEST_BB5 : 64012F4F00030000020000FFFFFFFF000000040000000300000002000A0000030A000000000004000000020314000007D0000000000008000000010AE40000048000000000000A000000010F640000003C000036
PARTITION_INFO_REQUEST_BB5 : No Error - 0 (0x00)
ProcessPartitionInfo_DCT5 : No Error - 0 (0x00)
StartErase_DCT5...
BlockLength  :  0x4F  (79)
ERASE Blocks :  0x02  (2)
     0   ERASE_AREA_BB5 0x12
            Block Length     : 0x1B (27)
            BB ASIC Index    : 0x00 CMT
            Device Type      : 0x03 MuxOneNAND
            Device Index     : 0x00
               0             : 00020000-0003FFFF
               1             : 00060000-004DFFFF
               2             : 008E0000-0AE3FFFF
     1   FORMAT_PARTITION_BB5 0x19
            Block Length     : 0x2F (47)
            BB ASIC Index    : 0x00 CMT
            Device Type      : 0x03 MuxOneNAND
            Device Index     : 0x00
            Format Info ID   : 0x02000000
            Format Info      : 000000000000000A0000000000000002000000640000000B00000002000000010000000000000000

ERASE_REQUEST_BB5 : 5003120B000300000200000003FFFF120B00030000060000004DFFFF120B000300008E00000AE3FFFFCF

FORMAT_REQUEST_BB5 : 5001192F00030000000002000000000000000A0000000000000002000000640000000B0000000200000001000000000000000033

Successfully erased..
Total blocks to write : 435
>>  CMT Rootkey Hash CERT : ADA
>>  CMT Rootkey Hash CERT : KEYS
>>  CMT Rootkey Hash CERT : PRIMAPP
>>  CMT Rootkey Hash CERT : RAP3NAND
>>  CMT Rootkey Hash CERT : SOS+PMML
>>  CMT Rootkey Hash CERT : PASUBTOC
>>  CMT Rootkey Hash CERT : PAPUBKEYS
>>  CMT Rootkey Hash CERT : GENIO_INIT
>>  CMT Rootkey Hash CERT : SOS*UPDAPP
>>  CMT Rootkey Hash CERT : SOS*DSP0
>>  CMT Rootkey Hash CERT : LDSP
>>  CMT Rootkey Hash CERT : SOS*ISASW
>>  CMT Rootkey Hash CERT : SOS+CORE
>>  CMT Rootkey Hash CERT : SOS+ROFS1
ImagePath: D:\NOKIA project\FIRMWARE\C5-rm645_061.005\
ImageFilename: rm645_061.005_01.01_Euro1_prd.rofs2.fpsx
StartErase_DCT5...
BlockLength  :  0x0E  (14)
ERASE Blocks :  0x01  (1)
     0   ERASE_AREA_BB5 0x12
            Block Length     : 0x0B (11)
            BB ASIC Index    : 0x00 CMT
            Device Type      : 0x03 MuxOneNAND
            Device Index     : 0x00
               0             : 06D40000-0A03FFFF

ERASE_REQUEST_BB5 : 5001120B00030006D400000A03FFFFF9

Successfully erased..
Total blocks to write : 180
>>  CMT Rootkey Hash CERT : SOS+ROFS2
ImagePath: D:\NOKIA project\FIRMWARE\C5-rm645_061.005\
ImageFilename: rm645_061.005_C00.01_DEFAULT_prd.rofs3.fpsx
StartErase_DCT5...
BlockLength  :  0x0E  (14)
ERASE Blocks :  0x01  (1)
     0   ERASE_AREA_BB5 0x12
            Block Length     : 0x0B (11)
            BB ASIC Index    : 0x00 CMT
            Device Type      : 0x03 MuxOneNAND
            Device Index     : 0x00
               0             : 0A040000-0AE3FFFF

ERASE_REQUEST_BB5 : 5001120B0003000A0400000AE3FFFFE5

Successfully erased..
Total blocks to write : 5
>>  CMT Rootkey Hash CERT : SOS+ROFS3
ImagePath: D:\NOKIA project\FIRMWARE\C5-rm645_061.005\
ImageFilename: rm645_061.005_U000.000_prd.uda.fpsx
StartErase_DCT5...
BlockLength  :  0x0E  (14)
ERASE Blocks :  0x01  (1)
     0   ERASE_AREA_BB5 0x12
            Block Length     : 0x0B (11)
            BB ASIC Index    : 0x00 CMT
            Device Type      : 0x03 MuxOneNAND
            Device Index     : 0x00
               0             : 0AE40000-0F63FFFF

