W
No, it's not. Nobody dumped a thing with this ENG HBOOT.
Don't take it offensive, but most of your posts are kinda useless here. If you just want to say "Come on guys !", "Yeah ! Let's do it this way !", "I don't get a thing of your last post", or post an "Hello world" in Java or ask questions about our personal lifes, just don't. Sorry if I seem mean.
EDIT : And please, change this blinking signature, it gives headaches to no.human.being.
well i did that, but we failed as we didnt have access to the radio at the time. we need to do it again with access to the radio to see what we can find. as i dont have a spare wildfire s i cannot test again. but, should anyone be in scotland with the htcdev bootloader willing to give the dump files i have the xtc clip and will clip for free.
W
Wolf Pup
Guest
No, it's not. Nobody dumped a thing with this ENG HBOOT.
Don't take it offensive, but most of your posts are kinda useless here. If you just want to say "Come on guys !", "Yeah ! Let's do it this way !", "I don't get a thing of your last post", or post an "Hello world" in Java or ask questions about our personal lifes, just don't. Sorry if I seem mean.
EDIT : And please, change this blinking signature, it gives headaches to no.human.being.
No I don't. Try reading every single one of my posts. You'll see how useful I am. FYI, I do do helpful things, I made the forum that NHB started his research in, have a look. And I made a ROM. I have done so many things. I didn't post an hello world in Java. And I dont ask personal questions. what is your country isn't even that personal.
-----------------------------------------------------------------------------
Anyway, since we're back to kernels, we still getting the white screen?
W
Wolf Pup
Guest
W
Wolf Pup
Guest
no. i remember on my old thread someone suggested it since they got similar specs and trying to get soff.
W
Wolf Pup
Guest
eoghan2t7
Inactive Recognized Contributor
if you want i can dig into the kernel source and see if there is anything that repects the S-ON flag and show disable that so the expoilt can run sucessfully?
eoghan2t7
Inactive Recognized Contributor
pleease
no problem might take me a few days to check each boot file for any secu_flag statments etc
I think the term secu_flag will not be explicitely stated in the kernel. Also you have to look at the kernel sources, especially the mtd driver - not the boot images.
If the ENG HBOOT is working like theq86 said, it could be easier to find the real @secu_flag than with the XTC-Clip method.
The XTC-Clip mades various changes on the device (secu_flag, SuperCID and SIM unlock) and needs a reboot at the end of the operation. With this ENG HBOOT, a S-OFF user could simply flip the real bit with "fastboot oem readsecureflag" and "fastboot oem writesecureflag" and no reboot will be needed probably.
If it works and if the @secu_flag is really on the NAND, comparing the before/after dumps will be as easy as ABC.
I didn't find any infos about the ENG HBOOT 0.81.2000 however. I don't know where *se-nsei. got it and I saw nobody here reports it working good. :-/
Last edited:
If the ENG HBOOT is working like theq86 said, it could be easier to find the real @secu_flag than with the XTC-Clip method.
The XTC-Clip mades various changes on the device (secu_flag, SuperCID and SIM unlock) and needs a reboot at the and of the operation. With this ENG HBOOT, a S-OFF user could simply flip the real bit with "fastboot oem readsecureflag" and "fastboot oem writesecureflag" and no reboot will be needed probably.
If it works and if the @secu_flag is really on the NAND, comparing the before/after dumps will be as easy as ABC.
I didn't find any infos about the ENG HBOOT 0.81.2000 however. I don't know where *se-nsei. got it and I saw nobody here reports it working good. :-/
An S-OFF user checked the eng hboot thing. Result was: we have the diag tool (which is copied to the sd card from the xtc clip) but not the eng hboot itself.
W
Wolf Pup
Guest
That's good to know.
Are you working on the kernel to, theq86? Or are you trying a different approach? I'm sticking with my Doctor Who story, that's for sure!!
When you get a stock S-OFF phone, is it just a coincidence?
