[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

no.human.being · Nov 4, 2012

schlund said:
nhb please share the binary you are loading, seems your hboot simply needs to be hacked to stay in bl/fb mode

"loader.bin" is the exploit code.
"hboot_109.img" is the (hacked) HBOOT-1.09.0099 (shell code).
"chain_109.img" is an Android boot image for the WFS containing the concatenated "loader.bin" + "hboot_109.bin" as kernel and an empty (0 byte) initrd.

Key is the same as previous archive and will arrive via PM.

If you know what to change, please let me know.

Thanks for contributing.

EDIT: bgharz16 has just asked me how to analyze HBOOT images. I'm gonna post this in public in case anyone else wants to know as well.

what am i supposed to change, if i want to, display a different version, for eg?? In general, i'm asking.. Could you provide a tutorial or a link to a tutorial on how to read sonething using a hex editor?? And on how to change values in an Hboot image??

The HBOOT image is raw machine code from the first to the last byte. No headers or other data structures, nothing. It begins with the bytes "12 00 00 ea", which is the instruction 0xea000012 or "b 0x50" disassembled, an unconditional branch instruction to address 0x50 physical).

In a hex editor I'd search for the string "1.09.0099" (or whatever HBOOT version you're analyzing). You'll find it at offset 0x4. Then just change it, but be careful to overwrite in-place only. Never "insert" or "remove" something as this will mess up all the addresses so that branch instructions will miss their target etc.

To understand the code, you'll want to put the HBOOT image through an ARM disassembler, e. g. "arm-none-eabi-objdump -D -b binary -m armv5 hboot_109.img > hboot_109.s" will disassemble the "hboot.img" into a file called "hboot.s" containing the corresponding assembler source. Mind that this is machine code, so there are no loops and conditions and function calls and other flow-control, there's just conditional branches. There are also no variables, just registers. It won't be easy to read, but that's just how it is. It's boot code so it's very low-level.

For example the first instruction you see in HBOOT-1.09.0099 is the following.

Code:

       0:	ea000012 	b	0x50

This is where execution begins. It immediately branches to 0x50. There it does some very obscure "bashing" that performs some low-level configuration for the ARM. Then it performs a "branch with link" to 0x410. A "branch with link" is usually a subroutine call, but in this case the subroutine is not expected to return.

Code:

      94:	eb0000dd 	bl	0x410

There a lot of stuff is done. The interesting thing is from 0x4d4.

Code:

     4d4:	e59f0010 	ldr	r0, [pc, #16]	; 0x4ec
     4d8:	e3500000 	cmp	r0, #0
     4dc:	ee011f10 	mcr	15, 0, r1, cr1, cr0, {0}
     4e0:	e1a0f000 	mov	pc, r0

It loads the value from 0x4ec into register r0 ("ldr ..." = load register), then does some comparison ("cmp r0, #0" = compare register 0 to the value 0) and some more "bashing" ("mcr ..." .. mmh not sure about that .. move coprocessor register?!) and then it moves the content of register r0 into the program counter pc ("mov pc, r0" = move register 0 into the program counter). So the value from 0x4ec ends up in the program counter and execution will continue there. What value is at 0x4ec?

Code:

     4ec:	9d000800 	stcls	8, cr0, [r0, #-0]

Ah the value is 0x9d000800. This is a virtual address and it corresponds to 0x800 physical. Let's see what's there.

Code:

     800:	ea000001 	b	0x80c
     804:	9d0738a4 	stcls	8, cr3, [r7, #-656]	; 0xfffffd70
     808:	9d07ccc8 	stcls	12, cr12, [r7, #-800]	; 0xfffffce0
     80c:	e51f0010 	ldr	r0, [pc, #-16]	; 0x804
     810:	e51f1010 	ldr	r1, [pc, #-16]	; 0x808
     814:	e3a02000 	mov	r2, #0
     818:	e5802000 	str	r2, [r0]
     81c:	e2800004 	add	r0, r0, #4
     820:	e1500001 	cmp	r0, r1
     824:	1afffffb 	bne	0x818
     828:	e59fd37c 	ldr	sp, [pc, #892]	; 0xbac
     82c:	ea0000e5 	b	0xbc8

This zeroes the area from 0x9d0738a4 (inclusive) to 0x9d07cc8 (exclusive) word by word, 4 bytes at a time. This is the BSS segment. Then it branches to 0xbc8. This is sub "main".

This is how you analyze an HBOOT image. If you want to change something, just change it. Keep in mind that all words start at an address that's a multiple of 4 and are always 4 bytes (32 bits) long. They are also stored as "little endian" values, which means that if you read the bytes "12 34 56 78" in a hex editor, this will decode to 0x78563412 for the processor (bytes in a word are read "right to left", but the bits inside each byte stay in the right place). The disassembly will also show 0x78... in this case.

