Bootloader Cracking : Devs only


goroh_kun

Senior Member
Apr 24, 2010
85
162
Tokyo,Japan or HongKong
current usbloader

Hi, I uploaded the current test version of usbloader.

usbloader0 can be booted directly from the Linux kernel.
Code:
cat usbloader0 > /proc/splboot/image
echo > /proc/splboot/boot

usbloader is mapped at physical address 0x0000;
this binary is included in usbloader0.
I tried to copy it to 0x00 and boot it automatically, but it doesn't seem to work well.
I'll debug this problem.
But if you memcpy this image to 0x00 with fastboot, you can boot it.

On the screen after booting usbloader0,
we can see where the usbloader binary is loaded.
Code:
input_data=300057cc
input_data_end=3000f73c

We can re-copy it to 0 with a command like this from your PC command prompt.
Code:
fastboot getvar memcpy0,300057cc,9f70
fastboot getvar go0
here, 9f70 = 3000f73c-300057cc

You can boot your SPL:
Code:
fastboot flash mem0 /path/to/spl
fastboot getvar go0
here, mem0 means upload the image to 0; if you want to upload to a different address,
you can use mem02b00000, mem01000000, etc.


I added many commands to check how the CPU internal memory works.
Code:
fastboot getvar memcmp0,300057cc,9f70
- to check that the memcpy is correct.

fastboot getvar memcpy0,300057cc,9f70
- memcpy from 0x300057cc to 0x00, size 9f70

fastboot getvar dump0,20
- show a memory dump from 0x0000, 0x20 (32) unsigned integers

fastboot getvar go0
- call the function at 0x00;
  if you want to boot usbloader0, just call "fastboot getvar go30000000".

fastboot reboot
- clear screen

fastboot flash mem0 testbin
- upload testbin to 0x00

fastboot getvar mem0,4
- get memory from 0x00-0x10.
I use this command to dump memory.
I attached a script named dump2mem.sh to help you get memory.

http://hotfile.com/dl/56074792/6f8edc4/usbloader_20100718.zip.html
 

goroh_kun

Senior Member
Apr 24, 2010
85
162
Tokyo,Japan or HongKong
current works

Hi, just yesterday night in Japan local time,
I succeeded in booting my own Linux kernel, built from source code, e-Sheep from SE.
But I had to disable many things like oncrpc, proc_comm, etc.
It's just because the modem CPU crashed.
It seems when I boot the SPL from the original kernel, it crashes.
From usbloader, I tried to use proc_comm but I couldn't use it.
proc_comm is used to ask the modem CPU for something, like rebooting, turning off, playing music, etc.
So now I'm analyzing why the modem crashes when usbloader boots up.

One idea is that I have to notify the modem CPU of the application CPU restart.
There is an interface to notify the reboot event to the modem CPU.
I can send this event with this command.

Code:
mount -t debugfs debugfs /sys/kernel/debug
chmod 666 /sys/kernel/debug/modem_notifier/reboot_start
echo > /sys/kernel/debug/modem_notifier/reboot_start

I tried this, and we can see in the kernel log that the event reached the kernel driver.
After that, I tried to use the proc_comm interface from usbloader,
but it doesn't work..
It seems there are more things I have to do before booting usbloader.

see you next report.
 

irkkso

Senior Member
Mar 14, 2008
224
65
great work!

great work! I've been watching each new post in this topic ...
 

biktor_gj

Senior Member
Jan 25, 2008
1,408
7,008
About the baseband: you have to reboot the ARMv6 CPU, then boot Qualcomm's bootloader in there to make it boot again. proc_comm won't reply until the OS inside the baseband is loaded, and it won't boot until you tell it to. Also, we trash smem when booting the SPL (we cut the kernel "the hard way" when we boot it), so unless we reboot it and let it write again, and don't overlap the memory segment, it will crash again.

Also the MMU doesn't seem to be turned off before booting, and the cache doesn't seem to be stopped, so that will trash it all too. Resetting all the hardware in usbloader's init.S would be a good idea...

 

goroh_kun

Senior Member
Apr 24, 2010
85
162
Tokyo,Japan or HongKong
how to disable smd_rpcrouter

Hi, I'm analyzing how smd (the shared memory driver) works.
The MCPU & ACPU use smd channel 2 (ch2) as the RPC channel.

Code:
#cat /sys/kernel/debug/smd/ch
  ch02:   OPENED(5928/5928) DCCiwrs <->   OPENED(7980/7980) DRCiwrs
#cat /sys/kernel/debug/smd/tbl
ch00:   CLOSED(0000/0000) dcciwrs <->  CLOSING(0000/0000) DRCiwrS
ch01:   OPENED(0000/0000) DCCiwrs <->   OPENED(0000/0000) dRciwrs
ch02:   OPENED(5928/5928) DCCiwrs <->   OPENED(7980/7980) DRCiwrs
ch07:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch08:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch09:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch10:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch11:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) dRciwrS
ch12:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) dRciwrS
ch13:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) dRciwrS
ch17:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch39:   OPENED(0000/0000) DCCiwrs <->   OPENED(0000/0000) dRciwrs
ch40:   OPENED(0000/0000) DCCiwrs <->   OPENED(0000/0000) dRciwrs
ch42:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch43:   OPENED(0284/0284) DCCiwrs <->   OPENED(0232/0232) DRCiwrs
ch44:   OPENED(0000/0000) DCCiwrs <->   OPENED(0000/0000) DRCiwrs
ch45:   OPENED(0000/0000) DCCiwrs <->   OPENED(0000/0000) DRCiwrs
ch46:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch48:   OPENED(0232/0232) DCCiwrs <->   OPENED(0168/0168) DRCiwrs
ch49:   CLOSED(0000/0000) dcciwrs <->  OPENING(0000/0000) DRCiwrS
ch50:   CLOSED(0000/0000) dcciwrs <->  CLOSING(0000/0000) DRCiwrS
ch51:   CLOSED(0000/0000) dcciwrs <->  CLOSING(0000/0000) DRCiwrS
ch52:   CLOSED(0000/0000) dcciwrs <->  CLOSING(0000/0000) DRCiwrS

Other channels are used for the modem, GPS, etc.
The RPC channel has a watchdog function.
We can see how it works from the source code in the kernel at
arch/arm/mach-msm/rpc_server_dog_keepalive.c

The DOG_KEEPALIVE service program code is 0x30000015;
we can see transactions like this.

Code:
# cat /sys/kernel/debug/smem_log/dump_sym | grep 30000015
MODM:    2595523    ONCRPC: STD_CALL_ASYNC: 00000008 30000015 00000002 00000000 00000000 00000000
MODM:    2926645    ONCRPC: STD_CALL_ASYNC: 00000009 30000015 00000002 00000000 00000000 00000000
MODM:    3257785    ONCRPC: STD_CALL_ASYNC: 0000000a 30000015 00000002 00000000 00000000 00000000
MODM:    3588909    ONCRPC: STD_CALL_ASYNC: 0000000b 30000015 00000002 00000000 00000000 00000000
...

If we can stop this RPC calling from the MCPU, it seems it's not going to crash.
Or I have to implement an RPC replying function in usbloader..

see you next report.
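To see how regularly the modem's DOG_KEEPALIVE call fires (and so how promptly a loader must answer it before the watchdog gives up), here is an added example that parses smem_log lines in the shape quoted above; it is not part of the original post. It assumes the first data word is the RPC transaction id and the second is the program number, and the sample lines are constructed (the 30000001 line is invented to show filtering).

```python
import re

# Constructed sample in the shape of /sys/kernel/debug/smem_log/dump_sym
# as quoted in the post. The line tagged 30000001 is made up to show that
# calls for other programs are filtered out.
SAMPLE_LOG = """\
MODM:    2595523    ONCRPC: STD_CALL_ASYNC: 00000008 30000015 00000002 00000000 00000000 00000000
MODM:    2600100    ONCRPC: STD_CALL_ASYNC: 00000011 30000001 00000001 00000004 00000000 00000000
MODM:    2926645    ONCRPC: STD_CALL_ASYNC: 00000009 30000015 00000002 00000000 00000000 00000000
MODM:    3257785    ONCRPC: STD_CALL_ASYNC: 0000000a 30000015 00000002 00000000 00000000 00000000
MODM:    3588909    ONCRPC: STD_CALL_ASYNC: 0000000b 30000015 00000002 00000000 00000000 00000000
"""

# DOG_KEEPALIVE program number from the post (see rpc_server_dog_keepalive.c).
DOG_KEEPALIVE_PROG = 0x30000015

LINE_RE = re.compile(
    r"^(?P<side>\w+):\s+(?P<ts>\d+)\s+ONCRPC:\s+(?P<event>\w+):\s+"
    r"(?P<words>[0-9a-fA-F]{8}(?:\s+[0-9a-fA-F]{8})*)\s*$")


def parse_oncrpc_log(text):
    """Return one dict per ONCRPC line. Assumption (not stated on the page):
    the first data word is the RPC transaction id (xid) and the second is
    the program number; remaining words are kept raw."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ONCRPC event line; skip it
        words = [int(w, 16) for w in m.group("words").split()]
        calls.append({"side": m.group("side"), "ts": int(m.group("ts")),
                      "event": m.group("event"), "xid": words[0],
                      "prog": words[1], "rest": words[2:]})
    return calls


def keepalive_stats(calls, prog=DOG_KEEPALIVE_PROG):
    """Isolate the watchdog calls for `prog` and measure their cadence.
    Timestamps are in the log's own units; a jump in xid between two
    consecutive keepalives means a call is missing from the captured log."""
    ka = [c for c in calls if c["prog"] == prog]
    pairs = list(zip(ka, ka[1:]))
    intervals = [b["ts"] - a["ts"] for a, b in pairs]
    gaps = [(a["xid"], b["xid"]) for a, b in pairs if b["xid"] != a["xid"] + 1]
    return {
        "count": len(ka),
        "xids": [c["xid"] for c in ka],
        "intervals": intervals,
        "xid_gaps": gaps,
        "period": round(sum(intervals) / len(intervals)) if intervals else None,
    }
```

Feed it the real dump_sym output to get the actual keepalive period on your device; the constructed sample reproduces the four calls quoted in the post.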
 

biktor_gj

Senior Member
Jan 25, 2008
1,408
7,008
Maybe this comes in handy (extracted from the code). Though I'm not completely sure that if it notifies a system_reboot to the AMSS the complete chipset will be reset, but maybe worth a try ;)
Code:
/* SEMC: Add functions to communicate with AMSS - start */
void smsm_wait_for_modem(void)
{
	uint32_t *smsm = NULL;
	unsigned long flags;

	printk(KERN_INFO "Waiting for Modem...\n");
	for (;;) {
		spin_lock_irqsave(&smem_lock, flags);
		if (smsm == NULL) {
			smsm = smem_alloc(ID_SHARED_STATE,
						SMSM_NUM_ENTRIES * sizeof(uint32_t));
		} else {
			if ((smsm[SMSM_MODEM_STATE] & SMSM_OSENTERED) != 0) {
				spin_unlock_irqrestore(&smem_lock, flags);
				break;
			}
		}
		spin_unlock_irqrestore(&smem_lock, flags);
		schedule();
	}

	return;
}

/* SEMC:CE: DMS00760180: Linux freezes when the phone crash during smd spin lock - start */
void smsm_notify_apps_crash(void)
{
	uint32_t *smsm;
	unsigned long flags;
	uint32_t old_state;

	/* smem_lock is already held and all instances of acquiring
	 * smem_lock use spin_lock_irqsave, so no need to acquire the
	 * lock again, as we are not in any critical section ...
	 *  
	 * Then why do we need the lock ? ... 
	 * Hmm If it is not already held , better to get the lock to 
	 * disable interrupts and prevent any further modification of smsm[]
	 *
	 */ 
	if(!spin_is_locked(&smem_lock)) {
		spin_lock_irqsave(&smem_lock, flags);
		smsm = smem_alloc(ID_SHARED_STATE,
				SMSM_NUM_ENTRIES * sizeof(uint32_t));
		if (smsm != NULL) {
			old_state = smsm[SMSM_APPS_STATE];
			smsm[SMSM_APPS_STATE] |= SMSM_APPS_CRASHDUMP;
			notify_other_smsm(SMSM_APPS_STATE, old_state, smsm[SMSM_APPS_STATE]);
		}
		spin_unlock_irqrestore(&smem_lock, flags);
	}
	else {
		smsm = smem_alloc(ID_SHARED_STATE,
				SMSM_NUM_ENTRIES * sizeof(uint32_t));
		if (smsm != NULL) {
			old_state = smsm[SMSM_APPS_STATE];
			smsm[SMSM_APPS_STATE] |= SMSM_APPS_CRASHDUMP;
			notify_other_smsm(SMSM_APPS_STATE, old_state, smsm[SMSM_APPS_STATE]);
		}
	}
	return;
}

/* Acknowledge AMSS crash by setting SMSM_APPS_CRASHDUMP */
void smsm_ack_amss_crash(void)
{
	uint32_t *smsm;

	smsm = smem_alloc(ID_SHARED_STATE,
				SMSM_NUM_ENTRIES * sizeof(uint32_t));
	if (smsm != NULL) {
		smsm[SMSM_APPS_STATE] |= SMSM_APPS_CRASHDUMP;
	}

	return;
}
/* SEMC:CE: DMS00760180: Linux freezes when the phone crash during smd spin lock - end */

void smsm_notify_system_reboot(void)
{
	uint32_t *smsm;
	unsigned long flags;
	uint32_t old_state;

/* SEMC:CE: DMS00760180: Linux freezes when the phone crash during smd spin lock - start */
	/* smem_lock is already held and all instances of acquiring
	 * smem_lock use spin_lock_irqsave, so no need to acquire the
	 * lock again, as we are not in any critical section ...
	 *  
	 * Then why do we need the lock ? ... 
	 * Hmm If it is not already held , better to get the lock to 
	 * disable interrupts and prevent any further modification of smsm[]
	 *
	 */ 
	if(!spin_is_locked(&smem_lock)) {
		spin_lock_irqsave(&smem_lock, flags);
		smsm = smem_alloc(ID_SHARED_STATE,
				SMSM_NUM_ENTRIES * sizeof(uint32_t));
		if (smsm != NULL) {
			old_state = smsm[SMSM_APPS_STATE];
			smsm[SMSM_APPS_STATE] |= SMSM_SYSTEM_REBOOT;
			notify_other_smsm(SMSM_APPS_STATE, old_state, smsm[SMSM_APPS_STATE]);
		}
		spin_unlock_irqrestore(&smem_lock, flags);
	}
	else {
		smsm = smem_alloc(ID_SHARED_STATE,
				SMSM_NUM_ENTRIES * sizeof(uint32_t));
		if (smsm != NULL) {
			old_state = smsm[SMSM_APPS_STATE];
			smsm[SMSM_APPS_STATE] |= SMSM_SYSTEM_REBOOT;
			notify_other_smsm(SMSM_APPS_STATE, old_state, smsm[SMSM_APPS_STATE]);
		}
	}
/* SEMC:CE: DMS00760180: Linux freezes when the phone crash during smd spin lock - end */
	return;
}
Regards
 

cvchetan

Retired Forum Moderator
May 24, 2009
699
59
Bhubaneswar
guys guys, devs only..

if you want to discuss this then open a thread for "other than devs"

I'll sticky it if needed..

chetan
 

goroh_kun

Senior Member
Apr 24, 2010
85
162
Tokyo,Japan or HongKong
current works, RPC keepalive reply is implemented.

I succeeded in avoiding the MCPU crash in the SPL.
I added an RPC event handler to reply to the RPC keepalive call from the MCPU.
I found that the MCPU doesn't crash anymore.

Next, I try to patch the kernel to avoid re-initializing the smem area,
and I added fake new-service RPC events from the MCPU to the ACPU.
So now I can use a new Linux kernel from usbloader :)

http://hotfile.com/dl/58316988/b219136/loader_kernel.zip.html

This is for developers; now I'm preparing a release version.

Thanks, and please wait for the next report.
 

Bin4ry

Inactive Recognized Developer
Nov 14, 2008
2,007
5,907
Berlin
WWWWWWOOOOOOOOOOOOOOOOOOOOWWWWWWWWWWWWWWWWWWWW!!!!!!!!!!!!!
GOROH YOU ARE THE BEST :)))))

Regards
Andreas



 

jerpelea

Senior Recognized Developer
Nov 7, 2006
7,474
40,177
Lund
sites.google.com
thanks
for loader

smd_rpcrouter.c
is broken and will not compile
will try debugging


@.config - why do you use the s1 loader?
we can use the Qualcomm loader (see configs folder)
 

Cablekevin

Senior Member
Jan 27, 2010
216
3
0172
www.cablekevin.nl
This was the thing that went wrong time after time? Or am I not getting the complete picture.
 

goroh_kun

Senior Member
Apr 24, 2010
85
162
Tokyo,Japan or HongKong
patched kernel source code

Hi, I uploaded the patched kernel source code.

http://hotfile.com/dl/58576670/b835c4a/X10_Donut_100325_01_patched.tgz.html

After building the kernel image, I made the boot.img like this:

Code:
cp arch/arm/boot/Image .
./mkbootimg --kernel Image --ramdisk ramdisk.gz --base 0x20000000 -o boot-new.img

I'm now working on updating splboot and usbloader.
I think it's possible to boot the kernel image directly from the splboot module.
We have many results from analyzing with usbloader :)
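Before flashing a boot.img built the way the post shows, it is worth confirming that the header really encodes the intended --base, since a kernel placed at the wrong address simply never comes up. The checker below is an added example, not part of the post or the X10 tooling; it assumes the version-0 Android boot image header layout and the fixed offsets mkbootimg adds to --base, and builds a constructed sample image to check against.

```python
import struct

# Android boot image header, version 0 (what mkbootimg writes). The post builds
# with --base 0x20000000; mkbootimg then puts the kernel at base+0x8000, the
# ramdisk at base+0x1000000, the second stage at base+0xf00000, ATAGS at base+0x100.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s8I"  # magic, 10 u32 fields, name, cmdline, id[8]
KERNEL_OFFSET, RAMDISK_OFFSET = 0x00008000, 0x01000000
SECOND_OFFSET, TAGS_OFFSET = 0x00F00000, 0x00000100


def build_boot_img(kernel, ramdisk, base, page_size=2048):
    """Lay out a boot.img like mkbootimg does (header page, kernel pages,
    ramdisk pages). Used only to make a constructed sample; not the real tool."""
    def pad(blob):
        return blob + b"\0" * (-len(blob) % page_size)
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC,
                      len(kernel), base + KERNEL_OFFSET,
                      len(ramdisk), base + RAMDISK_OFFSET,
                      0, base + SECOND_OFFSET,
                      base + TAGS_OFFSET, page_size, 0, 0,
                      b"", b"", *([0] * 8))
    return pad(hdr) + pad(kernel) + pad(ramdisk)


def check_boot_img(data, expected_base):
    """Parse the header and verify it agrees with mkbootimg --base expected_base.
    Returns the addresses plus a list of problems (empty means consistent)."""
    problems = []
    if len(data) < struct.calcsize(HEADER_FMT):
        return {"problems": ["file shorter than a boot image header"]}
    f = struct.unpack_from(HEADER_FMT, data)
    magic, ksize, kaddr, rsize, raddr, ssize, saddr, taddr, page = f[:9]
    if magic != BOOT_MAGIC:
        problems.append("bad magic %r" % magic)
    base = kaddr - KERNEL_OFFSET  # recover the --base the image was built with
    if base != expected_base:
        problems.append("kernel_addr 0x%08x implies base 0x%08x, expected 0x%08x"
                        % (kaddr, base, expected_base))
    for name, addr, off in (("ramdisk_addr", raddr, RAMDISK_OFFSET),
                            ("second_addr", saddr, SECOND_OFFSET),
                            ("tags_addr", taddr, TAGS_OFFSET)):
        if addr != base + off:
            problems.append("%s 0x%08x is not base+0x%x" % (name, addr, off))
    if page == 0 or page % 2048:
        problems.append("implausible page_size %d" % page)
    else:
        # every section is padded to a page; the file must contain them all
        def pages(n):
            return (n + page - 1) // page
        needed = page * (1 + pages(ksize) + pages(rsize) + pages(ssize))
        if len(data) < needed:
            problems.append("truncated: %d bytes, need %d" % (len(data), needed))
    return {"base": base, "kernel_addr": kaddr, "ramdisk_addr": raddr,
            "tags_addr": taddr, "page_size": page, "problems": problems}
```

Run check_boot_img over the bytes of boot-new.img with expected_base=0x20000000 before flashing; an empty problems list means the addresses and padding are what the post's mkbootimg invocation should have produced.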
 

Top Liked Posts

  • 161
    Bootloader is broken/bypassed!
    Big bad huge font to avoid confusion =)


    @Goroh_kun:

    Buddy, I know you're still reading these forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.

    BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.



    @devs:





    @SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones :)

    @all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...


    Still busy working abroad,

    Cheers,
    z
    144
    Ok, here we go. It wasn't the April Fool thingy :)

    The bootloader has been bypassed using the kexec/miniloader method

    We are able to boot custom kernels now!


    I'll keep it short as I'm quite busy today... I haven't had much luck with disabling the MPU nor resetting the MCPU - it failed no matter what I did. Same thing with porting shutdown procedures into miniloader. But when I found out that the custom kernel doesn't reboot on baseband 52, I switched to the .504 sources and restarted the work. Using the debugfs tips by Goroh, I realised some stuff I'd rather keep between the developers here... And then *poof* - the green USB LED appeared and I knew I was getting there!

    Anyway... this is the first release of the fully working custom kernel (flashable via xRecovery). I haven't had much time to work on it so it's kind of proof-of-concept. Tested for 48h without any problem (not even a reboot).


    FreeKernel-alpha1:

    http://www.mediafire.com/?d8v914keiqsmc3n

    This is the alpha version of custom 2.6.29 kernel based on the SE sources. I do not plan to work on this release anymore - it is just for testing purpose. From today on I'll start to port SE stuff to the latest (GBread) kernel.


    Changes:

    - removed 32 fps cap
    - implemented netfilter (Droid wall, native USB/wifi tethering etc.)
    - undervolted to 0.950mV to save battery
    - don't remember what else I did, I bet something nasty :)
    - super ugly boot logo!


    Requirements:

    - baseband .52 + the relevant kernel
    - clean 2.1 ROM, compatible with .52 baseband (e.g. .504)
    - working xRecovery


    Please note I am not responsible for any damage this software may cause to your device! Use it at your own risk!

    There is absolutely no support for this alpha release!


    Big thanks to (no particular order): Goroh_kun, Jerpelea, Bin4ry, Maxrfon, Biktor_gj and everybody else who contributed into X10 custom kernel development.


    At first the relevant kernel patches/sources will be delivered to the recognised X10 developers. Later on everything will be released as it's obviously Open Sourced.


    Please refrain from posting comments in this thread - it's for developers only. Spamming will only make our task harder to accomplish!


    Cheers,
    z
    88
    Great job!

    Hi, long time no see.
    It's goroh.

    > zdzihu.
    I'd like to say, your strong effort and indefatigability achieved this brilliant work!

    I have parted with my X10a, but I'm looking forward to seeing development go on.
    :)
    35
    cm7 boots with custom kernel
    31
    Ok Thread Cleaned and j.Anderson banned