Are you working on the kernel to, theq86? Or are you trying a different approach? I'm sticking with my Doctor Who story, that's for sure!!
When you get a stock S-OFF phone, is it just a coincidence?
No it is not.
You are explicitely allowed to disassemble/decompile utilities, e. g. in order to inspect them for backdoors, etc. Of course you aren't allowed to use the implementation in your own software (the implementation is protected by copyright), but you may create your own code that functionally does the same (the "principle" can only be protected by patents and there are no software patents in Europe).
Many EULAs prohibit reverse engineering, but EULAs are not considered legally binding contracts. You may just hit "accept", it's not a thing you are in any way bound to. It's different if you use the software in conjunction with a "service" (e. g. an online game), as the "terms of service" are legally binding, but the EULA itself is not.
But there's a different thing that makes me concerned and it's the fact that we're patching the HBOOT and this software is protected by copyright. I'm not sure whether creating a software that patches it is already considered "creating a derived work" (which we would NOT be allowed to do) or if that "derived work" is only created "on the phone" and therefore by the person running the patch (after all the patch itself doesn't contain HBOOT code at all).
From my point of view I'd say that we're not creating a "derived work", but I'm not sure if jurisdiction shared my view. I really don't want to infringe any "intellectual property". It's one of the worst things you can do as a computer scientist. Could we port this one over to the phone and get rid of HBOOT entirely?
Btw, since so many asked why I didn't post for some time. I'm a bit busy at the moment and we still haven't got a functioning kernel.
Last edited:
Is it still illegal if you do the modification only for yourself on your own phone and do not distribute the modified code? Also: do you legally have to restore everything to stock if you sell the phone or give it away?
(I'm on my phone...)
(I'm on my phone...)
eoghan2t7
Inactive Recognized Contributor
its not illegal to modify your phone as it your property for example when apple took George Francis Hotz aka geohot to court about him breaking the iphone bootloaders etc the courts dropped the case because its not illegal to do
Well, as long as you sell it for private purpose it doesn't matter.
However, nhb is right. Even if the exploit does not contain hboot code, we can not just patch hboot and distribute it.
distribute the exploit, however is leading us into a shadow corner of right.
The approach of getting uboot to work may not infringe copyright, but it would surely need some bricked wildfires before being usable.
---------- Post added at 09:42 PM ---------- Previous post was at 09:39 PM ----------
its not illegal to modify your phone as it your property for example when apple took George Francis Hotz aka geohot to court about him breaking the iphone bootloaders etc the courts dropped the case because its not illegal to do
At least in my country, anything cracking the SIMLOCK IS illegal
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
59[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!
Progress so far:
DEVELOPERS!
THIS CAMPAIGN IS STILL GOING!
Please try to read the latest posts in this thread if you would like to help!
---
S-OFF is still needed! Don't get happy with your HTC unlocked bootloaders, you have no more warranty! You still can't resizie your system partitions! You still can't flash the hboot, and many other things! You can get your warranty back, if we crack S-OFF!!
Well I basically did a lot of of low-level (mostly hardware) stuff to the phone recently, not so much actual development. I found out how to configure OpenOCD (don't know whether the configuration is any good, since lots of values are more "good guesses" than actual knowledge but at least it's a starting point). I found how to get the board to boot without being attached to the Lithium cell which is not important for getting JTAG access (because this works as long as the board has power supply, being booted is not neccessary for JTAG to work) but will later be needed for tracing through the boot code, since the phone won't boot without what it thinks is a Lithium cell. However, I didn't get the debugger running yet. I suspect that the processor's logic level might be too low for the JTAG equipment. I don't really have an idea how to work around that yet, I might need to build a circuit that boosts the processor's JTAG signal to the appropriate voltage level (a so-called "level-shifter").
Apart from that munjeni and Antagonist42 also seem to make progress, but I must admit that I wasn't really able to keep track of all the things that they were doing recently. So basically we're now down at the actual physical layer and messing around with the electrical stuff that's going on on the phone's board and trying to find a way of actually talking to the processor to get the on-chip debugging working.
