Wolf Pup
Guest
Uhhhhh...... That's what we did, long ago. If someone S-OFF could perform a dump of his unmapped memory after toggling the secu_flag on/off, maybe we will see where it is hiding.
No, it's not. Nobody dumped a thing with this ENG HBOOT.
Don't take it offensively, but most of your posts are kinda useless here. If you just want to say "Come on guys!", "Yeah! Let's do it this way!", "I don't get a thing of your last post", or post a "Hello world" in Java or ask questions about our personal lives, just don't. Sorry if I seem mean.
EDIT : And please, change this blinking signature, it gives headaches to no.human.being.
Sorry.
Like stated before, I say we work with the HTC Aria/Salsa people so we can get S-OFF.
Pleeease! If you want, I can dig into the kernel source and see if there is anything that respects the S-ON flag, and disable that so the exploit can run successfully?
No problem, it might take me a few days to check each boot file for any secu_flag statements etc.
If the ENG HBOOT is working like theq86 said, it could be easier to find the real @secu_flag than with the XTC-Clip method.
The XTC-Clip makes various changes on the device (secu_flag, SuperCID and SIM unlock) and needs a reboot at the end of the operation. With this ENG HBOOT, an S-OFF user could simply flip the real bit with "fastboot oem readsecureflag" and "fastboot oem writesecureflag", and probably no reboot will be needed.
If it works and if the @secu_flag is really on the NAND, comparing the before/after dumps will be as easy as ABC.
I didn't find any info about the ENG HBOOT 0.81.2000 however. I don't know where *se-nsei. got it, and I saw nobody here report it working well. :-/
Is it still illegal if you do the modification only for yourself on your own phone and do not distribute the modified code? Also: do you legally have to restore everything to stock if you sell the phone or give it away?
(I'm on my phone...)
It's not illegal to modify your phone, as it's your property. For example, when Apple took George Francis Hotz aka geohot to court about him breaking the iPhone bootloaders etc., the courts dropped the case because it's not illegal to do.
Well, I basically did a lot of low-level (mostly hardware) stuff to the phone recently, not so much actual development. I found out how to configure OpenOCD (I don't know whether the configuration is any good, since lots of values are more "good guesses" than actual knowledge, but at least it's a starting point). I found out how to get the board to boot without being attached to the lithium cell, which is not important for getting JTAG access (because this works as long as the board has a power supply; being booted is not necessary for JTAG to work) but will later be needed for tracing through the boot code, since the phone won't boot without what it thinks is a lithium cell. However, I didn't get the debugger running yet. I suspect that the processor's logic level might be too low for the JTAG equipment. I don't really have an idea how to work around that yet; I might need to build a circuit that boosts the processor's JTAG signals to the appropriate voltage level (a so-called "level shifter").
Apart from that munjeni and Antagonist42 also seem to make progress, but I must admit that I wasn't really able to keep track of all the things that they were doing recently. So basically we're now down at the actual physical layer and messing around with the electrical stuff that's going on on the phone's board and trying to find a way of actually talking to the processor to get the on-chip debugging working.
The far goal will be getting a patched HBOOT that has signature verification removed loaded into the device's memory via JTAG, then flash a patched HBOOT image via Fastboot. If this works it will be the first S-OFF GSM WFS that's neither shipped S-OFF nor turned S-OFF via xtc-clip, but this might still be a long long way.
Files and documents scavenged from the net for our use. Enjoy.
Please message me if you require the docs and have 10 "relevant" / "DEV-MOD" postings. "10 and in" posts made only to satisfy the posting and link requirements will be ignored.
Great! How did you get it? Through the fastboot boot command? Maybe I can help? If this works there will be a lot of S-OFF devices using your method! If you don't want to risk it, I will test your code on my Aria!
~ # cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00040000 "misc"
mtd1: 00500000 00040000 "recovery"
mtd2: 00340000 00040000 "boot"
mtd3: 10400000 00040000 "system"
mtd4: 02300000 00040000 "cache"
mtd5: 09600000 00040000 "userdata"
mtd6: 00a00000 00040000 "devlog"
mtd7: 02fc0000 00040000 "radio"
~ #
~ # cat /dev/mtd/mtd7 > /sdcard/radio.img
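The posts above propose dumping a partition before and after toggling the secure flag and comparing the two images to find where the bit lives, and the /proc/mtd listing just posted gives the partition and erase-block sizes needed to do that. Here is a host-side script that ties the two together, written as an added example for this thread rather than tooling from any poster: it parses /proc/mtd text (the listing from the post is embedded as sample input), then diffs two same-sized raw dumps, skipping erase blocks that are identical and reporting each run of changed bytes with its offset and the erase block it sits in. The two "misc" dumps it runs on are constructed in the script (an all-0xFF erased image with a few bytes flipped), not real device data; the assumption that a flipped flag shows up as a byte change in a raw partition dump is the same one the posts make.

```python
#!/usr/bin/env python3
"""Locate bytes that differ between two raw MTD partition dumps.

Workflow this script assumes (example only, not a tool from the thread):
  1. cat /proc/mtd                      -> partition sizes and erase block size
  2. cat /dev/mtd/mtdN > before.img     -> dump before toggling the flag
  3. toggle the flag, dump again to after.img
  4. python3 mtddiff.py before.img after.img 0x40000
"""
import re
import sys

# One /proc/mtd entry: "mtd0: 00100000 00040000 "misc"" (sizes are hex bytes).
MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')

# Sample input: the /proc/mtd listing posted in the thread (Wildfire S layout).
PROC_MTD_SAMPLE = """dev: size erasesize name
mtd0: 00100000 00040000 "misc"
mtd1: 00500000 00040000 "recovery"
mtd2: 00340000 00040000 "boot"
mtd3: 10400000 00040000 "system"
mtd4: 02300000 00040000 "cache"
mtd5: 09600000 00040000 "userdata"
mtd6: 00a00000 00040000 "devlog"
mtd7: 02fc0000 00040000 "radio"
"""


def parse_proc_mtd(text):
    """Return {name: (dev, size_bytes, erasesize_bytes)} from /proc/mtd text."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erasesize, name = m.groups()
            parts[name] = (dev, int(size, 16), int(erasesize, 16))
    return parts


def diff_dumps(before, after, erasesize):
    """Compare two equal-length dumps erase block by erase block.

    Returns (ranges, blocks): ranges is a list of (offset, old_bytes, new_bytes)
    for every maximal run of differing bytes, blocks is the list of erase block
    indices that contain at least one change. Identical blocks are skipped with
    a single bytes comparison, so only dirty blocks are scanned byte by byte.
    """
    if len(before) != len(after):
        raise ValueError("dump sizes differ: %d vs %d bytes" % (len(before), len(after)))
    ranges, blocks = [], []
    for blk_start in range(0, len(before), erasesize):
        a = before[blk_start:blk_start + erasesize]
        b = after[blk_start:blk_start + erasesize]
        if a == b:
            continue
        blocks.append(blk_start // erasesize)
        start = None
        for i, (x, y) in enumerate(zip(a, b)):
            if x != y:
                if start is None:
                    start = i
            elif start is not None:
                ranges.append((blk_start + start, a[start:i], b[start:i]))
                start = None
        if start is not None:  # run of changes reaches the end of the block
            ranges.append((blk_start + start, a[start:], b[start:]))
    return ranges, blocks


def format_report(ranges, erasesize):
    """Render diff ranges as one line each: offset, erase block, old -> new hex."""
    return [
        "0x%08x (block %d): %s -> %s" % (off, off // erasesize, old.hex(), new.hex())
        for off, old, new in ranges
    ]


def build_sample_dumps(size):
    """Constructed test data: an erased (all 0xFF) partition, then a few bytes written."""
    before = b"\xff" * size
    after = bytearray(before)
    after[0x40010:0x40013] = b"\x00\x01\x02"  # three bytes in erase block 1
    after[0xC0000] = 0x00                      # first byte of erase block 3
    return before, bytes(after)


def run_sample():
    """Run the diff on the constructed "misc" dumps; returns (ranges, blocks)."""
    _, size, erasesize = parse_proc_mtd(PROC_MTD_SAMPLE)["misc"]
    before, after = build_sample_dumps(size)
    return diff_dumps(before, after, erasesize)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # real dumps: mtddiff.py before.img after.img <erasesize>
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            es = int(sys.argv[3], 0)
            rng, _ = diff_dumps(f1.read(), f2.read(), es)
    else:
        rng, _ = run_sample()
        es = 0x40000
    print("\n".join(format_report(rng, es)) or "no differences")
```

Run with no arguments it diffs the constructed sample and reports two ranges, one in erase block 1 and one in block 3; with two dump files and the erase size from /proc/mtd it does the same on real images. Two caveats for real use: the dumps must be of the same partition and equal length (the script refuses otherwise), and reading /dev/mtd/mtdN with cat returns the data area only, so any flag kept in the NAND out-of-band (spare) area would not show up here; that would need nanddump with OOB included.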