
[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

Antagonist42
#2241  
Not specifically, but I found several points of .bin reading with spinlock to do with NAND. There is also the lock and unlock, where the whole thing is 'spun', and also using spinlocks to deliberately 'tie up' ports.... If I'm confusing things then my apologies, as it's what I've been reading and come across myself, and it could be two acronym meanings for different things lol (just my luck)
Wanna get inside what ya got, gotta get out and find it..I found some!
THE END IS NIGH....S-OFF HERE WE COME...
The Latest ACER E320/C6 Rom From Xakep - Very Slick
ACER E320 1.005.00 ROM EUU
 
heavy_metal_man
#2242  
Hey guys, random thought. Does the eng hboot have a kernel built into it? Or flashed with it? The phones have to have a way to write to that partition natively. Is there no way to find and utilize this?

sent from my android powered beast!

 
Devices
-> HTC wildfire (buzz)- currently testing all sorts.

-> HTC wildfire BEE
s-on HTC-dev unlocked
rom: my cooked rom
-> HTC sensation XE
Died a horrible overheating death
-> Nexus 7 32gb wifi
Bootloader unlocked
Rom: ParanoidAndroid 3.1
-> Htc desire s
xtc clip s-off/simunlocked/supercid
revolutionary hboot 7.00.1002
testing roms....
 
theq86
#2243  
Quote:
Originally Posted by heavy_metal_man
Hey guys, random thought. Does the eng hboot have a kernel built into it? Or flashed with it? The phones have to have a way to write to that partition natively. Is there no way to find and utilize this?

sent from my android powered beast!
HBOOTs do not have a kernel. The simple task it has to do does not require one.
Please Search the forums and ask your questions there. I'm no personal supporter.
HTC One (m7_ul)
 
no.human.being
(Last edited by no.human.being; 23rd April 2012 at 07:17 PM.)
#2244  
Yeah, HBOOT runs "on the metal" (no operating system beneath). Now, as far as I understand, there are two possible scenarios and we don't know for sure which one is implemented.

1. HBOOT sends "unlock" commands directly to the memory controller before booting the kernel. If this was the case, we'd have to modify the kernel to send more "unlock" commands after it has been booted.

2. HBOOT tells the Radio what to unlock via RPC and only Radio can talk to the memory controller. If this was the case, we may not only need to find a way of RPCing the Radio from within Android, but also a way of making it believe that we are HBOOT.

Case 1 is the "good case" and it's the case for e.g. the HTC Vision, where the NAND lock has already been broken, so I hope it's the case for the WFS as well.

Case 2 is much, much worse, since the Radio could actually make use of cryptography to ensure that the HBOOT is authentic before fulfilling its requests. I think we'd be pretty much doomed if that was the case and there probably wouldn't be a way of breaking security other than xtc-clip or faking the signature of a patched HBOOT (which is infeasible when implemented correctly and private keys not leaked) or directly programming the chip via JTAG.
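To make the difference between the two cases above concrete, here is an added model (not code from this thread, from HTC, or from any real HBOOT or Radio; the controller, the shared key, the nonce handling and the message label are all assumptions) in which an unlock is either a bare command, as in case 1, or a challenge-response that the controller only honours from a holder of the key, as in case 2, including why a captured unlock message cannot simply be replayed from the booted system.

```python
import hmac
import hashlib
import os

UNLOCK_LABEL = b"NAND-UNLOCK"  # constructed message label, not an HTC value


class PlainController:
    """Case 1: the unlock is a bare command with no authentication, so any code
    that runs after boot (e.g. a modified kernel) can issue it again."""
    def __init__(self):
        self.write_locked = True

    def unlock(self) -> bool:
        self.write_locked = False
        return True


class GatedController:
    """Case 2: the unlock is only honoured when the requester proves it holds
    the key, with a fresh nonce per attempt so observed messages cannot be reused."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None
        self.write_locked = True

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, nonce: bytes, tag: bytes) -> bool:
        if self._nonce is None or not hmac.compare_digest(nonce, self._nonce):
            return False
        self._nonce = None  # the challenge is single-use whether or not this succeeds
        expected = hmac.new(self._key, UNLOCK_LABEL + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.write_locked = False
        return True


def genuine_unlock(ctrl: GatedController, key: bytes):
    """What an authentic boot stage would do: answer the current challenge with the key."""
    nonce = ctrl.challenge()
    tag = hmac.new(key, UNLOCK_LABEL + nonce, hashlib.sha256).digest()
    return ctrl.unlock(nonce, tag), (nonce, tag)


def replay(ctrl: GatedController, captured) -> bool:
    """Re-sending a previously observed (nonce, tag) pair: a different challenge is
    outstanding and the old nonce has been consumed, so the controller rejects it."""
    ctrl.challenge()
    nonce, tag = captured
    return ctrl.unlock(nonce, tag)
```

A real implementation would use an asymmetric signature so that the verifying side holds no signing secret; the HMAC here is only the simplest stdlib way to show the gating and the nonce.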
 
heavy_metal_man
#2245  
Bummer. Any luck with getting a kernel to go?

 
Wolf Pup
#2246  
****. I don't like Case 2. How does XTC do it? Directly changing the byte or by patching HBOOT? Come on! If XTC can do it, so can we! Can someone please summarize what is happening at the moment?
I've lost track. And should the OP update the OP?

Sent from my HTC Wildfire S A510e using XDA
Devices:
 

SGS3 Intl (Current Device)
HTC WFS (Stolen)
HTC TyTn (WM6)

Fun Stuff:
 

I have a TARDIS. All my messages are sent from my TARDIS. I also have a Sonic Screwdriver.
I'm a Doctor Who addict.
I like Minecraft
Quote:
Originally Posted by conantroutman
You people make me sick......

If you wish, please drop me an internet. Thanks.
 
theq86
#2247  
Even case 2 is not unbreakable. The keys needed must be stored somewhere.

To come back to the clip: it does no magic. It mimics a probably leaked HTC service SIM and flashes the diagnostics tool. That does S-OFF. Once S-OFF you can write SuperCID.

The most important thing is the SIM emulator.
 
einstein.frat
#2248  
There is a possibility that the dopounutbear wire method works on the WS: open the WS, you will see contacts; let dopounutbear do its thing and it's S-OFF, like the XTC clip style.
 
Antagonist42
#2249  
Directly programming which chip? The MMU or mARM via JTAG?

Qualcomm make specific use of protecting access to areas where mARM stores security, so JTAG can only access them 'indirectly' via authentic software or by having the keys/signature (forcing use of JTAG blows the remaining Q-Fuses, making finding the original Q-Fuse sequences even harder). aARM you can use JTAG on, but even then, to get in that way to mARM you still need the keys/signature to get into mARM's protected areas (if I remember rightly, more specifically a 64kB section in IMEM's 256kB area in mARM), which mARM sets up during PBL and then has no direct access to.

This is where I think using official updates that we could alter may at least offer the best way in without crippling or destroying security, which to a certain extent helps protect the whole phone from being exposed to being hacked from outside sources other than the user (if you made use of the NFC and you have a rogue app that copies data and transmits it, essentially we'd have exposed our bank details for them).
 
heavy_metal_man
#2250  
Well, again, I have an XTC clip in Scotland; if anyone is willing to provide a phone, we can do the dumps and see.