ERASE_REQUEST_BB5 : 5001120B0003000AE400000F63FFFF80

Successfully erased..
Total blocks to write : 8
ContinueFlash_DCT5 Complete
Continue Flash Complete :  : No Error - 0 (0x00)
Status_BB5 STATUS_REQUEST_BB5..
1  Sub Block ID      : 15 STATUS_NAND_OK_BB5
          Block Length      :  0F
          BB ASIC Index     :  00
          Device Type       :  03
          Device Type       :  00
          Num Bad Blocks    :  00000001
          Additional Bad    :  00000001
          Correctable ECC   :  00000000
FlashInfo.RestartMode : 1

Flashing Done...
Total Flashing Time (Erase + Flashing) : 00:00:18
(Booting time is NOT Included)

Waiting for Phone to Start-Up..(Max 150 seconds)

Elapsed Time: 5 Seconds...
Elapsed Time: 10 Seconds...
Elapsed Time: 15 Seconds...
Elapsed Time: 20 Seconds...
Elapsed Time: 25 Seconds...
Elapsed Time: 30 Seconds...
Elapsed Time: 35 Seconds...
Elapsed Time: 40 Seconds...
Elapsed Time: 45 Seconds...
Elapsed Time: 50 Seconds...
Elapsed Time: 55 Seconds...
Elapsed Time: 60 Seconds...
Elapsed Time: 65 Seconds...
Elapsed Time: 70 Seconds...
Elapsed Time: 75 Seconds...
Elapsed Time: 80 Seconds...
Elapsed Time: 85 Seconds...
Elapsed Time: 90 Seconds...
Elapsed Time: 95 Seconds...
Elapsed Time: 100 Seconds...
Elapsed Time: 105 Seconds...
Elapsed Time: 110 Seconds...
Elapsed Time: 115 Seconds...
Elapsed Time: 120 Seconds...
Elapsed Time: 125 Seconds...
Elapsed Time: 130 Seconds...
Elapsed Time: 135 Seconds...
Elapsed Time: 140 Seconds...
Elapsed Time: 145 Seconds...
Elapsed Time: 150 Seconds...


 WARNING: Phone is not in the Required Mode...
 Disconnect the Phone and Power it Up Manually.

[Il.Socio]

could you please give me the clues to calculate:
 - 00 00 00 12 maybe_qty_tlv_fields

that "maybe", means that I'm not sure it is the quantity of the TLV fields...
I guess it is, but I still have some parsing problems for some headers.
So maybe it is, and maybe it isn't.

can i know the structure of TLV fields and how can these fields be built up from the firmware (this case is MCU)

That's the reason because I gave you the wiki link... you need to read it to know what is a TLV field, so it should be obvious how you can read it from the firmware.

below is the log of ATF, if you don't mind please take a little time to take some notes on each fields of logs.

That work is up to you.
I'm available to share my knowledge on the firmware file format, but this is not a teaching course from zero to hero...
By using the informations provided, any developer should be able to read most of the TLV fields from the header without any problems.

These are the Types I found:
        ERASE_AREA_BB5 = 0x12,
        FORMAT_PARTITION_BB5 = 0x19,
        PARTITION_INFO_BB5 = 0x2F,
        CMT_Type = 0xC2,
        CMT_Algo = 0xC3,
        ERASE_DCT5 = 0xC8,
        SecondarySendingSpeed = 0xCD,
        AlgoSendingSpeed = 0xCE,
        ProgramSendingSpeed = 0xCF,
        MessageReadingSpeed = 0xD1,
        CMT_SupportedHW = 0xD4,
        APE_SupportedHW = 0xE1,
        APE_Phone_Type = 0xE7,
        APE_Algorithm = 0xE8,
        Descr = 0xF4


Btw, if you didn't yet developed any tool using a file-format-specification, I strongly suggest you to start with some easier file-format and well-documented...

[kamy_wfa]

@Socio,

thanks for your patience in my novice questions, i will drill down more but no hope becoming a symbian developer  ;
a kid need some time to grow up.

kamy

[kamy_wfa]

@Socio

could you please pay attention to address 0x15C

4F02121B000300000200000003FFFF00060000004DFFFF008E00000AE3FFFF192F00030000000002000000000000000A0000000000000002000000640000000B00000002000000010000000000000000ED35014E504300000000000000000000434343000000000000000000004857430000000000000000000052264400000000000000000000F60300001CF706000001B203FF

i tried many times for reading TLV but still can not understand them, any clues for this section please

BRs
kamy