The far goal will be getting a patched HBOOT that has signature verification removed loaded into the device's memory via JTAG, then flash a patched HBOOT image via Fastboot. If this works it will be the first S-OFF GSM WFS that's neither shipped S-OFF nor turned S-OFF via xtc-clip, but this might still be a long long way.35Get your Teeth into these
Do not PM requesting Documents unless.....
If you cannot satisfy the above, do not PM. Thank you
My DropBox is defunct :silly: , as i'm not now as active on XDA I will see about re-posting when I can get some time to sort it all out again (like my mind it's a mess ).... I'll leave page as-is until I can sort it out Thankyou for your patience... and thankyou dropbox for the total lack of any idea of what went wrong
QualcommRelease Info July 2010
Booting
Qualcomm Boot VM984
File Systems
Qualcomm Filesystem Overview
ARM sheets
ARM9 Compiled Framework - Translated
ARM926EJ-S pdf
ARM1136JF-S + J-S pdf
ARM Phone/PC/Chip Info doc
Qualcomm REX User Guide Rev C 2001
REX and common software
ARM9EJ-S r1p2 _ RETIRED _ DDI0222
ARM Architecture Reference Manual v6m _ DDI0194C
eMMC Electrical Standards
ARMv7
Architecture App Level Ref Manual v7-M
Architecture App Level Ref Manual v7-M
Architecture Ref Manual v7-M
ECC
Reed Solomon Error Correcting Codes - OhadRodeh
Qualcomm - System Boards / User System
MSM7xxx Q-Fuses and Security
USB Host Driver W2k/XP -80-V4609-1-Rev-E
Android Linux Device Bus Drivers
Qualcomm - AMSS / Radio ... non user
AMSS - D'ya wanna know how to?
AMSS Overview 7x27 EBI1 cfg Original pdf
AMSS Overview 7x27 EBI1 cfg Translated (roughly lol) rtf
AMSS/DMSS C Debug/Troubleshoot
CMX Overview 80-V1484-1 Rev H
AMSS Multimedia Concurrency
AMSS 6055/6065/6075/6085 Build Instructions and Environment
MSM7227 Info
MSM7200A Sales Datasheet
MSM7500 Sales Datasheet
TM7200 [Test Phone] Sales Datasheet
MSM7227/7227 - Turbo - Build your own!!! See Below For Chip Infos
MSM7227 Chip Training-Overview
MSM7227 modem pdf
Micron NAND information
Package Naming
Part Numbering
NAND or OneNAND + RAM pdf
Micron NAND 101
NAND Flash Memory for MT29F4G08AAA, MT29F8G08BAA, MT29F8G08DAA, MT29F16G08FAA
4Gb, 8Gb, and 16Gb x8 NAND Flash Memory Features
TN-29-16: Boot-from-NAND with the TI OMAP2420 Processor
TN-29-18: Booting from Embedded MMC
TN-29-13: Determining NAND Flash Ready/Busy Status
TN-00-25: Enabling a Flash Device into the Linux MTD
Samsung NAND information
512 NAND
K9K2G08(U/R)0A Datasheet
KFG1G16Q2M-DEB6 Datasheet
Lauterbach - NAND
NAND FLASH Programming User’s Guide
Board IC's
PM7540 Power Manager pdf
RTR6285 RF Transceiver IC pdf
RTR6285/6280 Specs pdf
RTR6285 RF SW Driver pdf
MSM7227 Boot doc - Chinese but mostly the actual android/linux we're after.
MSM7227 Boot - Translated (roughly) - doc
Qualcomm 7X27 Platform Training Summary - rtf
Contains Partition Info .Doc file
Program (Linux) Unsure of authenticity please be aware...
QualcommAuto Test - No idea, Linux OS, trying to find documentation.
