[ABANDONED] Bootloader unlock - discuss bootloader matters here


eiyee

Member
Jan 29, 2012
20
34
Utopia
Not that I can help, but, in which wiki? I wanted to take a look at that script but I can't find it anywhere :/

You can find it in the droid-developers.org wiki on page How_to_load_mbmloader_from_SD_card, code is called omapusbboot.

The wiki is highly recommended, btw!! An excellent source of high quality information.

Most information is relevant to our Defy as the mechanisms are very similar, if not identical, across all locked Motorola OMAP3xxx based devices AFAICT. Our root key is identical to that of the Milestone2. So we share a common cause with the Milestone/Droid/etc. hackers. :)

I collected some basic Defy info there, too. Nothing new, just putting information in one place. Corrections/additions welcome!
 

hackergnome

Senior Member
Apr 21, 2011
2,613
875
Bengaluru
You can find it in the droid-developers.org wiki on page How_to_load_mbmloader_from_SD_card, code is called omapusbboot.

The wiki is highly recommended, btw!! An excellent source of high quality information.

Most information is relevant to our Defy as the mechanisms are very similar, if not identical, across all locked Motorola OMAP3xxx based devices AFAICT. Our root key is identical to that of the Milestone2. So we share a common cause with the Milestone/Droid/etc. hackers. :)

I collected some basic Defy info there, too. Nothing new, just putting information in one place. Corrections/additions welcome!

I once asked about loading the bootloader from SD but got an answer that it was disabled on the board by Moto (or something similar)

Sent from my MB525 using xda premium
 

Tim_Pan

Senior Member
Aug 20, 2011
191
138
GuangZhou
That was right, thanks.

I found something interesting: a Chinese user with a bricked phone, and all he can get with RSD Lite is "blank omap3630" without any insmod module

http://bbs.dospy.com/thread-13738650-1-404-9.html

The translation is this:

<<<now with 60% the battery, first plug the USB cable, and then press and hold the volume up key, then press and hold the power button, and then put the battery, hear the <<<computer buzz ring tone usb devices inserted, wait a minute, and RSD there is reaction of the At this point, and RSD Display: Type: Blank, OMAP3630, open brush, Failed <<<flashing process.Failed flashing process. Phone [0000]: the Error sending TI ROM, the data packet request. the Device API Error: 0xE0030097 (0xE0031097): phone <<<disconnected.

The post finishes with this:

<<<"The last one, I found that I defy the BL may be unlocked. Because I see with RSD SE FLASH the OMAP 3630"

The "SE" in "SE Flash" means secure engineering. In the past, this type of hardware would allow non-signed builds to be flashed. However, I'm not sure this is the case with Android devices.


But the guy still has his phone bricked, it seems.

I read it, and the fact is the guy bricked his phone then sent it to JS, but he said he knew little about BL so I think he didn't know the board had been changed...
 

Kaffeekranz

Senior Member
Dec 29, 2010
240
128
Has anyone with Flash 1.6 installed tried to use TI's USB drivers instead of Moto's while trying peripheral boot? The .inf has entries for the omap3630 and the vendor IDs are also correct, but it gives me an error (no x64 drivers, not compatible, blah) when I try to install them on an x64 system.
It could be necessary to use those when using the Flash tool.
 

free2live

Senior Member
Jun 2, 2010
579
148
Around the corner
Has anyone with Flash 1.6 installed tried to use TI's USB drivers instead of Moto's while trying peripheral boot? The .inf has entries for the omap3630 and the vendor IDs are also correct, but it gives me an error (no x64 drivers, not compatible, blah) when I try to install them on an x64 system.
It could be necessary to use those when using the Flash tool.

I'll give it a try on a 32-bit system, but what will we do with that without having a bootloader to flash?

Sent from my MB525 using xda premium
 

eiyee

Member
Jan 29, 2012
20
34
Utopia
I am trying to find out if the eFuse reset is plausible, or if there is another explanation for the Chinese eng phones.

If you look at this TI patent PDF linked on http://www.freepatentsonline.com/8112618.html, there is a very detailed description of how eFuses can be set in different steps of the production process (and other good info on boot validation!). It refers to a (much) older OMAP161x but I assume it has not changed significantly for new devices.

The document describes several initial eFuse settings ("embodiments") to suit different production processes and models. Devices can be produced in such a way that they are initially GP (no security) or initially HS (high security). In some embodiments the device type cannot be changed later, in others it can be changed by blowing efuses. There are many variations - read there for all the details.

The description suggests that some devices could leave the factory with different initial eFuse settings - maybe by intention because they are produced for a specific customer/market, maybe due to production mistake or simply because their security component is defective but they don't want to trash the devices.

About GP vs. HS mode, based on the reported omapinfo outputs I think we can conclude that all Defys are in HS mode, even the Chinese unlocked eng phones and Otto.BR's eng phone (right? STATE=205). This is consistent with them appearing as "SE Flash" (Secure + Engineering?). Looks like we can exclude GP mode devices; they don't seem to exist for the Defy.

About engineering mode, to recap: the Motorola bootloaders (mbmloader, mbm) check the PROD and ENG fuse settings to determine if the phone should start in engineering mode, bypassing the normal security checks. Normal Defys consistently have both PROD and ENG fuses set (=locked) whereas Chinese eng phones have only the ENG fuse set (=engineering).

Now, finally (this is getting long, sorry ;)) I see two possible explanations of how the Chinese phones were turned into engineering mode:

- The ENG phones were normal locked devices before they went to service, then came back with eFuses reset. This would prove that some way exists to reset eFuses and that we can dig deeper into what the service did and how. That would be great news but we have no confirmation that this is the case.

- The Chinese ENG phones are from a special production batch with originally all-zero eFuses, maybe for a special customer/market or by accident. Since they would have all-zero eFuses, they can be turned into ENG phones by blowing the single eFuse bit. This would be bad news, as glycosis noted, as we can't "unblow" eFuses.

So how can we find out?

If the unlock process is reproducible, i.e. if it is possible for someone to decide to go to Motorola service and have a good chance of the phone getting unlocked, he/she could dump SWRV (ideally all of the sec.ko output plus a full dump of the internal mmcblk) just before going to service, then again just after coming back from service. The values of SWRV before/after should allow us to tell if an eFuse reset is plausible or not.

Perhaps there is a Chinese speaker here who could help and ask on mfunz if someone would be willing to dump, get unlocked, dump again and share the dumps?
 

GodSlayer

Senior Member
Jun 23, 2011
276
73
There is one thing I noticed about Motorola Unlocked phones.
All phones which were unlocked use fastboot as a flash method, not only RSD Lite.
Our phone doesn't. Maybe that means something?
 

Kaffeekranz

Senior Member
Dec 29, 2010
240
128

As far as I understand the whole thing:
Nope, since they're exploiting a loophole in their uboot, whereas we're blessed with Motorola's mbmloader.

Still, there are some interesting things to be found:

http://www.ti.com/lit/ug/spruhc3/spruhc3.pdf

2.6
All HS devices can be run in NONSECURE mode after initially booting in SECURE
mode using this sequence. (..)

If running in secure mode, with the secure kernel active, you can request a override to
non-secure mode by using the SK_switchNonSec() API call. See the Secure Kernel Users
Guide for more information on the secure kernel APIs

http://omappedia.org/wiki/Bootloader_Project#Building_Xloader_for_EMU
mshield-dk?

But, as I've mentioned a hundred times already, I'm collecting information, but haven't got a clue what it's all about.
And at least the guys on Motorola's bootloader boards seem to be polite:

Hey there. Thanks for the email. Apologize for not responding sooner, as I was on vacation for a few weeks with the birth of my son. I have no new information on the Defy at this moment. Wish I had better news but nothing as of now. If anything is new it will be posted on the boards.
 

Tortuga52

Senior Member
Jan 13, 2011
65
7
@Kaffeekranz

I'm not a pro, but what you said seems to suggest that some kernel hacks/overflows could bring it into unsecure mode?
 

Kaffeekranz

Senior Member
Dec 29, 2010
240
128
Nonono, I'm saying nothing.
I'm just pointing out some promising phrases in TI's docs.
Although these seem just to refer to a DSP.

There's also very interesting information in the TMS320C674x/OMAP-L1x Processor Security User Guide.
Many of the security parameters seem to be the same as in the aforementioned document, so they might (what do I know) be similar for all the OMAP devices and products.
The document needs to be requested here: http://www.ti.com/general/docs/lit/getliterature.tsp?literatureNumber=sprabk7&fileType=pdf
But if somehow your request is rejected I could also upload it at xda.
I think a lot of the information in there might be applicable. (or not)
 

Attachments

  • omapl138-sec-user-guide-sprugq9.pdf
    264.5 KB · Views: 147

Top Liked Posts

  • 23
    OK, me again :p
    Finally, I got the unlock truth....from the one who really really knows about embedded development.

    First, "TI OMAP Board Configure Tool" is just a tool from TI; obviously it's not for public download, just for the companies which bought their OMAP Development Board. This tool can be used for flashing the NAND chip, configuring the kernel ARM board, prebooting the board (just like the "tethered" in Apple iOS devices) etc.
    Second, the 16MB .bin file is a baseboard project file from Moto. This file contains a project header, preboot code and a tiny uboot system etc.
    Third, the factory reset mode can be used for configuring hardware parameters (such as cpu/ram freq, sensors etc) and software parameters (such as nand write address, device type [s/se], secure switch, environment etc) and for the hardware self-check.

    The customer service uses the "TI OMAP Board Configure Tool" to configure the broken phone, such as flashing firmware, prebooting to factory mode etc.
    When they get the broken phone, they use RSD first; if it does not work they will use the "TI OMAP Board Configure Tool" to preboot the phone into factory reset mode (with the baseboard project file).
    In the factory reset mode, the hardware self-check is the first thing; if the hardware is OK they will try to configure the software parameters (such as switching off the secure check so that they can flash *ANY* sbf, emptying the environment variable so that the phone becomes an eng-board, etc).

    So, the unlocking process is just getting into the factory reset mode and switching off the secure check or emptying the environment variable (to be an eng-board) or opening the fastboot mode.

    The truth of the JS unlock process is that they use a tool to empty the environment variable, so the IMEI of an unlocked device has become an invalid 00000012345 etc. Obviously, this may have some side-effects.

    At last, the man told me DO NOT SIMPLY TRY TO UNLOCK WITH RECOVERY (or similar utils in the phone), because Linux can not access the most important things, because these things are not stored in mtd partitions; Linux won't (can't) mount them. Or you can just hack the bootloader program to bypass the secure check, but it's difficult!

    He says that apart from the TI tools, we can research the RSD tool and will find some useful addresses, so that we can write some zeros into the address and empty the environment variable.

    Now I think there is an easy way to go, come on everybody, let's find the man who learned to use JTAG (or other) to dump the data of the entire nand chip of an unlocked device, and grab the header of the data. This data is the unlocked configuration.
    20
    It can be dangerous for your Defy at this stage!!


    Please donate to our developer, Epsylon3 :
    http://xdaforums.com/showthread.php?t=1446106


    Summary : (Thanks coleho_ and t0desicy)
    http://xdaforums.com/showpost.php?p=21579211&postcount=521
    http://daccurso.eu/defy/

    Helping with unlock :
    http://xdaforums.com/showpost.php?p=21402316&postcount=167

    MMCBLK dump :
    http://www.mediafire.com/?khnvrrr82azwq89

    Full dump from a unlocked defy : (Thanks sykoism)
    http://xdaforums.com/showpost.php?p=21398414&postcount=157

    Quick Links :
    Unlocking steps by customer service: http://xdaforums.com/showpost.php?p=21394172&postcount=137 (Thanks viper520)
    and: http://xdaforums.com/showpost.php?p=21395694&postcount=145 (Thanks ericlaw02)

    And thanks to everyone who is helping us try to unlock the bootloader! Any suggestions ARE WELCOME! :D
    18
    Some thoughts....

    Hi folks,

    let me first point out that I do not personally own a Defy and that I'm not fully aware of all the bootloaders floating around.
    I had been PM'ed by furrabbit.nh to give some comments on the attempt to unlock the Defy.

    Let me further point out that I am willing to consider the report from the Chinese guy as trustworthy.
    So I'd like to refer to this translation over here:
    http://xdaforums.com/showpost.php?p=21395694&postcount=145

    Mmmmh, so how to start...
    The security on OMAP processors is a real engineering masterpiece, once the CPU has been set to HS mode.
    By blowing the HS fuse bit the device gets nearly uncrackable.
    There are only two exceptions:
    1. You have Motorola's private key and are able to sign your code
    2. You have an engineering bootloader (signed as well) that does match the hash keys hard-coded into the device

    It seems that there is such a code, if we trust the Chinese report :rolleyes:

    So what does omapinfo give us?
    You might refer to the public datasheet of the OMAP3630, which is in fact kind of a subset of the OEM variant that also includes all the security stuff.
    Tell me if you need the link or something...

    Code:
    STATE :      205
    This simply tells us that the device is marked as a high security device (not in GP mode).
    By setting the HS bit the internal ROM is aware of the use case of the platform.
    In other words the internal ROM code "knows" it is executed on a security enabled smartphone.
    The internal ROM's boot code then treats external devices with certain security aspects and prohibits low level debugging as well (e.g. JTAG access).
    See my thread over here covering the Milestone hardware:
    http://xdaforums.com/showthread.php?t=849632

    Code:
    PKEY0 : c57aa19e 
    PKEY1 : 31fe2d32 
    PKEY2 : 2e48bc96 
    PKEY3 : 15fcea7b 
    PKEY4 : 876578f3
    These device specific hash keys are stored in a particular area called the efuse bank.
    The dedicated registers simply represent the setting of a particular area of fuse bits.
    Often these bits are unique to a certain platform or device model; in this case all Defys of a certain series will have the same keys.
    Thoughts about efuses:
    http://xdaforums.com/showthread.php?t=911611
    Maybe it's not up to date concerning all information, but gives an idea.

    The internal ROM loader inside the OMAP uses these keys to check the consistency of the very first loader stored in external memory (mbmloader).
    Usually this is NAND flash or an eMMC storage device.

    The ROM knowing it is run in HS mode, then expects a certain format for this very first block as well.
    E.g. there are certain keys to grant the rights for the bootcode to access special memory areas.

    These keys are even higher level security... I really have to skip some points here,
    because it would be too much to explain it all and it's already late.

    Code:
    CPU-ID: 2b89102f
    This is obvious if you have a look into the public OMAP3630 manual.
    It is also a hard-coded value and represents the silicon version the processor itself relies on.
    There's no specific effect on the security lock.
    CPU-ID: 1b89102f -> OMAP36xx ES1.1
    CPU-ID: 2b89102f -> OMAP36xx ES1.2
    So you may find 1st generation and 2nd generation devices here... no big deal.
    See page 204 in the OMAP36xx manual.

    If the story of the Chinese guy is true and the service really handed out the same piece of hardware,
    there might be hope to convert a usual phone to an engineering one.
    The engineering bootloader which is used by Motorola simply has to match the pkeys of the customer phones.

    Another story is to flash this loader successfully to your device if you do not have the right tools. So maybe that's why the service needs this mysterious OMAP board configuration tool.
    A good thing would be to have the original SBF file of that bootcode.

    At least this technique sounds similar to other manufacturers who decided to open up their bootloader.
    I guess my comment is not quite complete, but I'll have to sleep now.

    Anyway, I'll have a look here recently and try to answer questions if I find some time.
    I also apologize for this technical overdose, but I was asked to put my thoughts down here ;)

    Happy hacking and good luck!

    scholbert
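As an added example (not code from this thread or from any of its posters), here is a small Python script that parses omapinfo-style `NAME : hexvalue` lines like the ones quoted above, interprets STATE, CPU-ID and PKEY0-4 with the meanings scholbert gives them, and diffs a before/after pair the way eiyee's "dump before service, dump again after" proposal would need. The line format and the reading of STATE 205 as HS mode are taken from the thread; the PKEY values in the constructed "after" dump are placeholders, not from any real device.

```python
import re
from typing import Dict

# Value interpretations taken from the thread (scholbert's post); anything else is "unknown".
CPU_ID_REVISIONS = {"1b89102f": "OMAP36xx ES1.1", "2b89102f": "OMAP36xx ES1.2"}
HS_STATE = "205"  # STATE 205 is what every Defy dump in the thread shows and is read as HS mode

# One "NAME : hexvalue" line, the shape of the omapinfo output quoted in the thread (assumed format).
FIELD_RE = re.compile(r"^\s*([A-Z0-9-]+)\s*:\s*([0-9A-Fa-f]+)\s*$")


def parse_omapinfo(text: str) -> Dict[str, str]:
    """Collect every NAME : hex line into a dict; unrelated lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).upper()] = m.group(2).lower()
    return fields


def describe(fields: Dict[str, str]) -> Dict[str, str]:
    """Translate STATE, CPU-ID and PKEY* into the meanings given in the thread."""
    state = fields.get("STATE", "")
    cpu_id = fields.get("CPU-ID", "")
    pkeys = [fields[k] for k in sorted(fields) if k.startswith("PKEY")]
    return {
        "security_mode": "HS" if state == HS_STATE else "unknown (STATE=%s)" % state,
        "silicon": CPU_ID_REVISIONS.get(cpu_id, "unknown (CPU-ID=%s)" % cpu_id),
        "pkey_fingerprint": "".join(pkeys),  # the same across all phones of one series
    }


def compare_dumps(before: str, after: str) -> Dict[str, object]:
    """Diff two dumps of the same phone, e.g. taken before and after a service visit."""
    a, b = parse_omapinfo(before), parse_omapinfo(after)
    changed = {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    pkeys_changed = any(k.startswith("PKEY") for k in changed)
    # Per the thread the PKEYs are per-series fuse values, so a different set means the
    # two dumps were not read from the same fuse bank, i.e. not the same board.
    if pkeys_changed:
        verdict = "PKEY set differs: not the same board/fuse bank"
    elif not changed:
        verdict = "no fuse-related field changed"
    else:
        verdict = "fields changed on the same board: " + ", ".join(changed)
    return {"changed": changed, "pkeys_changed": pkeys_changed, "verdict": verdict}


# Constructed sample: the values quoted in the thread serve as the "before" dump ...
BEFORE = """STATE :      205
PKEY0 : c57aa19e
PKEY1 : 31fe2d32
PKEY2 : 2e48bc96
PKEY3 : 15fcea7b
PKEY4 : 876578f3
CPU-ID: 2b89102f
"""
# ... and a made-up "after" dump whose PKEYs differ (placeholder values, not from any device).
AFTER = BEFORE.replace("c57aa19e", "11111111").replace("876578f3", "22222222")

if __name__ == "__main__":
    print(describe(parse_omapinfo(BEFORE)))
    print(compare_dumps(BEFORE, AFTER)["verdict"])
```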
    18
    @Otto.Br What was your Defy problem, where did you take it and do you know if it went anywhere else during repair?:cool:

    I was changing the bootlogo again with these instructions.
    Then I issued a REBOOT command on terminal emulator and the phone just showed a black screen, then I pulled the battery and realized the phone was still connected through USB; after that the phone wouldn't power up anymore. So I took it to the Moto service center in downtown São Paulo (Av. São Luis 153, Galeria Metrópole). They said their lab was unavailable, so they shipped my phone (which, by the way, is made in Brasil) back to the factory.

    I hadn't realized it was unlocked (SE) until I read this thread. I'll try to flash an Eclair SBF to see what's what.

    BTW my last SBF flash was JRDNEM_U3_3.4.2_179-002_CEE_DEBLUR for CM7.

    - - - - - - - - - - - - - - - - - - - - - - - - - -

    EDIT: Successfully flashed this 2.1 Eclair ROM
    JORDN_U3_6.36.0_SIGNED_USAJRDNTMOB1B4B5DE1028.0R_JORDANTMO_P022_HWp3_Service1FF

    EDIT 2: Also successfully flashed the 2.3 Gingerbread Chinese ROM
    p3a_jordan_umts_jordan_china-user-2.3.4-4.5.3-66-62-test-keys-ChinaRetail-CN

    YEAH!! I really have an unlocked DEFY!!!:D
    if you guys need anything from me just ask!

    Now, back to froyo CEE => CM7 :D thanks Quarx, Epsylon 3 and Maniac 103 for this awesome ROM! and everyone else here for the support! my thanks meter went CRAZY! :D
    13
    :(:(:(:(:(


    I'm so sorry guys to inform you of that, but today it didn't work out :( :( .. the talks just broke down in between...
    Anyways, I have told my classmate who works for Nokia Siemens in Bangkok to ask her Motorola guys for such tools.:p
    I will also be trying to talk to another classmate who is in Texas Instruments for the OMAP tool..
    The treasure hunt has begun... we will do whatever we can to get the "KEY" to the treasure... we know that only unlocking the bootloader can unlock the door of unlimited opportunity :)
    I know you guys had some hopes on me today.. but it's not just today.. the day will come :) :)
    I will be traveling 500km tomorrow to talk to one more guy who can help :)