Okay, if I'm right wouldn't this exploit apply to every current HTC Android device?
Well yes and no. The principal idea should work everywhere. However, the address of the secu_flag in non-volatile memory will probably vary. And you'll have to build separate kernels for devices with different CPUs.
I couldn't find reliable information about the kernel's base address by grepping for it. If I understand the kernel source correctly, it expects a base address of zero for devices without an MMU. Remember we built the kernel for the MSM7201 processor, as MSM7227 is not directly supported. Supported are MSM7201 and MSM7230 and we decided to go with the older chipset as we expected the chip to be backwards-, rather than forwards-compatible. Now I've selected "MMU support" during kernel configuration, but the only "MMU type" that can be selected for the MSM7201 is called "---", which to me sounds much like a "placeholder".
So I've built a kernel with base address zero. When I boot it, the phone will vibrate one time while booting the kernel, then it will vibrate again, indicating it is rebooting. After vibrating for the second time, the stock firmware (so in my case CM7.2) will boot.
Then I've built a kernel with base address 0x12c00000, which all the other kernels (Alquez' kernel, the kernel that comes with CWM recovery, etc.) seem to use. It will lock up with a white screen.
When I don't supply a "--base" parameter, it seems to default to 0x10000000, but as you know this will also lock the device up with a white screen.
The most fundamental problem is that I'm currently not 100 % sure whether the base address is a characteristic that is device dependent or rather a characteristic that is kernel dependent. So is it right to say "it must be the same address as with all the other kernels for the WFS no matter on which Linux version they are based" or is it rather "it must be the same address as with all the Linux 3.2.5 kernels no matter on which device they run"?
I think it's rather the latter. If I understand correctly, the information is stored in the header of the kernel image and HBOOT reads it and then loads the kernel into the RAM address that's supplied. So HBOOT is the part that's "flexible" and adapts to the kernel. And the kernel is the part that is "inflexible" and only supports being run from exactly one RAM address. So HBOOT loads the kernel wherever the kernel requires it. Now the question is, how to find out where Linux 3.2.5 wants to be loaded?
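The header the post refers to is the standard Android boot image header (`boot_img_hdr`), which `mkbootimg` writes in front of the zImage and ramdisk and which the bootloader reads to get the load addresses. The script below is an added example, not code from this thread or from any of the kernels mentioned in it: it parses that header, prints the four addresses, and recovers the `--base` value the image was packed with, assuming `mkbootimg`'s default offsets (kernel at base + 0x8000, ramdisk at base + 0x1000000, second at base + 0xF00000, tags at base + 0x100). Running it against the boot images of the other kernels for the device (the ones that boot) shows what their headers actually carry, so the comparison does not have to rely on the `--base` value one remembers passing. The built-in sample header is constructed for the demo and uses the 0x12c00000 value quoted above; the name `wfs-sample` and the sizes in it are invented.

```python
import struct
import sys

# Layout of boot_img_hdr (version 0): "ANDROID!" magic, ten little-endian u32
# fields, a 16-byte product name, a 512-byte kernel cmdline and 8 u32 of SHA id.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s8I"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 608 bytes

# Offsets mkbootimg adds to --base when no explicit *_offset option is given.
DEFAULT_OFFSETS = {
    "kernel_addr": 0x00008000,
    "ramdisk_addr": 0x01000000,
    "second_addr": 0x00F00000,
    "tags_addr": 0x00000100,
}


def parse_boot_header(data):
    """Return the size/address fields of a boot.img header as a dict.

    A wrong magic raises ValueError so a truncated file or a plain zImage is
    not silently decoded into meaningless addresses.
    """
    if len(data) < HEADER_LEN or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image header")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    (_magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size, _unused0, _unused1,
     name, cmdline) = fields[:13]
    return {
        "kernel_size": kernel_size,
        "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size,
        "ramdisk_addr": ramdisk_addr,
        "second_size": second_size,
        "second_addr": second_addr,
        "tags_addr": tags_addr,
        "page_size": page_size,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
    }


def infer_base(hdr):
    """Recover the --base mkbootimg was given, assuming its default offsets.

    Every address is checked independently; None means the four addresses do
    not agree on one base, i.e. the image was packed with custom offsets.
    """
    candidates = {hdr[field] - off for field, off in DEFAULT_OFFSETS.items()}
    return candidates.pop() if len(candidates) == 1 else None


def build_sample_header(base, page_size=2048, cmdline=b"no_console_suspend=1"):
    """Construct a header the way 'mkbootimg --base BASE' would (sample data)."""
    addrs = {field: base + off for field, off in DEFAULT_OFFSETS.items()}
    return struct.pack(
        HEADER_FMT, BOOT_MAGIC,
        0x200000, addrs["kernel_addr"],    # kernel_size, kernel_addr (invented size)
        0x100000, addrs["ramdisk_addr"],   # ramdisk_size, ramdisk_addr
        0, addrs["second_addr"],           # second_size, second_addr
        addrs["tags_addr"], page_size, 0, 0,
        b"wfs-sample".ljust(16, b"\0"), cmdline.ljust(512, b"\0"),
        *([0] * 8),
    )


def report(data):
    """Print the load addresses and the implied --base for one header."""
    hdr = parse_boot_header(data)
    for key in ("kernel_addr", "ramdisk_addr", "second_addr", "tags_addr"):
        print(f"{key:13s} 0x{hdr[key]:08x}")
    base = infer_base(hdr)
    print("implied --base:", f"0x{base:08x}" if base is not None else "non-default offsets")
    return hdr


if __name__ == "__main__":
    # Usage: python bootimg_base.py boot.img   (no argument: constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(HEADER_LEN))
    else:
        report(build_sample_header(0x12C00000))
```

Only the first 608 bytes of the image are read, so it works on a `boot.img` extracted from a recovery zip as well as on a raw dump of the boot partition; what it cannot tell you is whether the zImage inside was linked for that address, only where the packer asked the bootloader to put it.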