MSM6025 QSC60x6
Data Sheet
Device Specification
User Guide
Chipset Training
MSM60x5 AMSS Secure Boot Overview
MSM60x5 AMSS Flash and Memory Layout
MSM60x5 AMSS Board Support
MSM6500
Chipset Training
Basband Ref Schematic
MSM7200/A
Software Interface Manual 80-VA736-2 Rev B
MSM7200A Chipset Training - Baseband Topics
MSM 7225
Device Specification 80-VF815-1 Rev E
MSM7625
MSM7625 Device Info pdf
MSM7627
MSM7627 RF Training pdf
MSM7627 SCHEMATIC pdf - try at your own peril
Training Baseband Topics-80vm151-25 - pdf
Training Baseband Topics-80vm151-25 - (plain text file) - pdf
SURF7627 Main Board Ref Schematic pdf
SURF7627 Platform User Guide
AMSS 7x27A Linux Release 2.0.35 (Modem, Multimode) for Android™
Platform-Enabled MSM7627A Devices Release Notes for M76XXUSNEKNLYM2035
MSM8260/8660
MSM8260/8660 Baseband Reference Schematic
APQ8060/MSM8260/8660 Mobile Station Modem
MSM8660 Voice/Audio Topology and Tools Overview
MSM8x60
MSM8X60 Modem Debug Guide
MSM8960
Schematic including PM8921 WCD9310
MSM8969 Boot Architecture
MSM8960 Chipset Training - Intro & Overview
QSC
QSC6240/QSC6270 Single Chip User Guide
MDM Series Chips
62+6600 User Guide
8200 User Guide
JTAG Info
AND72J v1.0 25.04.2011 doc
JTAG ETM Interface for ARM9
Lauterebach - ARM JTAG Interface Specifications
Program for JTAG
From above site - H-JTAG v2.1
H-JTAG User Documents
MSM Devices.
Lauterbach Dev Tools - Debugging Linux GDB Android
Trace32 Training not Qualcomm.
MSM7227 Schematic Chip Infos
B4B-PH-K_LF_SN
JST - PH Connector Info
CCM03-3013-LFT-R102
C&K Components - SIM Holder
CM1213-08MR
CMD California Micro Devices - 1, 2, 4, 6 and 8-Channel Low Capacitance ESD Protection Arrays
DTC124EE
ROHM Semiconductor - 100mA/50V Digital Transistors
DTC144WE
ROHM Semiconductor - NPN 100mA/50V Transistor
EMIF02-MIC02F2
ST Microelectronics - EMI/RFI Filter
HEC3650-018010
HOSIDEN Electronic Components - DC Power Jacks
IP4047CX6-LF
NXP (founded by Philips) - ESD protection EMI filter Level shifter and buffer
LP5900TL-3.3
Texas Instruments - Ultra Low Noise, 150 mA Linear Regulator for RF/Analog Circuits Requires No Bypass Capacitor
LT3465FA
Linear Technology - 1.2MHz/2.4MHz White LED Drivers with Built-in Schottky in ThinSOT
Linear Technology - High Efficiency ThinSOT White LED Driver Features Internal Switch and Schottky Diode – Design Note 325
MT46H32-64M16-32LF
Micron - Mobile Low-Power DDR SDRAM
NC7SP34L6X
Fairchild Semiconductor - TinyLogic ULP Single Buffer
NC7SZ74
Fairchild Semiconductor - TinyLogic UHS D-Type Flip-Flop with Preset and Clear
PACDN1404-D
On Semiconductor - ESD Protection Arrays in Chip Scale Package
ISP1362
USB Schematic Philips - Philips ISP1362 USB On-The-Go Expansion Board For Accelent IDP's
0522P_0524P
Semtech - Ultra Low Capacitance TVS Arrays
SI2333DS-T1-E3
Vishay Siliconix - P-Channel 12-V (D-S) MOSFET
ZXTD2M832
Zetex Semiconductors - MPPS Miniature Package Power Solutions DUAL 20V PNP LOW SATURATION SWITCHING TRANSISTOR
Programs
QXDM - 3.9.19 Still using 80-V1241-21 Rev. A November 21, 2001
With update info for Expected Differences Between QCAT Version 4 and QCAT Version 5 Output - 2006
QXDM Software Users Guide 80-V1241-21 X2 September 13, 2001
Other Stuff I have come across, passed on, may be of use/interest ...
