[DISCUSSION][SOLVED] ROOTING G2 Vision T-mobile

spyz88 · Oct 6, 2010

We could really use Haykuro on this one. He could always solve problems like this. He's like superman.

PlankLongBeard · Oct 6, 2010

hah2110 said:
So this is what is going on? http://gizmodo.com/5656921/t+mobiles-g2-rootkit-will-reinstall-stock-android-after-a-jailbreak

This is nuts. We need Cyanogen and Modaco to get on this.

+1 On this... I just got the thing for the wife last night... then wake up to this ish, I'm like we gave up Verzion the Droidx cause of this non-sense. Well, I hope Modoco and Cyanogen get on this soon too... First the selling point of interchangeable roms from HTC, now we raped like the big red machine. Its cool tho, this is an HTC and development has that rule set straight. Its ours, not yours after we paid for it.

Algernon · Oct 6, 2010

flarbear said:
Some people (particularly over in the T-Mobile forums) are quoting this post and pointing to the 4407296 number as being proof of a 4G chip and that this means it is somehow accessible to the kernel. I just wanted to clarify that that number is probably simply reporting the size of the mmcblk0 partition in 512-byte blocks since that number happens to be exactly double the number that /proc/partitions reports. Is that a fair assessment of these numbers?

In other words, the only confirmation we have of the 4GB part is the partial teardown that found it and these numbers are simply further ways to confirm that the system only sees 2.1-ish GB of it. Correct?

That seems to be the case. This is from the data sheet for the iNAND:

The size of a write block in the iNAND device is 512B

and

The iNAND offers the possibility for the host to configure additional split local memory partitions with independent addressable space starting from logical address 0x00000000 for different usage models.

http://omapworld.com/iNAND_e_MMC_4_41_IF_data_sheet_v1_0[1].pdf

Algernon · Oct 6, 2010

lbcoder said:
Is it certain that this protection is at the SPL/radio/MMC level and not at the BOOT level? Has anybody actually examined the contents of the boot partition for a nasty-script?

From the same SanDisk data sheet I mentioned above:

2.9. Enhanced Write Protection
To allow the host to protect data against erase or write, the iNAND supports two levels of write protect command:

• The entire iNAND (including the Boot Area Partitions, General Purpose Area Partition, and User/Enhanced User Data Area Partition) may be write-protected by setting the permanent or temporary write protect bits in the CSD.

• Specific segments of the iNAND may be permanently, power-on or temporarily write protected. Segment size can be programmed via the EXT_CSD register.

For additional information please refer JESD84-A441 standard.

lbcoder · Oct 6, 2010

digikid said:
If I temp root my g2, where is the boot script located? I know how to read it, just don't know where it is.

The boot *PARTITION* is what is needed, and recovery would be good as well. mmcblk0p22 is boot, p21 is recovery. Dumping both of those would be useful.

dd if=/dev/block/mmcblk0p21 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p22 of=/sdcard/boot.img

There is also an interesting partition labelled as "devlog" at p28. Any luck and it might actually have a log of what's doing with the "restore" problem.

dd if=/dev/block/mmcblk0p28 of=/sdcard/devlog.img
(note: devlog *could* have sensitive information, but probably doesn't. Up to you whether you want to share it or not)

lbcoder · Oct 6, 2010

spyz88 said:
We could really use Haykuro on this one. He could always solve problems like this. He's like superman.

Keep that lecherous punk kid away from here! He never solved anything and led a LOT of people into a brick.

paulobrien · Oct 6, 2010

I've had a mooch through the boot image, nothing obvious there...

P

funkadesi · Oct 6, 2010

+1 for HTC and T-Mo for giving us a REAL challenge....

chaoticaffinity · Oct 6, 2010

What if its something simple like making the exact same write x times in a row. The first time triggers the write protect. The second time lets the system know it should get ready to make the change and the third time it changes.

lbcoder · Oct 6, 2010

paulobrien said:
I've had a mooch through the boot image, nothing obvious there...

P

How about recovery? Since recovery theoretically must be able to make permanent writes? Is recovery also protected? How about boot, is boot protected? Misc *can't* be protected, nor can cache (write protect would defeat their purposes), and between misc and cache, it should be possible to write an SPL....

Did somebody say they had an engineering SPL from somewhere? It might have been from that leaked dump or something.... An engineering SPL should be able to boot an unsigned recovery or boot image.

fastludeh22 · Oct 6, 2010

app root

I'm sorry if this is already known, as I haven't been able to read this entire theard yet, but I promise I will tonight. With that said:

I have root for apps like titiaum backup, and setcpu, etc...

If this is known how to do ignore me, lol. If not ill post up steps. We WILL break this thing open!

lbcoder · Oct 6, 2010

chaoticaffinity said:
What if its something simple like making the exact same write x times in a row. The first time triggers the write protect. The second time lets the system know it should get ready to make the change and the third time it changes.

Unlikely. This would be more complicated to write and would require a second CPU (the radio core?) to overlook it. Very wasteful.

digikid · Oct 6, 2010

lbcoder said:
The boot *PARTITION* is what is needed, and recovery would be good as well. mmcblk0p22 is boot, p21 is recovery. Dumping both of those would be useful.

......

There is also an interesting partition labelled as "devlog" at
dd if=/dev/block/mmcblk0p28 of=/sdcard/devlog.img
(note: devlog *could* have sensitive information, but probably doesn't. Up to you whether you want to share it or not)

Ok, I had issues before I left. I will work on this when I get home from work. Sorry for the wait.

Sent from my T-Mobile G2 using XDA App

ace42588 · Oct 6, 2010

was anyone ever able to look at hendusoone log dumps? what was mmc1? mmc0 is the nand and mmc2 is the sd card. in the log mmc0 is later identified in the log as being 2.1gb, mmc1 isnt really identified as anything, and very well could be nothing. seems strange to skip mmc1 in favor mmc2 for the sdcard.

anyone know of any hardware engineers? using an fpga to sniff and interpret the emmc lines would tell us exactly what was going on, but doing so would require a metric **** ton of skill with the board

scrapin240 · Oct 6, 2010

called TMo and the reps are like we are not aware of anything that can prevent root (they first said it will void your warranty, etc.) but said that they have not heard anything bc all the reps root their phones.

I think the best thing is for everyone to return their phones and state this as a reason and that will pretty much stop the madness.

Superfrag · Oct 6, 2010

I don't think TMo has anything to do with it ; If this is true, the fault lies with HTC..

LxDroid · Oct 6, 2010

"ChrisSoyars: http://bit.ly/d7sL1n need I say more?"
4 minutes ago via TweetDeck

**Edit** It was fake

Jrbourque · Oct 6, 2010

chrissoyars just posted a screenshot of custom recovery on g2 on his twitter

http://img692.imageshack.us/img692/7089/whatrootkit.jpg

Edit: Damn you lol you beat me

hansalvato · Oct 6, 2010

if this is in the desire z and HD then this is and htc thing

Superfrag · Oct 6, 2010

Jrbourque said:
chrissoyars just posted a screenshot of custom recovery on g2 on his twitter

http://img692.imageshack.us/img692/7089/whatrootkit.jpg

Edit: Damn you lol you beat me

Owned. ****ing awesome.

[DISCUSSION][SOLVED] ROOTING G2 Vision T-mobile

Senior Member

Senior Member

Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Similar threads

Top Liked Posts