universal bootloader 1.0 decrypted

ady
04-05-2006, 08:15 PM
After banging my head with the update utility and a bootsplash-stuck Universal for like hours, I did decrypt the bootloader 1.0... Will do some reverse engineering and post what I find... :lol:




Update: decrypted Bootloader 1.0 is attached...

peter_altherr
04-05-2006, 08:22 PM
ady,

if this is true... congratulations!!!

you may want to share your knowledge with buzz and the other specialists ;-)


have a good success

peter

buzz_lightyear
04-05-2006, 09:36 PM
hi ady,
GREAT!
could you please tell me how you did it?

thanx
buzz

ady
04-05-2006, 09:56 PM
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later

buzz_lightyear
04-05-2006, 10:16 PM
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
very interesting approach... :o)))

buzz

ady
04-05-2006, 10:50 PM
Thanx buzz.

something which I observed earlier while looking at the string table:

It has multilevel password protection and the password for each level, i.e. update, erase, dump, debug, is calculated at runtime.
Moreover the access level resets to lowest after a certain time, which makes it almost unhackable.
There are strings related to CID, meaning there might be a method to change CID.

ady
05-05-2006, 10:07 AM
Updated the first post to attach the decrypted bootloader 1.0 for those who are interested.


Also I successfully flashed the 1.0 bootloader on a device which was previously updated with 1.01...


Of course it was after hacking the RUU.dll. By default it doesn't let you update to an older bootloader.

Rymez2K
05-05-2006, 11:31 AM
ady, I have been looking at the bootloader of the Prophet and the interaction between the romupdate utility and the phone with a software logic analyzer, which has revealed a lot of information including the commands that romupdate runs while upgrading the ROM.
I am in the process of compiling a list of bootloader commands which may be useful.
Did you dump the commands while downgrading the bootloader?
Pete

ady
05-05-2006, 12:31 PM
You can find a list of commands very easily. Just look at the string table. However, not all commands are allowed and that is the challenge.

Rymez2K
05-05-2006, 02:26 PM
Some commands do not appear to be secured correctly.
For example the rbmc command.
If I run it without a password it says "no permission"; enter any password and then it will run fine.
The password issued by the romupdate tool seems to be based partly upon the results of the info 2 command, as far as I can tell.
The main command I am struggling to figure out is the r2sd command, which reads a key/password from the SD card.
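The two observations above (per-level passwords computed at runtime with an access level that drops back after a timeout, and a command whose handler reports "no permission" yet still runs) describe one design decision: whether the permission gate sits once in the dispatcher or is repeated in every handler. The model below is an added example, not code from this thread, from HTC or from any RUU tool; the level numbers, command names, 30-second timeout and HMAC-based password derivation are all assumptions made for the model, and the "rbmc" handler is written to reproduce the reported behaviour so the two dispatch styles can be compared side by side.

```python
"""Model of a level-gated bootloader command set with a timed access reset.

Added example, not code from the thread, from HTC, or from any RUU tool.
Level numbers, command names, the timeout and the password derivation are
assumptions chosen for the model.
"""
import hashlib
import hmac

# Assumed access levels, lowest to highest.
LEVEL_NONE, LEVEL_DUMP, LEVEL_UPDATE, LEVEL_ERASE, LEVEL_DEBUG = 0, 1, 2, 3, 4

# Assumed mapping from command name to the level it requires.
REQUIRED_LEVEL = {
    "info": LEVEL_NONE,
    "rbmc": LEVEL_DUMP,
    "wdata": LEVEL_UPDATE,
    "erase": LEVEL_ERASE,
    "debug": LEVEL_DEBUG,
}

ACCESS_TIMEOUT = 30.0  # seconds before the level falls back to LEVEL_NONE (assumed)

# Constructed device secret. In the model the per-level password is derived
# from it at runtime, standing in for the runtime calculation described above.
DEVICE_SECRET = b"constructed-device-secret"


def level_password(level: int) -> str:
    """Password for a level, derived from the device secret (model only)."""
    tag = hmac.new(DEVICE_SECRET, f"level:{level}".encode(), hashlib.sha256)
    return tag.hexdigest()[:16]


class Gate:
    """Tracks the current access level and the time it was granted."""

    def __init__(self, now: float = 0.0):
        self.level = LEVEL_NONE
        self.granted_at = now

    def current_level(self, now: float) -> int:
        # An elevated level expires: after ACCESS_TIMEOUT it drops to lowest.
        if self.level != LEVEL_NONE and now - self.granted_at >= ACCESS_TIMEOUT:
            self.level = LEVEL_NONE
        return self.level

    def password(self, level: int, candidate: str, now: float) -> bool:
        """Raise the access level if the candidate matches that level's password."""
        if hmac.compare_digest(candidate, level_password(level)):
            self.level = level
            self.granted_at = now
            return True
        return False

    def run_centralized(self, cmd: str, now: float) -> str:
        """One gate in the dispatcher: no handler runs below its level."""
        if cmd not in REQUIRED_LEVEL:
            return "unknown command"
        if self.current_level(now) < REQUIRED_LEVEL[cmd]:
            return "no permission"
        return f"{cmd}: ok"

    def run_per_handler(self, cmd: str, now: float) -> str:
        """Each handler checks on its own; one of them gets it wrong."""
        if cmd == "rbmc":
            return rbmc_handler_weak(self, now)
        return self.run_centralized(cmd, now)


def rbmc_handler_weak(gate: Gate, now: float) -> str:
    """Handler that prints the refusal but does not stop (models the rbmc
    behaviour reported in the thread)."""
    out = []
    if gate.current_level(now) < REQUIRED_LEVEL["rbmc"]:
        out.append("no permission")
    out.append("rbmc: ok")  # the work happens regardless of the check
    return " / ".join(out)


def demo() -> list:
    """Walk the gate through both dispatch styles; returns the transcript."""
    gate = Gate()
    return [
        ("central rbmc, no password", gate.run_centralized("rbmc", 0.0)),
        ("weak rbmc, no password", gate.run_per_handler("rbmc", 0.0)),
        ("wrong password", gate.password(LEVEL_DUMP, "guess", 1.0)),
        ("right password", gate.password(LEVEL_DUMP, level_password(LEVEL_DUMP), 1.0)),
        ("central rbmc at t=2", gate.run_centralized("rbmc", 2.0)),
        ("wdata at dump level", gate.run_centralized("wdata", 2.0)),
        ("central rbmc at t=40 (expired)", gate.run_centralized("rbmc", 40.0)),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

The point of the model is the contrast in `run_per_handler`: once the check is duplicated into every handler, a single handler that logs the refusal without returning defeats the whole level scheme, while the timeout in `current_level` only protects commands that actually go through the gate.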

buzz_lightyear
05-05-2006, 05:54 PM
The main command I am struggling to figure out is the r2sd command which reads a key/password from the SD Card.
hi,
did you mean d2s command?

buzz

hdubli
05-05-2006, 07:59 PM
r2sd command runs well when you have CID unlocked.. works for Prophet, Wizard and Charmer.. Typhoon

buzz_lightyear
05-05-2006, 08:53 PM
r2sd command runs well when you have CID unlocked.. works for Prophet, Wizard and Charmer.. Typhoon
;o))) I thought, this is about Universal 1.00 bootloader...

buzz

mamaich
06-05-2006, 01:00 AM
According to some source of information there are 2 types of Universal. One with G3 and another with G4 chips. G3 bootroms have string "HW Version : 1.40h" in bootloader and its version is 1.xx, G4: "1.40j" and version numbers are 2.xx. Your ROM is for G3.
And the bootrom can be decoded from nk.nbf with the alpinenbfdecode.pl script.
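The G3/G4 rule above (the string "HW Version : 1.40h" marks a G3 bootrom with a 1.xx version, "1.40j" a G4 with a 2.xx version) is easy to apply mechanically to a decoded dump before flashing anything. The scanner below is an added example, not the thread's code or any project's tool; the regular expression, the dictionary of known strings and the sample dump it builds are constructed for the example, and a real image will contain the string among many others.

```python
"""Classify an HTC Universal bootloader dump as G3 or G4 by its HW Version string.

Added example, not code from the thread or any project. The sample dump
built by make_sample_dump() is constructed, not a real image.
"""
import re
from typing import Optional

# Matches e.g. b"HW Version : 1.40h"; the letter suffix is optional.
HW_VERSION_RE = re.compile(rb"HW Version : (\d+\.\d+[a-z]?)")

# From the post: hardware string -> chip generation -> expected major version.
CHIP_BY_HW = {b"1.40h": "G3", b"1.40j": "G4"}
EXPECTED_MAJOR = {"G3": "1", "G4": "2"}


def find_hw_version(dump: bytes) -> Optional[bytes]:
    """Return the first HW Version value found in the dump, or None."""
    m = HW_VERSION_RE.search(dump)
    return m.group(1) if m else None


def classify(dump: bytes, reported_version: Optional[str] = None) -> dict:
    """Map the HW Version string to a chip generation and, if a bootloader
    version such as "1.00" is supplied, check it has the expected major number."""
    hw = find_hw_version(dump)
    if hw is None:
        return {"hw_version": None, "chip": "unknown", "consistent": None}
    chip = CHIP_BY_HW.get(hw, "unknown")
    consistent = None
    if reported_version is not None and chip in EXPECTED_MAJOR:
        consistent = reported_version.split(".")[0] == EXPECTED_MAJOR[chip]
    return {"hw_version": hw.decode("ascii"), "chip": chip, "consistent": consistent}


def make_sample_dump(hw: bytes) -> bytes:
    """Constructed stand-in for a decoded bootloader image: padding, a few
    strings, the HW Version marker, more padding."""
    return (b"\x00" * 64 + b"SPL strings:\x00" + b"HW Version : " + hw + b"\x00"
            + b"\xff" * 32)


def scan_file(path: str, reported_version: Optional[str] = None) -> dict:
    """Classify a dump on disk."""
    with open(path, "rb") as f:
        return classify(f.read(), reported_version)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        for hw, ver in ((b"1.40h", "1.00"), (b"1.40j", "1.01")):
            print(classify(make_sample_dump(hw), ver))
```

Run it with a path to a decoded nk.nba and optionally the version string the bootloader reports; a `consistent` value of `False` means the hardware string and the version family disagree, which is worth resolving before any downgrade attempt.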

hdubli
07-05-2006, 05:21 AM
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later

If this is correct, I hope, ...the nk.nbf of the JASJAR bootloader can be decoded with the bal66 tool and one can get a .nba file. But I was not able to decode it further with the imgfs tools... it simply fails to do that....

buzz_lightyear
07-05-2006, 08:07 AM
@hdubli
bootloader image - nk.nba - is not an imgfs. you cannot use mamaich's imgfs_tools on it.

bal66's tool cannot decode bootloader nk.nbf to nk.nba either.

buzz

hdubli
08-05-2006, 04:27 AM
Attached is the file...pls check

buzz_lightyear
13-05-2006, 01:44 AM
Attached is the file...pls check
yes, that file looks to be OK...

buzz

ady
13-05-2006, 11:58 PM
another thing:

The lnb command doesn't work on 1.0 or 1.01. Another command, wdata, is used instead to update.
The difference between the two commands is that lnb needs to have an nb image, i.e. lnb lnbtemp.nb, whereas wdata transfers the image directly from host computer memory (more hack safe).