[DEV] FBOOT - FOTA bootloader


mijoma

Retired Recognized Developer
Feb 5, 2011
Warsaw
Hello

I treat this thread as DEVELOPMENT focused, so please keep non-technical questions and all the excitement aside and use it strictly for the technical discussion.


As most of you have been able to witness, FOTA seems the right track for bypassing bada bootloader security.
During the Android porting we found ourselves in a situation where we developed fairly simple asm code for the purpose of loading and booting Android.
A successful attempt has some important limitations, though. One major one is the strict dependency on the bada bootloader level 3 (BL3) that we used to interact with the hardware for us and to provide filesystem abstraction. I feel that the main reason for that was coming directly from what was the biggest advantage in the beginning - the simplicity of building a crafted FOTA module from asm.
Since the time I made the discovery of the FOTA vulnerability (as described initially here) and after I provided a sample framework for building a crafted FOTA file for fasmarm (see here), only b.kubica and Rebellos took over and made it into the FOTA booting Android. That approach required installing a specific bootloader version in the phone and used a patched I9000 secondary bootloader (SBL), as we needed it to correctly initialize the display for the kernel.
The first attempt to make it more universal was proposed, but it still only introduced an additional abstraction layer for BL3 calls and was using the very same assembler framework.

I'd like to change something again and therefore I've started a new framework for building FOTA from scratch. This time it is using a proper gcc toolchain and quickly jumps a level higher in abstraction - into C/C++ code. Linker scripts provide the abstraction for building the right FOTA file headers and footers for:
- S8500 running bada 1.x
- S8500 running bada 2.x
- S8530 running bada 1.x
- S8530 running bada 2.x
All four targets are built from the same source files with a single 'make'. I tested all that by writing FLOCK (which is still BL3 dependent but written in C).
In my opinion, it should allow us to get into development of the modules handling hardware, filesystem, etc. by ourselves (or simply building that from external source code handling that), resulting in full independence from the version of the bootloader installed.

Now we get to the right question - do you have suggestions as to what opensource bootloader project we should integrate into FOTA? I've done a proof-of-concept integration of u-boot and it compiles flawlessly (of course, getting it to run is a whole other story as there are lots of low-level initialization procedures to be rewritten). Please answer with some supporting arguments, as it's not a vote and I would prefer a discussion and picking the right solution.
The second thing - is there anybody with the know-how and interest in this development? I'd like to share the code and can support it only in some spare time, so it would be perfect if somebody took it over.

Again, please keep this thread clean - strictly technical discussion here.

Regards,
mijoma
 

adfree

Senior Member
Jun 14, 2008
b.kubica has an awesome demonstration with bTerm and unsecdload.fota:
- dump NAND for Backup or study...
- bypass apps_compressed.bin Integrity check. :cool: :cool:

It would be nice if this could be combined and/or ported to S8530 too.
I wish I could dump with bTerm also in bada 2.0.

I saw only Rebellos did something with bTerm...

Also I miss Upload to...
http://xdaforums.com/showthread.php?t=1176189

:eek:

Thanx in advance.

Best Regards
 

Rebellos

Senior Recognized Developer
May 13, 2009
Gdańsk
One of the logical alternatives to uBoot is Qi from OpenMoko; it is much simpler, but that brings more limitations. And I haven't seen S5PC110 support in there, so some S3C cpu driver would need to be updated.
http://wiki.openmoko.org/wiki/Qi

Also the leaked Loke for Spica could be used - it also has S3C drivers (S5P is only a bit updated S3C arch) already done for S3C64xx, so the cpu driver is the same as above.

Writing a bootloader from scratch is rather pointless and I'd anyway use uBoot for that project - there already exist fully working sources for Odroid, which is Hummingbird based. But there is not much more we can do than hope some dev suddenly pops out of nowhere and joins the project.
 

mijoma

Retired Recognized Developer
Feb 5, 2011
Warsaw
OK.
It's been a while and there has not been any activity around.
I have no time available either. The least I can do is to upload something I had started months ago and never continued.
Maybe somebody experimenting with FOTA can use it at some point, maybe not.

In the attachment there's a project to be built using gcc toolchain (I used the one from bada SDK). It's rather simple but it already implements some of the lowest level stuff so the entry point is in C already and produces all 4 platforms (S8500 bada 1.x, S8500 bada 2.x, S8530 bada 1.x, S8530 bada 2.x) in one go.

I don't say it's an easy go from now, but you can use it however you wish and I hope it may be of some help at some point.

Best Regards,
mijoma
 

Attachments

  • fboot.zip (13 KB)

adfree

Senior Member
Jun 14, 2008
Please.

Maybe mijoma or Rebellos could answer.

1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...

If correct, how was he able to use another Boot? :confused:

I was never able to write an Original Boot of my own choice with RIFF (JTAG)...

2.
As a test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...

Maybe if Devs have S8000 for training...
Maybe this could increase progress a little bit... about Bootloader functions... and/or MODEM AMSS...

3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of the Bootloader Security... also a few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://xdaforums.com/showpost.php?p=32611984&postcount=59

Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot with something else...

In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see... :angel:

Best Regards
 

mijoma

Retired Recognized Developer
Feb 5, 2011
Warsaw
1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...

If correct, how was he able to use another Boot? :confused:

I was never able to write an Original Boot of my own choice with RIFF (JTAG)...

It is possible to replace the whole bootloader chain. Rebellos looked at the options and it turns out that, depending on the data in the iRAM, each bootloader stage will or will not perform a verification of the next bootloader stage.
The bootloader that is used by Unbrickable Mod for our processor (originally used by the Odroid project) breaks the chain of trust, and this is the possibility to write whatever.

2.
As a test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...

Maybe if Devs have S8000 for training...
Maybe this could increase progress a little bit... about Bootloader functions... and/or MODEM AMSS...

You should forget about S8000. It helps us in no way and there's no compatibility between the devices.

3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of the Bootloader Security... also a few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://xdaforums.com/showpost.php?p=32611984&postcount=59

Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot with something else...

In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see... :angel:

It is possible to disable security with JTAG, but work will focus on the development platform that does not require JTAG. It will most probably allow using other bootloaders, but XXJB6 is nothing really special. I would rather like to see something (u-boot based possibly) being able to flash bada and android to OneNAND (not moviNAND as currently) and run both without the security.
Rebellos checked the partition map and it may even be possible to fit both systems into OneNAND if there weren't FOTA installed.

FOTA may be used at the beginning of the process as there's no better place to start with diagnostics, modifications to memory, flashing of unsecure components and so on.
 

adfree

Senior Member
Jun 14, 2008

Maybe luck and ELF files in 1 package...

Best Regards
 

hero355

Senior Member
Dec 10, 2011
Baku
ELF can only be in Operator firmwares (if it has one), because mostly it has been in operator firmwares.

If I have enough space on HDD, I'll check all :)
 

_hacker_

Member
Jan 3, 2013
How to flash?

Hi, I don't get how to flash Android onto Wave 1. And I can't find a download link :confused: Can anyone help me? I downloaded Odin but I can't do anything with it. Can anyone write a short tutorial for that? Sorry, I already gave up trying to find it out myself.
Thanks,
hacker
 

hero355

Senior Member
Dec 10, 2011
Baku
Theory! If we change the phone model in 575's bootfiles to 525 then you'll have a chance.
But :D you'll brick your handset.
 

By_KeReMM

Member
Feb 26, 2012
Kocaeli
@ By_KeReMM

Check this out:
http://xdaforums.com/showthread.php?t=1325713

Maybe search the Internet for existing ELF files for Broadcom...


Maybe this helps...

Best Regards

I don't understand, but I checked this.

Are 7230 and 7230E the same phones? 2 links don't work: "No Torrents Found".

If I port boot files and apps_c..., I ported all fw files. I'll test it. All files work! But apps_c... does not extract.



Sorry, bad English.
 

adfree

Senior Member
Jun 14, 2008
10 years later... :eek:

After reading a little bit... and after editing 2 files...
I was able to compile the demo sources... :good:
http://xdaforums.com/showpost.php?p=34856402&postcount=4

make.cmd and Makefile

Edited to correct the path to my installed bada SDK.

So it is easy...
1 click compiling... after starting make.cmd.

Now I play a little bit...

Thank you mijoma.

Best Regards

---------- Post added at 02:11 AM ---------- Previous post was at 01:46 AM ----------

Lesson 1.1

Inspired by Tigrouzen's nandbootsd.fota ASCII Pic... :good:
Thanx.


Open with Text Editor
FOTA.c

Code:
   disp_FOTA_Printf("| Author:     mijoma         |");

Now you can try text or ASCII Pics... :D

Later I will write how many lines max. are possible...

Best Regards

---------- Post added at 02:36 AM ---------- Previous post was at 02:11 AM ----------

Code:
#include <string.h>
#include <stdarg.h>
#include "BL3.h"

int main(void)
{
   // here we start the real deal :)
   int mmuctrl = MemMMUCacheEnable(gMMUL1PageTable, 1);
   (void)mmuctrl;   // return value not used yet
   disp_FOTA_Init();
   // the display fits 24 lines of 30 characters (measured on S8500, see below)
   disp_FOTA_Printf("*----------------------------*");
   disp_FOTA_Printf("|      FOTA TESTLOADER       |");
   disp_FOTA_Printf("*----------------------------*");
   disp_FOTA_Printf("| Author:     mijoma         |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("|                            |");
   disp_FOTA_Printf("*----------------------------*");
   disp_FOTA_Printf("");

   // .... Your code here...

   // loop infinitely
   while(1);

   return 0;
}

Here you can see the maximum number of visible lines for text output...
I can count 24 lines... tested on S8500.

Best Regards

P.S.:

IMPORTANT!!!
Remember if you play with BOOT or FOTA or whatever on your handset...
ALL at YOUR own risk!

Edit 1.

It seems each line can have 30 Characters...
So 30 x 24 = 720 :D
 

ihavenick

Senior Member
Jan 28, 2013
Yes, I can see text output on my S8500 (XXLA1). :good:
Later I will try if S8530 also works...

No idea... is M210S confirmed meanwhile? Not sure if S8530 FOTA would work in M210S Firmware...
I could later try with S8500... and M210S Firmware...

Best Regards

Truly it's my "ascii" in fota and we made it (with T) in .asm and Fasm compiler, but I can't get this working. I tested this: no output, no boot, but it can boot only bada :D. My bootloader is kk5.
 

Top Liked Posts

Does anyone know how to get the variables for fboot?

_PfsMassInit equ 0x420A9978 for asm
unsigned long c___PfsNandInit[] = { 0xa5fef2be, 0 }; for fboot

then we need

MemoryCardMount equ 0x420AA4D8 this too for Fboot

Here you go! It's to be used with the decrypted bootloader file.
You can find that code in the FBOOT.
At some point I found function checksums (or something between what appears to be an estimate of where a function starts and ends) more reliable than bootloader versions, as there are different compilations of the same bootloader source under the different versions.
All I know is to study the ELF files from the Bootfiles folder... there are some maps...
BL3_univ.map

You can find here and in the ELF text strings...
PfsMassInit

This is all I know, SORRY.
Also I have no time yet for deeper research in this...
This exceeds my knowledge and skills. :eek:


My next practice tests are... investigation in ELF...
Code:
fboot/Obj/FBOOT_S8500_b2x.elf

If these are valid files for JTAG RIFF to upload as
d.load.elf...

Second idea...
Need more brain for compiling ELF... especially BL3_univ_s.elf with bada SDK...
DREAM, because no idea how... :eek:

Last idea... need to find a valid path to download zImage from OneNAND...

Best Regards

Edit 1.
For my JTAG test... with FBOOT_S8500_b2x.elf
Code:
Found valid ELF at pos:00000000
------------------
Type : 0002
Machine : 0028
Version : 00000001
Entry : 43200210
Arch flags : 05000002
Hdr size : 00000034
ProgHdr offset : 00000034
ProgHdr size : 00000020
ProgHdr entries : 00000003
SectHdr offset : 000104B0
SectHdr size : 00000028
SectHdr entries : 0000000C
SectNameStrings : 00000009

ProgHdr:
--------
Type:0x00000001 Offset:0x00008000 VAddr:0x43200000 PAddr:0x43200000 Filesize:0x00000F78 Memsize:0x00000F78 Flags:0x00000007 Addralign:0x00008000
Type:0x00000001 Offset:0x00010000 VAddr:0x43480000 PAddr:0x43480000 Filesize:0x00000410 Memsize:0x00000410 Flags:0x00000005 Addralign:0x00008000
Type:0x00000001 Offset:0x00018000 VAddr:0x44000000 PAddr:0x44000000 Filesize:0x00000000 Memsize:0x00004018 Flags:0x00000006 Addralign:0x00008000

Later more

Edit 2.
JTAG RIFF Box can upload this ELF... :D

So now (for me) I need to know how to compile a Binary from the ELF... if possible with bada SDK

Thanx in advance.

Code:
objcopy -S -O binary input.elf output.bin
It STRIPs the elf file into a raw binary.
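Added example (not code from the thread or from fboot): the RIFF dump above and the objcopy question can be tied together by parsing the ELF32 header and program headers and laying the loadable segments out by load address, which is what `objcopy -O binary` does. The ELF bytes are constructed from the values in the dump with dummy fillers as segment payloads, and the objcopy emulation works on segments rather than sections, which is equivalent here because each section lies inside one segment.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
EHDR_FMT = "<HHIIIIIHHHHHH"  # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"       # ELF32 program header (32 bytes)

def parse_elf32(data):
    """Return (header dict, list of program-header dicts) of a little-endian ELF32."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    hdr = dict(zip(("type", "machine", "version", "entry", "phoff", "shoff", "flags",
                    "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx"),
                   struct.unpack_from(EHDR_FMT, data, 16)))
    names = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    phdrs = [dict(zip(names, struct.unpack_from(PHDR_FMT, data,
                                                hdr["phoff"] + i * hdr["phentsize"])))
             for i in range(hdr["phnum"])]
    return hdr, phdrs

def flat_binary(data, phdrs, fill=0x00):
    """Emulate `objcopy -O binary` at segment level: PT_LOAD segments that carry file
    bytes are placed by load (physical) address starting at the lowest one; gaps are
    filled with `fill` (objcopy's default gap fill is zero). A segment with filesz 0,
    like the .bss-style third one in the dump, contributes nothing.
    Returns (base_address, image)."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD and p["filesz"] > 0]
    base = min(p["paddr"] for p in loads)
    end = max(p["paddr"] + p["filesz"] for p in loads)
    image = bytearray([fill]) * (end - base)
    for p in loads:
        lo = p["paddr"] - base
        image[lo:lo + p["filesz"]] = data[p["offset"]:p["offset"] + p["filesz"]]
    return base, bytes(image)

def build_sample_elf():
    """Construct an ELF32 with exactly the header and segment values of the posted RIFF
    dump. Segment payloads are dummy 0xA5/0x5A fillers, not FBOOT code."""
    data = bytearray(0x104B0 + 0xC * 0x28)  # room for the 12 (empty) section headers
    data[:16] = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, LSB, EV_CURRENT
    struct.pack_into(EHDR_FMT, data, 16, 2, 0x28, 1, 0x43200210, 0x34, 0x104B0,
                     0x05000002, 0x34, 0x20, 3, 0x28, 0xC, 9)
    segs = [(0x8000, 0x43200000, 0xF78, 0xF78, 7),   # RWX: code and data
            (0x10000, 0x43480000, 0x410, 0x410, 5),  # R X: read-only data
            (0x18000, 0x44000000, 0x0, 0x4018, 6)]   # RW : zero-initialised, no file bytes
    for i, (off, addr, fsz, msz, fl) in enumerate(segs):
        struct.pack_into(PHDR_FMT, data, 0x34 + i * 0x20,
                         PT_LOAD, off, addr, addr, fsz, msz, fl, 0x8000)
    data[0x8000:0x8000 + 0xF78] = b"\xa5" * 0xF78
    data[0x10000:0x10000 + 0x410] = b"\x5a" * 0x410
    return bytes(data)

if __name__ == "__main__":
    elf = build_sample_elf()
    hdr, phdrs = parse_elf32(elf)
    base, image = flat_binary(elf, phdrs)
    print(f"machine 0x{hdr['machine']:x} (0x28 = ARM), entry 0x{hdr['entry']:08x}")
    print(f"raw binary base 0x{base:08x}, size {len(image):#x}; "
          f"file bytes in it: {sum(p['filesz'] for p in phdrs):#x}")
    print(f"entry point is at offset 0x{hdr['entry'] - base:x} of the raw binary")
```

The raw binary comes out as 0x280410 bytes although the file carries under 0x1400 bytes of content, because the gap between 0x43200F78 and 0x43480000 is filled, and the entry point lands at offset 0x210 rather than at the start of the image, so whatever loads the .bin must still know the base address and entry.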