So this is what is going on? http://gizmodo.com/5656921/t+mobiles-g2-rootkit-will-reinstall-stock-android-after-a-jailbreak
This is nuts. We need Cyanogen and Modaco to get on this.
Some people (particularly over in the T-Mobile forums) are quoting this post and pointing to the 4407296 number as being proof of a 4G chip and that this means it is somehow accessible to the kernel. I just wanted to clarify that that number is probably simply reporting the size of the mmcblk0 partition in 512-byte blocks since that number happens to be exactly double the number that /proc/partitions reports. Is that a fair assessment of these numbers?
In other words, the only confirmation we have of the 4GB part is the partial teardown that found it and these numbers are simply further ways to confirm that the system only sees 2.1-ish GB of it. Correct?
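To make the block-count arithmetic above concrete, here is an added example (not code from the thread or from any poster) that parses a constructed /proc/partitions excerpt and checks whether a value like 4407296 is just that 1-KiB block count expressed in 512-byte sectors, and what capacity it implies:

```python
import re

# Constructed /proc/partitions excerpt (not a real capture). The mmcblk0
# line carries the 1-KiB block count implied by the thread (4407296 / 2);
# the p21/p22 sizes are made-up filler.
SAMPLE_PROC_PARTITIONS = """\
major minor  #blocks  name

 179        0    2203648 mmcblk0
 179       21       4096 mmcblk0p21
 179       22       4096 mmcblk0p22
"""

SECTOR_BYTES = 512        # unit used by tools that report LBA counts
PROC_BLOCK_BYTES = 1024   # /proc/partitions reports 1 KiB blocks


def parse_proc_partitions(text):
    """Return {device_name: blocks_1k} for each device line in the text."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", line)
        if m:
            sizes[m.group(4)] = int(m.group(3))
    return sizes


def blocks_to_sectors(blocks_1k):
    """Convert a 1-KiB block count to 512-byte sectors (always exactly double)."""
    return blocks_1k * PROC_BLOCK_BYTES // SECTOR_BYTES


def sectors_to_gib(sectors):
    """Capacity in GiB implied by a 512-byte sector count."""
    return sectors * SECTOR_BYTES / 2 ** 30


def explain_sector_count(proc_text, device, reported_sectors):
    """Check whether reported_sectors is just the device's /proc/partitions
    size in 512-byte sectors, and report the capacity the kernel sees."""
    blocks = parse_proc_partitions(proc_text)[device]
    sectors = blocks_to_sectors(blocks)
    return {
        "matches": sectors == reported_sectors,
        "sectors": sectors,
        "gib": round(sectors_to_gib(sectors), 2),
    }


if __name__ == "__main__":
    print(explain_sector_count(SAMPLE_PROC_PARTITIONS, "mmcblk0", 4407296))
```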
The iNAND offers the possibility for the host to configure additional split local memory partitions with independent addressable space starting from logical address 0x00000000 for different usage models.
Is it certain that this protection is at the SPL/radio/MMC level and not at the BOOT level? Has anybody actually examined the contents of the boot partition for a nasty-script?
2.9. Enhanced Write Protection
To allow the host to protect data against erase or write, the iNAND supports two levels of write protect command:
• The entire iNAND (including the Boot Area Partitions, General Purpose Area Partition, and User/Enhanced User Data Area Partition) may be write-protected by setting the permanent or temporary write protect bits in the CSD.
• Specific segments of the iNAND may be permanently, power-on or temporarily write protected. Segment size can be programmed via the EXT_CSD register.
For additional information, please refer to the JESD84-A441 standard.
If I temp root my g2, where is the boot script located? I know how to read it, just don't know where it is.
We could really use Haykuro on this one. He could always solve problems like this. He's like superman.
I've had a mooch through the boot image, nothing obvious there...
What if it's something simple like making the exact same write x times in a row? The first time triggers the write protect. The second time lets the system know it should get ready to make the change, and the third time it changes.
The boot *PARTITION* is what is needed, and recovery would be good as well. mmcblk0p22 is boot, p21 is recovery. Dumping both of those would be useful.
There is also an interesting partition labelled as "devlog" at
dd if=/dev/block/mmcblk0p28 of=/sdcard/devlog.img
(note: devlog *could* have sensitive information, but probably doesn't. Up to you whether you want to share it or not)
chrissoyars just posted a screenshot of custom recovery on g2 on his twitter
http://img692.imageshack.us/img692/7089/whatrootkit.jpg
Edit: Damn you lol you beat me