The opening of the Wave bootloader through FOTA


adfree

Senior Member
Jun 14, 2008
10,615
6,172
Samsung Galaxy Watch 4
Samsung Galaxy S22
  • Like
Reactions: Rebellos

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
SW Version (software?):
S8530CXJK3 (is it all about the last 5 symbols?)
HW Version:
MP 0.600 (hardware I assume, I think it doesn't matter a lot at all)
CSC Version (:confused:):
S8530PLSJK4 (PLS looks like country/language code of mine)
some other thingys, doesn't look like important any way.

Thanks for quick reply.

Regards
 
  • Like
Reactions: adfree

adfree

Senior Member
Jun 14, 2008
10,615
6,172
Samsung Galaxy Watch 4
Samsung Galaxy S22
Thanx.

I'll try to find this Firmware in my collection or in Internet...

Now this takes a while...


Generally I've had a short look into mijoma's template FOTA.
Only 450 Byte Code... the rest is enough space to write many things.
Over 2 MB place for exercises. :cool:

Best Regards
 

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
As far as I understand the biggest problem here is walking around the bootloader Samsung protection.

Not any more :]
Now we have other problems

So, what tools do I need if I want to inject my own bin code into FOTA mechanism? Do I need to do it by modded firmware update, modifying update file from samsung? How to get this "basefile" if my Wave II soft seems to be the updated?

Let's call it firmware update, but it's actually only one file that you need to upload. You don't need a basefile provided you put the magic values exactly in the locations I described in the first post.

You start with digging out the information about the version of the bootloader. Bootloader is usually not branded, common to all operators. That version shall be important only if you are planning to use anything from the original bootloader to find addresses of the functions you are planning to call - that you need to do manually - get the bootloader file and disassemble it.

What is JTAG? Is it some kind of external machine using internal phone pins to directly interact with chipset or what?

Don't get me wrong, but JFGI rule applies as for that matter. Let me just close that with calling it 'debugging interface'.

What is Download Mode? Is it firmware update mode? Is it possible to update everything through it (including bootloader) or just "normal" OS files?

Yes, yes, yes, as someone once said ;]

Or, in other words, I love experimenting, so please just tell me what better NOT to do and what safe-fail routines the phone does if bootloader update fails,

Well, you don't need to upgrade the bootloader, so just don't do that. In my opinion it's better not to touch phone internal non-volatile memory outside the FOTA. It's not as easy as one might think (little easier than SD support, but next to impossible to do accidentally), so no worries.

I'm conscious that it's easy to break up the handset while updating bootloader and it's possible to recover it only by external interference into flash mem, is it possible to break it by updating other (OS/kernel) files? Or in the worst way update mode is always handled by bootloader (is it?) and I need reflashing to bring back the functionality?

Apart from breaking a bootloader, which would require someone with a JTAG, all the rest should be recoverable.

Best Regards,
mijoma
 

adfree

Senior Member
Jun 14, 2008
10,615
6,172
Samsung Galaxy Watch 4
Samsung Galaxy S22
@ mijoma

Maybe we could make a "workshop" for Beginners.
Only if you have time. Please.

As base I've researched in mijoma_dummyFota_XXJL2_rev_key.zip

I've played around a little bit... only text change... because the first attempt to add more text failed... :eek:

I've made a German Version. :D :D

Only for better understanding for me.
Question number 1.
How to add more text? It seems you have 30 Bytes (30 Chars) each line...

2.
!
Is this from Bootloader? Or you can change into ? or * or...

3.
Position of text?
Is it possible to start in upper corner? :eek:

Thanx for reading.

Best Regards

P.S.:
Attached file is tested by me. BUT it is only to have something to play/compare... at your own risk.
 

Attachments

  • dummyFota_XXJL2_rev_6.rar
    1.7 KB · Views: 36

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
mijoma, could you clarify a doubt about the FOTA system for me?

I have watched the FOTA in this post: http://xdaforums.com/showpost.php?p=12635164&postcount=12
where you have posted the "upload" for XXJEE and XXJL2.

These differ by 4 bytes at 0x...020 - 0x...160, 0x...161, 0x...162, 0x...163.

Are those "different" values coming from the original fota on those firmware or you have got info of this values from the bootloader and replaced it?

(because I want to try to make a FOTA for the XEKC2 bootloader since those versions do not work)

The difference between these two files is the address of the variable holding bootmode and the destination of the jump to the original code. The values come from the comparison of disassembly of both bootloader versions. The original fota is not used (I could have already used the empty one, but I just started with modification of original).
 
  • Like
Reactions: Dokugogagoji

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
@ mijoma

Maybe we could make a "workshop" for Beginners.

The problem is that it's just pure assembly. Each line is loading of the text address to R0 and execution of printf from the original bootloader. Before, display initialization is called. The point of proof-of-concept is the simplicity.


Only for better understanding for me.
Question number 1.
How to add more text? It seems you have 30 Bytes (30 Chars) each line...

The best way - rewrite a piece of code to iterate through some memory where texts should be put.


2.
!
Is this from Bootloader? Or you can change into ? or * or...

Spaces and exclamations come from original bootloader. Should be no problem to patch the image of bootloader in RAM.

3.
Position of text?
Is it possible to start in upper corner? :eek:

Sure. The code just starts with displaying 6 lines of spaces.
 
  • Like
Reactions: adfree

adfree

Senior Member
Jun 14, 2008
10,615
6,172
Samsung Galaxy Watch 4
Samsung Galaxy S22
@ nbates66

Very interesting for me. Thank you very much. :cool:

About FOTA. I've tried several thingies... It seems not possible to Log via WinComm... Hmm. I could try if Qualcomm Communication work in this mode... via QXDM.

WinComm Communication is in apps_compressed.bin...

Best Regards
 

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
Thanks for all replies and advice, started messing around and now I feel kinda stuck, probably missed something on the forums or what.
Is it possible to dump firmware files from Wave through USB connection? Multiloader and QuB seem to have only flashing functions, with no way to download flashmem content.

Thanks in advance

PS: And basically I can upload everything except bootloader using multiloader and if I fukk something up in the worst case I have to reflash using original soft, is that right?
PS2: Well, maybe not "everything" exactly, it's probably possible to cause a highly increased CPU voltage with some dangerous code.
 
Last edited:

astrotom

Senior Member
Apr 3, 2011
99
22
If you want to dump firmware files, you can do it directly using the firmware files which you can download from www.samfirmware.com. And use Trix to dump the firmware files, modify and re-upload them. If you want to get firmware files from the phone, use TkFile Explorer or Stune. You can then modify files and replace them in the phone. I am attaching the required software.
 

Attachments

  • STune.zip
    151 KB · Views: 55
  • TkFileExplorer_2.4.zip
    232.8 KB · Views: 78
  • TriXcomplete1.rar
    4 MB · Views: 65
  • Like
Reactions: Rebellos

astrotom

Senior Member
Apr 3, 2011
99
22
@Rebellos
You can upload bootloaders too with multiloader. But it's recommended that noobs don't use boot change while using multiloader. You won't brick your phone if you don't use boot change. If however you do get an error while flashing, NEVER UNPLUG YOUR PHONE from your PC. Try the flashing process again with bootfiles. Repeat this until you don't get errors while flashing. Errors are shown in the white box on the right hand side.
 
  • Like
Reactions: Rebellos

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
Thanks for all advices.

CMD_USB_DUMP
CMD_USB_DEBUG
CMD_USB_VERIFY
CMD_USB_RESET
CMD_USB_SECURITY
CMD_USB_DOWNLOAD_UNLOCK
CMD_USB_INFO
CMD_USB_SET_DBG_LVL
CMD_USB_FULLDOWNLOAD

Interesting strings (commands?) that I found in the bootloader code, probably usable during download mode. Anyone knows how they are being sent? I assume multiloader does use some of them; wondering what the bootloader produces after sending it the first one.

Furthermore, the bootloader supports "download mode" and "upload mode" as well. Is it a different key combination, or maybe it switches from download to upload mode after receiving a certain command?

Dunno if it's something new for you, probably not, but always. ;d

Ah yes, I'm analysing S8530CXJK3

@Down:
I had read it, just forgot all details.
Still i'm happy i could discover it by myself! :D
 
Last edited:

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
Interesting strings (commands?) that I found in the bootloader code, probably usable during download mode. Anyone knows how they are being sent? I assume multiloader does use some of them; wondering what the bootloader produces after sending it the first one.

These are debug messages for download commands sent to BL. They are transmitted over HDLC packets. Not all commands are implemented, they are dummy and give just simple confirmation response - DUMP, ERASE_MC, READ, VER_CHECK, COPY, UNLOCK, USB_VERIFY, DOWNLOAD_UNLOCK and FULLDOWNLOAD commands do nothing.

Furthermore, the bootloader supports "download mode" and "upload mode" as well. Is it a different key combination, or maybe it switches from download to upload mode after receiving a certain command?

Upload is entered after system crash, hw failure, etc. Generally - after some serious issue. I made a simple FOTA code jumping to the upload mode.
 

adfree

Senior Member
Jun 14, 2008
10,615
6,172
Samsung Galaxy Watch 4
Samsung Galaxy S22
Strange.

Only today I saw for the first time the connection via Modem Port with this Upload data to PC thingie... WinComm seems not to receive data...

For WinComm I know AT command AT+WINCOMM is mandatory...
Maybe Upload must also be unlocked... but how? :confused:

I'm on JE7...

Thanx.

Best Regards

Edit 1.
Interesting PDF:
http://www.armdesigner.com/xsms/html37/uploadfile/20100707120620748.pdf
 
Last edited:
  • Like
Reactions: t0mm13b

kakashibg

Senior Member
Mar 20, 2011
68
13
Bắc Giang
mijoma, along with Oleg_k you are working to complete the project for the bada and android research to launch the s8500 by mode FOTA? would like to ask what progress?
ps: sorry for the stupid question of my little
I use google translate
 

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
mijoma, along with Oleg_k you are working to complete the project for the bada and android research to launch the s8500 by mode FOTA? would like to ask what progress?
ps: sorry for the stupid question of my little
I use google translate

Quite honestly, I haven't got enough time for this. I've done attempts to mount the SD through FOTA, but with little success. It's not that hard, but seems I'm missing some detail.

As for the Android porting project I extracted some LCD handling code and made some modifications to SGS bootloader to match the GPIO in Wave, but that's all.

In the first post of the thread I've already stated I hope somebody can take it from here. The method is served on a plate - has almost no limitations - full memory and devices access, original BL loaded in DRAM (may think about patching). All you need is to write some pieces of the code and test that. What I don't get is how the Samsung Jet community gathered bright enough guys to do all that stuff and Wave owners wait for somebody else to do that job for them, offering donations to everybody asking, even without the skills. You won't ever finish your porting projects if you're planning to base them on 2-3 guys. Better find yourselves some reverse engineers and developers.

I've helped as I could and I'm already reaching my time limit for next several months.
 

aLexzkter

Senior Member
Sep 21, 2010
656
177
So...yeah. We can forget about the port for now :/

No one has showed any interest in Samsung Wave, until three or four guys showed up...but that was obviously not enough...

We should find some American reverse engineers (there are lots of them over the XDA community) although none of them has paid any attention to us so far (as a consequence of no Waves being sold in America)

In my opinion, we could come to an agreement with the XDA staff... they could pin the Android to Wave port thread on the main page and make an engineers' call for the Wave as a request from us on the main page. We have to sort this out in any way and we are open to ideas...

What do you guys think about it?
 
  • Like
Reactions: cinimini

badelemental

Senior Member
Jan 4, 2011
961
170
Bangalore
If mijoma is quitting, then nothing can be done. At this rate maybe oleg_k might lose his interest in the project too. Just praying that this project could be completed successfully, otherwise I am going to sell my wave on ebay and will get an android phone..
 

Top Liked Posts

  • 22
    Hi everyone,

    Many people have complained about the Wave bootloader being closed and that being major problem for the development of alternative OS.

    I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.

    OK, that said I can introduce you to what I found:
    The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this the bootloader will run the phone in normal boot mode, or go to download or upload mode.

    Normal boot shall start with checking the FOTA module. If you already tried flashing your phone you probably noticed that some versions of the FW include a file with *.fota extension. The file is unencrypted and not signed. It's about 2MB, but the bootloader reserves exactly 3MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
    http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
    Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") under the 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in the download mode to load it.
    After that, the code checks for additional magic values at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file is loaded to RAM location 0x43800000 and executed from there.

    I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual attached one (to be bigger than 2,5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded and insert additional data before that. My file had two magic values:
    "FOTA_ENGINE_VER_INFO_2.0" at 0x100 offset and "BPDZ" at 0x280000. At offset 0 I've placed my code that started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
    After loading the file with Multiloader, the message appeared on the screen as expected. Reloading of the original FOTA file made the phone boot normally.

    The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
    As the original bootloader is in the memory as well, we can use it, but I would not recommend that approach as we would need additional version control and changing original routines and data addresses for each version.

    OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.

    Best Regards,
    mijoma


    -----------------------------------
    Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
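The layout described in the first post (version magic at file offset 0x100, "BPDZ" trigger at 0x280000, 3 MB reserved in NAND, last 1024 bytes not loaded) and the byte-comparison question asked earlier in the thread about the XXJEE and XXJL2 uploads both come down to inspecting a FOTA file before it is flashed. The following inspector is an added example and not mijoma's code or a tool from the thread; the constants are the ones stated in the first post, while the function names, the report structure and the sample image it builds are assumptions constructed for this illustration.

```python
"""Inspect a Wave FOTA image for the layout described in the thread.

Added illustration, not code from the thread. Offsets and magic values are
taken from the first post; everything else (function names, the sample
image) is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List

VER_MAGIC_OFFSET = 0x100                     # "FOTA_ENGINE_VER_INFO_2.0" lives here
VER_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
TRIGGER_OFFSET = 0x280000                    # NAND 0xC880000 - 0xC600000
TRIGGER_MAGIC = b"BPDZ"                      # bootloader jumps into the file if present
RESERVED_SIZE = 3 * 1024 * 1024              # bootloader reserves exactly 3 MB
UNLOADED_TAIL = 1024                         # last 1024 bytes are never copied to RAM


@dataclass
class FotaReport:
    size: int
    version_ok: bool
    trigger_present: bool
    fits_reservation: bool
    data_in_unloaded_tail: bool
    findings: List[str] = field(default_factory=list)

    @property
    def would_jump(self) -> bool:
        """Both magic checks from the first post pass: the bootloader would
        load the file to RAM and execute the code at offset 0."""
        return self.version_ok and self.trigger_present


def inspect_fota(image: bytes) -> FotaReport:
    """Apply the checks the first post attributes to the bootloader."""
    size = len(image)
    version_ok = image[VER_MAGIC_OFFSET:VER_MAGIC_OFFSET + len(VER_MAGIC)] == VER_MAGIC
    trigger_present = image[TRIGGER_OFFSET:TRIGGER_OFFSET + len(TRIGGER_MAGIC)] == TRIGGER_MAGIC
    fits_reservation = size <= RESERVED_SIZE
    tail = image[-UNLOADED_TAIL:] if size >= UNLOADED_TAIL else b""
    data_in_unloaded_tail = any(tail)       # non-zero bytes that will never be loaded

    report = FotaReport(size, version_ok, trigger_present, fits_reservation, data_in_unloaded_tail)
    if not version_ok:
        report.findings.append('version magic missing at 0x100: phone would report "FOTA Engine" error')
    if not trigger_present:
        report.findings.append("no BPDZ at 0x280000: bootloader continues normal boot")
    if not fits_reservation:
        report.findings.append(f"{size} bytes exceeds the 3 MB reservation")
    if data_in_unloaded_tail:
        report.findings.append("non-zero data in the last 1024 bytes; that region is not loaded")
    return report


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equally sized images differ (the kind of
    comparison asked about for the XXJEE and XXJL2 uploads)."""
    if len(a) != len(b):
        raise ValueError("images differ in length; pad them to the same size first")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_sample_image(size: int = TRIGGER_OFFSET + 0x1000, with_trigger: bool = True) -> bytes:
    """Constructed sample (not a real FOTA file): zero-filled, with the
    version magic at 0x100 and, optionally, the BPDZ trigger at 0x280000."""
    buf = bytearray(size)
    buf[VER_MAGIC_OFFSET:VER_MAGIC_OFFSET + len(VER_MAGIC)] = VER_MAGIC
    if with_trigger and size >= TRIGGER_OFFSET + len(TRIGGER_MAGIC):
        buf[TRIGGER_OFFSET:TRIGGER_OFFSET + len(TRIGGER_MAGIC)] = TRIGGER_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_image()
    rep = inspect_fota(sample)
    print(f"size={rep.size} version_ok={rep.version_ok} trigger={rep.trigger_present} "
          f"would_jump={rep.would_jump}")
    for line in rep.findings:
        print(" -", line)
    print("differs at:", [hex(o) for o in differing_offsets(sample, build_sample_image(with_trigger=False))])
```

Running `inspect_fota` on a real `.fota` file read from disk tells you, before touching the phone, whether the two magic checks would pass and whether anything you placed near the end of the file falls into the tail the bootloader discards; `differing_offsets` reproduces the four-byte comparison from the thread on any two images of equal size.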
    10
    Thanks guys, but I don't think it's necessary.
    I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.
    9
    Then, obviously i did something wrong, done manual single-byte conversion, works well too. :)

    Mwahahah!
    Sorry if my code looks like cow's ****, it's my first own asm code. :D

    Remember to include proper addresses and modify multiloader header if you want to test it on S8500.

    //edit:
    Okay, any1 wanted to do real file explorer and manager for Wave? Touchscreen handling and some ops left todo. :D

    //edit2:
    SD Card doesn't seem to be mounted by default, so a year of struggles ahead!
    9
    After a week of research I found it!
    We haven't loaded PBL as we thought it was unnecessary. But it has got a very important role. It does a complete reinitialization of the DDR controller MPC0, mapping chip0 to the 0x30 address space (by default it is under 0x20) and chip1 under 0x40 (it does some kind of switching, because before that chip1 is being controlled by MPC1 as chip0)

    For now I've copied parts of PBL code to FOTA, now waiting for Serg to do some tests. Of course I'd be very surprised if that would be enough to boot kernel, but we're closer for sure!