[Solved] Fix the dreaded perfect SPL.


Thyth

New member
Jul 23, 2009
4
5
you need to talk to someone with JTAG experience and they should be able to walk you through it but essentially you are going to start an update when you get one and then dump everything in the memory during the update. Thankfully if you get a brick, you'll be able to revive your device with JTAG relatively easily. I should also mention that anyone with a Magic *should* get the same keys so anyone with JTAG experience needs to try this first. I'll try to get you in contact with Geohotz and he'll be able to tell you everything you need to do.

That would be great, if you want to waste your time. The public key used to verify the signatures on the images is useless for signing our own images, unless you happen to have a quantum computer lying around. Nobody in the hardware business is stupid enough to use a symmetric key in this situation.

If you're going to mess around with JTAG, you're better off using it to dump contents of all non-volatile memory from an Ion (or other unrestricted device), extracting the SPL from that image, then using JTAG to write it onto one of these locked down devices.

Obviously, a less invasive solution would be to overwrite the restrictive SPL with a less restrictive one while the device is running. Barring any suitable exploits in the SPL itself, root access on a device should be sufficient.

Last I heard, the pre-release myTouch 3Gs are using a 2.6.27 kernel version (default Ion image has 2.6.27-00393). Versions pre-2.6.28.4 are vulnerable to a heap overflow (see CVE-2009-1046), which has a root exploit (albeit a fairly tricky one) for x86_64 available in the wild. Android 1.5 supports native development in ARM via the NDK (my Ion says ARMv6 compatible).

If I had a locked down device, that's the route I would take, anyway. Easiest, of course, would be a signed Ion NBH.
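Thyth's point above, that the verification key embedded in the SPL is useless for producing signatures, as an added example that is not part of the thread: a toy model of the signed-image check using a constructed RSA key pair, next to the symmetric (HMAC) design the post rules out. The primes, key sizes and sample images are all constructed here and are insecure by design.

```python
import hashlib
import hmac

# Constructed toy RSA key pair. The primes are tiny so the arithmetic is
# readable; a real SPL embeds a modulus of 1024 bits or more. Nothing here
# is taken from any real device.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the vendor only

PUBLIC_KEY = (N, E)    # the only key material the SPL needs to embed
PRIVATE_KEY = (N, D)   # never leaves the vendor's signing infrastructure


def digest_int(image: bytes) -> int:
    """Hash the image and reduce it so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def sign_image(image: bytes, private_key: tuple) -> int:
    """Vendor side: RSA signature over the image digest (needs d)."""
    n, d = private_key
    return pow(digest_int(image), d, n)


def verify_image(image: bytes, signature: int, public_key: tuple) -> bool:
    """SPL side: recover the digest with (n, e) and compare. Dumping (n, e)
    from the device reveals nothing that helps compute a new signature."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(image)


def hmac_tag(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image_symmetric(image: bytes, tag: bytes, key: bytes) -> bool:
    """The design the post rules out: an HMAC check. The verifier key is the
    same key that produces tags, so a key recoverable from the SPL would
    authorise any image. That is why a signature scheme is used instead."""
    return hmac.compare_digest(hmac_tag(image, key), tag)


# Constructed sample images standing in for NBH payloads.
VENDOR_IMAGE = b"SAPPHIRE SPL image (constructed sample)"
MODIFIED_IMAGE = b"SAPPHIRE SPL image (constructed sample, patched)"
VENDOR_SIGNATURE = sign_image(VENDOR_IMAGE, PRIVATE_KEY)

if __name__ == "__main__":
    print("vendor image verifies:", verify_image(VENDOR_IMAGE, VENDOR_SIGNATURE, PUBLIC_KEY))
    print("modified image verifies:", verify_image(MODIFIED_IMAGE, VENDOR_SIGNATURE, PUBLIC_KEY))
```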
 

korndub

Guest
Do you know how to overwrite the SPL with the method you described? I will try it; I need to know how, though.
 

DebauchedSloth

Senior Member
Jan 27, 2008
459
76
Obviously, a less invasive solution would be to overwrite the restrictive SPL with a less restrictive one while the device is running. Barring any suitable exploits in the SPL itself, root access on a device should be sufficient.

Yes, I agree, getting the public keys is going to do absolutely no good. Finding a root exploit and then either replacing those keys or disabling the signature check is going to be the most likely path to an exploit, not JTAG.

Of course, once you have root, I'm not sure I see the need to do anything with the SPL, except to maybe disable OTA updates.
 

korndub

Guest
ardhy, if we had root there would be no need to try to rewrite the SPL......

DebauchedSloth - if/when we get root, in my opinion it's better to have the SPL for fastboot purposes - and also, OTA updates are controlled by otacerts and the SPL has nothing to do with the OTA update process.. SPL (Second Program Loader - which allows Android to boot); once Android is running the OTA check begins....
 

cyphr666

Member
Jul 20, 2009
14
0
Another Donor...

Seriously guys...

I am sitting here with a $600 Android phone that I can't even use a decent maps application on - the GPS on my phone is fairly useless.

The variant of HTC Magic sold here is sans any Google Apps - ANY!

So I am willing to donate to anyone who can crack this "dreaded" SPL. I am guessing that there are at least three or four more souls like me...

:)
 

CUGWMUI

Member
Dec 22, 2006
21
0
Actually no.. installation of Maps.apk fails!
Do you know where I can get a working maps.apk?

Ciao,
CUGWMUI
 

addiecool

Member
May 1, 2008
29
0
New Delhi
Yes please let me know where to get

Maps.apk
Google Chat.apk or whatever
Other google apps.
Not very interested in the android market but need the apps.
 

CUGWMUI

Member
Dec 22, 2006
21
0
Actually, I did try taking them out of a ROM.. didn't work.

Maps doesn't work because com.google.android.maps.jar isn't in the /system/framework directory (which is read-only).

Gmail.apk ... just opens & crashes (yes, installed along with GmailProvider.apk).

VoiceSearch .. just opens & crashes.

BTW, if I didn't say so before, add me to the donor list for any possible solution to the dreaded perfect SPL.

Ciao,
CUGWMUI
 

pgiuoco

Senior Member
Feb 15, 2008
111
0
Plano, TX
Question, and I know it's a LONG SHOT... but since the boards are so similar, plus or minus some memory and an LED or 2, would the Dream Img work on the MyTouch3g, Magic, etc.? If it even recognized it, would it be worth the risk?
 

perevers

Senior Member
Jul 3, 2009
174
0
Valby
In the fastboot menu I get the following:
SAPPHIRE PVT 32A SHIP S-ON H
HBOOT-1.33.0010 /SAPP10000)
CPLD-12
RADIO-3.22.20.17
jun 2 2009, 17:28:28

It's an HTC-branded phone, bought in Denmark.
Don't know if you can use this information.
Per
 

setzer715

Senior Member
Jan 29, 2009
1,236
209
North Phoenix
dumb question. Since everything on the mytouch is basically the same as the G1 (with the exception of the ROM), could we fool the NBH that was released for the G1 into thinking it's a myTouch Rom and use it to downgrade, gain root, then upgrade? I'll fully admit that it seems a little far fetched, but figured I'd ask.

Even if this did work, it would put an SPL on your phone that doesn't have the fastboot option. And I don't know if you can do the "Enter Enter, Telnetd, Enter" without a physical keyboard to get into telnetd to flash the recovery image.
 

Mi|enko

Senior Member
Jul 15, 2006
1,558
171
Even if this did work, it would put an SPL on your phone that doesn't have the fastboot option. And I don't know if you can do the "Enter Enter, Telnetd, Enter" without a physical keyboard to get into telnetd to flash the recovery image.

couldn't you adb shell telnetd? Just a thought
 

Mi|enko

Senior Member
Jul 15, 2006
1,558
171
Well, let's give it a shot!

I honestly don't think it'll work, as the dreamimg.nhb will probably need to be renamed to the sapphire image (which is easy enough). The problem there lies in that it's probably signed with different keys than the real sapphire image. Won't know until somebody actually tests it, but ya never know.
 

setzer715

Senior Member
Jan 29, 2009
1,236
209
North Phoenix
I honestly don't think it'll work, as the dreamimg.nhb will probably need to be renamed to the sapphire image (which is easy enough). The problem there lies in that it's probably signed with different keys than the real sapphire image. Won't know until somebody actually tests it, but ya never know.

Now I'm a little concerned I'll brick my phone if it tries to load.

Does it need to be SAPPDIA2.nbh or SAPPDIAG.nbh?
 