[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

csoulr666
#2231
Has anybody taken a look here???
It might be possible that it could be ported to our WFS.
If thou art commit a sin, thy reaper will punish thee!!!

Primary Phone:HTC One Mini 2
Current Rom:Stock Sense 6

Secondary Phone:HTC Wildfire S
Current Rom:CyanogenMod 9
Username Pronunciation: "See-soul-are-triple-six"

You are not the only living person with a problem! Search a bit before posting

schlund
#2232
Quote:
Originally Posted by csoulr666
Has anybody taken a look here???

It might be possible that it could be ported to our WFS.
This will be the solution.
Devices: HTC HD MINI (CM 7.2) | HTC WILDFIRE S (CM 7.2)
Developer for Android on Photon: http://code.google.com/p/photon-android/
My Photonic release: http://forum.xda-developers.com/show....php?t=1455555
My Photonic sources: https://github.com/schlund
goo.im Profile: http://goo.im/devs/schlund RSS-Feed: http://goo.im/rss/schlund

sythe179
#2233
They use old Revolutionary code for an HBOOT that can write to the NAND.

csoulr666
#2234
But the point is that they're doing it with phones which have their bootloaders unlocked via HTCdev... that's the main point.

schlund
#2235
Watch the wire trick!

no.human.being
#2236
Quote:
Very special thanks go to team Revolutionary for the ground-breaking work they did on custom HBOOTs for HTC devices, opening the door to fastboot-enabled bootloaders. The HBOOTs supplied with/by JuopunutBear are based on, and entirely inspired by, their previous original work.
How can they "base something" on Revolutionary? Afaik, apart from the zergRush exploit, Revolutionary have not disclosed anything and their exploit code is heavily obfuscated.

That's the main problem we have. All the Android hackers are b*tching around and not disclosing what they did, so whenever there's a new exploit to be developed by someone else in the scene, they all have to figure it out again and again. Not very productive.

I understand that they want to get credit for their work, but they would still get that if they opened up their stuff. And the thing about "if we disclose the exploit the vulnerability will get fixed" is pure bullsh*t. The firmware is so vulnerable (e. g. the "HTCU" in "misc") and basically we're now at a point where we know how it's done, but we have to build all the kernel-level device driver stuff again. It's a shame!

einstein.frat
#2237
It just needs some scary cake and a wire to S-OFF.

no.human.being
#2238
(Last edited by no.human.being; 22nd April 2012 at 03:09 PM.)
Well, it needs their software to S-OFF as well. Looks like they're pulling one of the lines of the processor's JTAG interface down to ground (expect the SIM card slot holder to be connected to AGND) for whatever reason.

And well, they also seem to be patching the HBOOT, since it says "JoupunutBear" on the top when booted into HBOOT mode, just like it says "Revolutionary" when S-OFFed via Revolutionary. So basically we're all doing the same, just with slightly different methods.

Antagonist42
#2239
Quote:
Originally Posted by no.human.being
Ok, so you claim that mARM's IO is connected to the memory bus, not aARM's, so that mARM has control over NAND and aARM needs to ask, e.g. via RPC, firmware running on mARM to access NAND on its behalf, which would put the Radio in a position where it could intervene in our NAND access, essentially blocking us from writing to the unmapped (Radio) NAND area, right?
Roughly, but not quite. Don't forget that mARM processes most of the peripherals that are on the LSB (Low Speed Bus or EBI2); aARM is on the FSB (Fast Speed Bus or EBI1), dealing with user-space running apps and the NAND's DDR memory. Both ARM systems have access and relevant control for either EBI1/2. As you say, aARM has control exclusively over NAND (is that in a boot mode or full system running mode? or makes no difference?). This I think is partially true as to access or writing, 'except' which part of the NAND memory is 'spin-unlocked', which I think is controlled via either mARM or registers set through mARM to IMEM (verified with the access of Q-Fuses/Signature) to reboot the system with access to write to NAND 'and to spin the lock' {protected memory} to write to AMSS, say, at which time the 'system' area is protected as the lock is spun.

With the Micron NAND you can 'SET' how the pull-up to write on the NAND is done, either by soldering a pin (or not - can't remember off the top of my head) and software programming the pull-up, or it is only software doing the pull-up, so previous systems may only have had NAND chips without this facility, and maybe with the advent of NFC being rolled out it is being used now, which protects the NAND, RADIO etc. from being read whilst the Android system is running, or unable to gain access because the spin-lock is not operated, so no read/write or false reporting of read/write success.

And you may be right that Revolutionary etc. may have found out how to make the system 'pull up' the write access but are ignoring the protected NAND areas, so NFC may (I think) become vulnerable if there is nothing to stop it, like passing a signature/Q-Fuse key.
Wanna get inside what ya got, gotta get out and find it..I found some!
THE END IS NIGH....S-OFF HERE WE COME...
The Latest ACER E320/C6 Rom From Xakep - Very Slick
ACER E320 1.005.00 ROM EUU

no.human.being
#2240
Sure that you really mean spinlock? It's a mechanism for thread synchronization.