Intel - Hex Addressing/Recording - Hexadecimal Object File Format Specification
LG VS930 Service Manual
LG KS20 Service Manual pdf - just for interest.
How the Dalvik Virtual Machine works
Qualcomm Rex Boot - Needs Translating though!
AMSS Doc Translated - rtf
Qualcomm OS Kernel Code REX Translated - rtf
Generate Release Version Android System Signature Translated - rtf
Translated Boot doc 1
Translated boot doc 2
Multi-Core Communication - Original txt pdf
Multi-Core Communicaton - Translated
Wavecom Open AT Firmware 7.4
Boot/Kernel Analysis Docs -
Simple Analysis Android Kernel rtf
Android Boot Proc 01 rtf
Android Boot Proc 02 rtf
Linux Kernel Porting (mini2440) rtf
Qualcomm Boot Analysis rtf
U-Boot Analysis rtf
A Physically Addressed L4 Kernel paper - pdf
L4 User Manual API Version X2 pdf
A Secure MicroKernel pdf
This document is intent to provide detailed instruction on building the Android Gingerbread BSP on the
SMDKV210 board.15
Proof (screenshot) is attached.
Yes I managed to "chainload" a patched ("exploit inject" generated) HBOOT on the device via Fastboot. Have prefixed it with a small (assembly language) exploit code that moves it to over to physical zero and jumps into it, then put it into an Android boot image created with mkbootimg_wfs and booted that via Fastboot. You have to hold Vol-Down when issuing the Fastboot command, since obviously otherwise it won't get into bootloader mode but boot straight into ROM. It shows S-OFF and "*** INJECTED ***" (which is the string that the exploit leaves inside the HBOOT image to prove that it worked - I've "stolen" the idea from Revolutionary that show "*** REVOLUTIONARY ***" or something like that). Cannot test whether it actually "acts S-OFF" (allows stuff like "fastboot flash hboot" etc.) since I have no way to enter Fastboot mode. It will boot straight into the ROM after checking the SD card for the PG76IMG.nbh.
Don't want to publish yet since the image obviously contains an entire HBOOT and while I really want to gain S-OFF on the device, I also respect HTC's copyright on their code. I have to turn this into an exploit that generates the image from an HBOOT dump pulled off the phone itself since then I do not have to ship any HTC code with it, which I'd consider "fair".9Haha it works!
Code:~ # cat /proc/mtd dev: size erasesize name mtd0: 00100000 00040000 "misc" mtd1: 00500000 00040000 "recovery" mtd2: 00340000 00040000 "boot" mtd3: 10400000 00040000 "system" mtd4: 02300000 00040000 "cache" mtd5: 09600000 00040000 "userdata" mtd6: 00a00000 00040000 "devlog" mtd7: 02fc0000 00040000 "radio" ~ #
I had a fastboot image of unknown origin that probably couldn't do it for whatever reason. I now used the fastboot that ships with the Android SDK and this one does it.
So yes people, we have access to the Radio!
Code:~ # cat /dev/mtd/mtd7 > /sdcard/radio.img
Succeeds so I'm now having the Radio firmware right on my SD card!
So victory I'd say! We just have to find the flag now. Memory protection is gone! The rest is "good programming work" and "finding out how APIs work" for programming the Flash via mtd devices. It's not that trivial as you have to do quite sophisticated "ioctl" calls to explicitely erase pages before programming them again, otherwise the memory won't be writable. But like I said this is just coding skills and API knowledge. We have passed the challenge, Radio protection is dead!9GOT IT! PHONE SHOWS S-OFF! Bootloader is unusable though. Shows boot screen (including S-OFF), then checks SD card for PG76IMG.nbh, then boots into ROM. No chance to do anything. But I think that only SMALL modification is required now.
