[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

OP *se-nsei.

22nd April 2012, 07:32 PM | #2241 | Antagonist42 (Senior Member)
Not specifically, but found several points of .bin reading with spinlock to do with NAND; there is also the lock and unlock which the whole thing is 'spun', and also using spinlocks to deliberately 'tie up' ports... If I'm confusing things then my apologies, as it's what I've been reading and come across myself, and it could be two acronym meanings for different things lol (just my luck)
22nd April 2012, 09:17 PM | #2242 | heavy_metal_man (Recognized Contributor)
Hey guys, random thought. Does the eng hboot have a kernel built into it? Or flashed with it? The phones have to have a way to write to that partition natively. Is there no way to find and utilize this?

sent from my android powered beast!
22nd April 2012, 11:03 PM | #2243 | theq86 (Senior Member)
Quote (originally posted by heavy_metal_man):

Hey guys, random thought. Does the eng hboot have a kernel built into it? Or flashed with it? The phones have to have a way to write to that partition natively. Is there no way to find and utilize this?

sent from my android powered beast!

hboots do not have a kernel. the simple task they have to do does not require one.
23rd April 2012, 07:14 PM | #2244 | no.human.being (Senior Member)
Yeah, HBOOT runs "on the metal" (no operating system beneath). Now as far as I understand there are two possible scenarios and we don't know for sure which one is implemented.

1. HBOOT sends "unlock" commands directly to the memory controller before booting the kernel. If this was the case, we'd have to modify the kernel to send more "unlock" commands after it has been booted.

2. HBOOT tells the Radio what to unlock via RPC and only Radio can talk to the memory controller. If this was the case, we may not only need to find a way of RPCing the Radio from within Android, but also a way of making it believe that we are HBOOT.

Case 1 is the "good case" and it's the case for e.g. the HTC Vision, where the NAND lock has already been broken, so I hope it's the case for the WFS as well.

Case 2 is much, much worse, since the Radio could actually make use of cryptography to ensure that the HBOOT is authentic before fulfilling its requests. I think we'd be pretty much doomed if that was the case and there probably wouldn't be a way of breaking security other than xtc-clip or faking the signature of a patched HBOOT (which is infeasible when implemented correctly and private keys not leaked) or directly programming the chip via JTAG.
Last edited by no.human.being; 23rd April 2012 at 07:17 PM.
23rd April 2012, 09:16 PM | #2245 | heavy_metal_man (Recognized Contributor)
Bummer. Any luck with getting kernels to go?

sent from my android powered beast!
23rd April 2012, 09:41 PM | #2246 | Wolf Pup (Senior Member)
****. I don't like Case 2. How does XTC do it? Directly changing the byte or by patching HBOOT? Come on! If XTC can do it, so can we! Can someone please summarize what is happening at the moment? I've lost track. And should the OP update the OP?

Sent from my HTC Wildfire S A510e using XDA
23rd April 2012, 10:05 PM | #2247 | theq86 (Senior Member)
even case 2 is not unbreakable. the keys needed must be stored somewhere.

to come back to the clip: it does no magic. it mimics a probably leaked htc service sim and flashes the diagnostics tool. that does s-off. once s-off you can write supercid.

the most important thing is the sim emulator.
24th April 2012, 04:14 AM | #2248 | einstein.frat (account currently disabled)
There is a possibility that dopounutbear's wire method works on the WS: open the WS, you will see contacts, let dopounutbear do its thing and it's s-off, like the xtc clip style.
24th April 2012, 04:27 AM | #2249 | Antagonist42 (Senior Member)
Directly programming which chip? The MMU or mARM via JTAG?

Qualcomm make specific use of protecting access to areas where mARM stores security, so JTAG can only access them 'indirectly' via authentic software or by having the keys/signature (forcing use of JTAG blows the remaining Q-Fuses, making finding the original Q-Fuse sequences even harder). aARM you can use JTAG on, but even then, to get in that way to mARM you still need the keys/signature to get into mARM's protected areas (if I remember rightly, more specifically a 64kB section in IMEM's 256kB area in mARM) which mARM sets up during PBL and then has no direct access to.

This is where I think using official updates that we could alter may at least offer the best way in without crippling or destroying security, which to a certain extent helps protect the whole phone from being exposed to being hacked from outside sources other than the user (if you made use of NFC and you had a rogue app that copies data and transmits it, essentially we'd have exposed our bank details for them)
24th April 2012, 06:39 AM | #2250 | heavy_metal_man (Recognized Contributor)
Well, again, I have an XTC clip in Scotland; if anyone is willing to provide a phone we can do the dumps and see.

sent from my android powered beast!
