[Q] How to edit Skrilax_CZ or Mioze7Ae's OpenRecovery to work on XT711?

#21 Mioze7Ae (Retired Recognized Developer)
OK, that means the hijack is installed, but there's something wrong with the bootstrap or the switch from lite to full recovery. I need to think about how to debug this.

If you remove the sdcard and boot while holding volume-up does it also get stuck at the (M)?

How did you get into OpenRecovery lite?
Milestone XT720 -- CM6.3.6.2/github -- OpenRecoveryXT720 -- fastboot kernels -- SBF master thread/mirrors -- reverendkjr's video tutorials
SD card/app2ext/Link2SD problems: ORXT720 > "SD Card Utilities" > "Save diagnostics" and post /sdcard/sdcard-info.txt
 
#22 telnet777 (Senior Member, OP)
We used the OpenRecovery.apk downloaded from somewhere.
Installation is successful; then, when we press recovery boot, the phone restarts five or six times and then enters the lite version.

Motorola MILESTONE XT720 Open Recovery
Lite Version
Created by Skrilax_CZ

Then we tried Dexter's OpenRecovery downloaded from here:
http://forum.xda-developers.com/showthread.php?t=971337

It also entered the lite version, but it entered it immediately, without rebooting several times.
 
#23 telnet777 (Senior Member, OP)
Quote (originally posted by Mioze7Ae):
> OK, that means the hijack is installed, but there's something wrong with the bootstrap or the switch from lite to full recovery. I need to think about how to debug this.
>
> If you remove the sdcard and boot while holding volume-up does it also get stuck at the (M)?
>
> How did you get into OpenRecovery lite?


We are now trying to remove the sdcard and boot while holding volume-up.

It seems the same as when sdcard is inserted in the phone.

hhcat had said that switch.sh uses "STR" to transfer the fstab; maybe changes should be made according to the XT711. And it is very easy to do so.
 
#24 telnet777 (Senior Member, OP)
I need to apologize to "小⑨一只". I made a mistake yesterday. He is a boy in high school, not a girl. Many thanks to him.

With his aid, we arrived at this point, because I have no XT711 in hand at the moment.
 
#25 telnet777 (Senior Member, OP), last edited 23rd February 2012 at 06:41 AM
More good news!
hhcat just told me he'll test Android 2.3 on the XT711 this weekend. He thinks there is no big problem with Open Recovery, such as comparing the partition info with the XT720 and making some changes. Maybe he'll need to ask some questions about it on XDA.

Thank you, Mioze7Ae. Without your detailed reply, we could not have gone further step by step and seen the morning twilight now! And I learned a lot in these six days.
 
#26 hhcat (Member)
Quote (originally posted by Mioze7Ae):
> I re-checked and you're right. I was remembering a different step where it runs "/system/persistent/orbootstrap/utils/install.%s.btsh" and the %s is detected. I think that is always install.mapphone_umts.rc. The STR is selected when you run the OpenRecovery install.sh, so it's not probed. Sorry for the incorrect info.
>
> The hijack is done in /system/bin/sh
>
> Basically if you look at /init.mapphone_umts.rc, very early in boot it runs a script called /init_prep_keypad.sh. init_prep_keypad.sh is a shell script that is run by /system/bin/sh (the first line of /init_prep_keypad.sh is #!/system/bin/sh, so /system/bin/sh is started to read the commands from /init_prep_keypad.sh). This is the first time during boot that anything from /system is executed (/system isn't signature checked). Skrilax_CZ's hijacked /system/bin/sh does the following things:
>
> 1. If the volume up key is down *or* the /cache/.boot_to_or file is present it runs /system/persistent/orbootstrap/utils/install.mapphone_umts.btsh
> 2. (On my version) if volume down is pressed -- reboot to fastboot bootloader
> 3. Check if /system/bin/sh_hijack.sh exists, if so run that
> 4. Otherwise it just runs /init_prep_keypad.sh
>
> /system/persistent/orbootstrap/utils/install.mapphone_umts.btsh defaults to "OpenRecovery Lite". If /sdcard/OpenRecovery.zip is available that is applied and it "switches" to full OpenRecovery.
>
> /system/bin/sh_hijack.sh reconfigures the / filesystem (on XT720 and A853 usually just by copying the contents of /system/etc/rootfs) and eventually calls /system/bin/2nd-init which restarts /init. This is how we get around the signature check. The / filesystem comes from boot.img so we can't modify it. But it is read into RAM at boot and we can modify it in RAM once we have control.
>
> The source for the hijacked sh is here:
> http://gitorious.org/droid/openrecov...ry/btsh/main.c
>
> There's a somewhat confusing description of what 2nd-init does by cvpcs here: http://cvpcs.org/blog/2011-06-14/2nd...d_how_it_works
>
> NOTE: which binary to hijack varies by phone--some hijack mot_boot_mode, some hijack logwrapper--it all depends on what the stock boot does. On Milestone A853, Milestone XT720 and Motoroi XT720, the sh-hijack is the correct one.
>
> I hope that makes sense, but I may be too comfortable with it.
>
> /system is only checked during the first boot after an sbf flash of the system partition. The init_prep_keypad.sh script in particular can modify /system, so signatures there can quickly become invalid under normal operation.
>
> There's a lot of very good information about the bootloader security on www.droid-developers.org
>
> I also like this blog post by [mbm] http://blog.opticaldelusion.org/2010...-efuse-is.html -- this is what cleared things up for me initially.
>
> In the CDT partition table, partitions that are "type 1" are checked each boot, and "type 5" is only checked once immediately after sbf flash:
> http://www.droid-developers.org/wiki/CDT_Milestone
> I think that information about whether the type 5 partitions have been checked is stored in sp (CG41). Anyway, the take away message is boot.img is always checked, system.img is checked once and may be modified afterwards.

Mioze7Ae, great thanks for your explanations!
Now I know we use a "hijacked sh" to replace the stock "sh", and the "hijacked sh" calls the script install.mapphone_umts.bt.sh. Reading install.mapphone_umts.bt.sh, I found that the last line calls 2nd-init.
But 2nd-init is a binary file, and I am not able to figure out what 2nd-init does. Does the 2nd-init binary finally execute a certain script on the sdcard, e.g. switch.sh? What is the entry point to start OpenRecovery?
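Mioze7Ae's description of the chain (init_prep_keypad.sh -> /system/bin/sh -> install.mapphone_umts.btsh -> optional sh_hijack.sh / OpenRecovery.zip) is exactly the set of things to inventory when a phone lands in the (M) logo or only in OpenRecovery Lite. The script below is an added diagnostic written for this thread; it is not from the thread, from Skrilax_CZ's repository or from OpenRecovery. It uses only the paths named in the post, reports presence and permission bits (it cannot tell the stock sh from the hijacked build), and returns the number of required pieces that are missing. The `make_demo_tree` function builds a constructed sample tree so the checker can be tried on a PC; the function names and the script name are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from OpenRecovery): inventory the
# sh-hijack boot chain on a Milestone-style device. Usage:
#   sh or-chain-check.sh /            (from an adb shell on the phone)
#   sh or-chain-check.sh /mnt/sysimg  (against an extracted system image)
# It only reports presence and permission bits; it cannot tell the stock
# /system/bin/sh from Skrilax_CZ's hijacked one.

# Report one component. kind=exec: must exist and be executable (failure otherwise).
# kind=opt: informational only, never a failure.
check_item() {
    label=$1; path=$2; kind=$3
    if [ "$kind" = exec ]; then
        if [ -x "$path" ]; then echo "OK       $label: $path"; return 0; fi
        if [ -e "$path" ]; then echo "WARN     $label: $path present but not executable"; return 1; fi
        echo "MISSING  $label: $path"; return 1
    fi
    if [ -e "$path" ]; then echo "PRESENT  $label: $path"; else echo "absent   $label: $path"; fi
    return 0
}

# Walk the chain in boot order; the return value is the number of required
# pieces that are missing or unusable (0 means the chain is complete).
or_chain_status() {
    root=${1:-/}; root=${root%/}     # "/" becomes "" so "$root/system" stays absolute
    missing=0

    # 1. /init.mapphone_umts.rc runs /init_prep_keypad.sh; its shebang is what
    #    starts /system/bin/sh, the first code from /system executed at boot.
    keypad="$root/init_prep_keypad.sh"
    if [ -f "$keypad" ]; then
        IFS= read -r shebang < "$keypad" || true
        if [ "$shebang" = "#!/system/bin/sh" ]; then
            echo "OK       keypad script: $keypad starts with $shebang"
        else
            echo "WARN     keypad script: first line is '$shebang', so /system/bin/sh is never reached"
            missing=$((missing + 1))
        fi
    else
        echo "MISSING  keypad script: $keypad"; missing=$((missing + 1))
    fi

    # 2. The interpreter itself (stock, or the hijacked btsh build).
    check_item "shell binary" "$root/system/bin/sh" exec || missing=$((missing + 1))
    # 3. Bootstrap the hijacked sh runs when volume-up is held or the flag file exists.
    check_item "bootstrap" "$root/system/persistent/orbootstrap/utils/install.mapphone_umts.btsh" exec || missing=$((missing + 1))
    # 4. Optional stage that rewrites the RAM copy of / and calls 2nd-init.
    check_item "sh_hijack.sh" "$root/system/bin/sh_hijack.sh" opt
    # 5. Payload the lite bootstrap switches to; without it you stay in OpenRecovery Lite.
    check_item "OpenRecovery.zip" "$root/sdcard/OpenRecovery.zip" opt
    # 6. Flag that forces the bootstrap without holding volume-up.
    check_item "boot_to_or flag" "$root/cache/.boot_to_or" opt
    return $missing
}

# Constructed sample tree for trying the checker offline: everything is in
# place except that the bootstrap lost its executable bit.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/system/bin" "$d/system/persistent/orbootstrap/utils" "$d/cache" "$d/sdcard"
    printf '#!/system/bin/sh\n' > "$d/init_prep_keypad.sh"
    : > "$d/system/bin/sh"; chmod 755 "$d/system/bin/sh"
    : > "$d/system/persistent/orbootstrap/utils/install.mapphone_umts.btsh"
    chmod 644 "$d/system/persistent/orbootstrap/utils/install.mapphone_umts.btsh"
    : > "$d/cache/.boot_to_or"
    echo "$d"
}

if [ $# -gt 0 ]; then or_chain_status "$1"; fi
```

Run it on the phone as `sh or-chain-check.sh /` and read the lines in order: a WARN or MISSING on the keypad script or the shell binary means the hijack is never reached, a problem on the bootstrap matches the "hijack installed but stuck at (M)" symptom, and "absent OpenRecovery.zip" explains landing in Lite only. The exit status is the count of required pieces that failed, so it can be used from a larger test script.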
 
#27 charles98 (Junior Member)
I don't seem to be able to decompile
 
#28 telnet777 (Senior Member, OP)
Quote (originally posted by hhcat):
> Mioze7Ae, great thanks for your explanations!
> Now I know we use a "hijacked sh" to replace the stock "sh", and the "hijacked sh" calls the script install.mapphone_umts.bt.sh. Reading install.mapphone_umts.bt.sh, I found that the last line calls 2nd-init.
> But 2nd-init is a binary file, and I am not able to figure out what 2nd-init does. Does the 2nd-init binary finally execute a certain script on the sdcard, e.g. switch.sh? What is the entry point to start OpenRecovery?

I had the same question when I tried to read this file. How does OpenRecovery work? Who can explain the procedure step by step?
 
#29 hhcat (Member)
Quote (originally posted by Mioze7Ae):
> OK, that means the hijack is installed, but there's something wrong with the bootstrap or the switch from lite to full recovery. I need to think about how to debug this.
>
> If you remove the sdcard and boot while holding volume-up does it also get stuck at the (M)?
>
> How did you get into OpenRecovery lite?

I found "logo" flash may not work in OpenRecovery for xt720. Is this true?
In the file fstab.STCU, there are /system, /data, /cache, /cdrom, but no /logo in it.
 
#30 Mioze7Ae (Retired Recognized Developer), last edited 23rd February 2012 at 03:23 PM
Logo isn't mounted ever; it's used by the bootloader before Linux is even loaded (it's the white (M) logo you see when you turn the phone on). We have flashed different boot.img on XT720. http://forum.xda-developers.com/showthread.php?p=11981953

2nd-init causes the /init process to restart. /init executes commands from /init.rc and /init.mapphone_umts.rc. All of /init, /init.rc, and /init.mapphone_umts.rc are inside boot.img and signature checked before they are loaded into RAM during boot. So, to change them, sh_hijack.sh modifies the copies in the RAM disk and uses 2nd-init to restart the /init process. The source for 2nd-init is in Skrilax_CZ's openrecovery code on gitorious. I'll give a link when I get to a computer. The link I gave earlier to cvpcs's blog explains how 2nd-init causes /init to restart, but I don't think those details are very important for this. Is the XT711 Linux 2.6.29?