GuestK00178 · Nov 4, 2012

heavy_metal_man said:
Allowing you have the device you would need the adapter for the wildfire s, to work out a way to rig the battery to the motherboard when the phone is stripped and the chain loader exploit I think. If you manage to get everything set up correctly then it would be a matter for performing the chain loading exploit and "capturing" the results to see what is returning the stock bootloader. Assuming the riffbox has the support it says, I believe that you can step by step the processes to the processor which will allow us to see exactly what is causing the issue and patch the issue. Thus gaining s-off

What do you mean by adapter for the wildfire s? If it is separate where do I get it?

Sent from my Baconator Over-9000

no.human.being · Nov 4, 2012

Tezlastorme said:
What do you mean by adapter for the wildfire s? If it is separate where do I get it?

JTAG interfaces (Riffbox, etc.) have a 20-pin JTAG connector, which you won't find on the board of the phone for obvious reasons (it's too large). JTAG on the phones is just available as signal traces on the PCB. The "JTAG adapter" is a (phone-specific) circuit board, which has a 20-pin JTAG pin header to connect to a JTAG interface and small needles that pierce through the insulation on the phone's board to "tap into" the JTAG traces.

The JTAG adapter for the Wildfire S is available through this Polish distributor. On the picture you see the 20-pin JTAG header. On the other side of the PCB you have the needles. To perform JTAG debugging on the phone, you need to open it up and remove the board, disconnecting all peripherals such as LCD display, etc. Then you press the JTAG adapter against the board using considerable force so that the needles can "cut through" the insulation and tap the JTAG traces. I used a pair of strong clothespegs to keep pressure on the needles while debugging.

The second problem is that, after you have disconnected everything from the board to remove it from the phone, you won't have a battery housing anymore. The phone will only boot if there's a battery connected (or at least it think there is a battery connected). If you want to avoid connecting the actual battery, you'll need to "emulate" it. "Emulation" must be fairly sophisticated using a regulated DC supply adjusted to 4 V (a Lithium cell has a "nominal voltage" of 3.7 V but it may go to about 4 V when fully charged) and several resistors. I have described the setup here.

Note that you only need a Lithium cell to boot the phone (which you need to do if you want to debug the boot code for obvious reasons). JTAG works without Lithium cell as long as power is provided via USB. This way you can use JTAG to program the phone (write stuff to NAND etc.) but for booting you will need to provide (or emulate) a Lithium cell.

schlund · Nov 4, 2012

thank you. attached a dirty hacked hboot for testing, i removed several "enter"-options only left fastboot mode .. just to see if it works

(password as known)

no.human.being · Nov 4, 2012

schlund said:
thank you. attached a dirty hacked hboot for testing, i removed several "enter"-options only left fastboot mode .. just to see if it works

(password as known)

I cannot test the code as I don't have a Wildfire S, but what exactly did you change? Seems that some pointers are now pointing somewhere else. Aaah, you made that thing always jump to Fastboot mode right?

schlund · Nov 4, 2012

no.human.being said:
I cannot test the code as I don't have a Wildfire S, but the only difference I see is in the page tables?!

uff, so i need some instructions how to use the loader.

what i have done is quite simple, i have changed this kind of "switch case" function.i made the locations of every case stored in 32-bit words to the "fastboot" location, so it has no other possibility than entering this one.

EDIT (as addition to your edit): yes

no.human.being · Nov 4, 2012

schlund said:
uff, so i need some instructions how to use the loader.

what i have done is quite simple, i have changed this kind of "switch case" function.i made the locations of every case stored in 32-bit words to the "fastboot" location, so it has no other possibility than entering this one.

Yeah yeah, I've seen it now. Forget the thing I said about page tables, they look similar but are stored at a lower address.

Using the chainloader exploit is not THAT difficult.

The word at 0x4 is the physical address where the shell code (HBOOT code) will lie when the exploit is running. If you use the "mkbootimg_wfs" utility, it's usually 0x12c08000 (address where the kernel will be loaded by the bootloader on the phone, you'll find this as a little-endian value in the boot image at offset 0xc) plus the size of the exploit code (which is 0x88 bytes if not modified) for a final value of 0x12c08088.

The word at 0x8 is the address where the chainloader exploit will move the shell code to before executing it. This is where the boot code will physically end up in memory and should be left at zero.

The word at 0xc is the size of the shell code in bytes. This is 0x80000 (524.288 bytes) for a normal HBOOT image, since this is the size of the "hboot" partition in NAND.

Remember that all words are little-endian so you'll have to write "88 80 c0 12" in your hex editor for address 0x12c08088 and "88 00 00 00" for 0x00000088 shell code size. What the exploit does is move <word at 0xc> bytes in memory from physical address <word at 0x4> to physical address <word at 0x8>, then disable MMU, caches, etc. to make it appear as if the processor is coming out of a reset and then set the program counter to the address where the code has been moved to (<word at 0x8>).

To combine the exploit with the payload, just concatenate them.

Code:

cat loader.bin hboot_109.img > chain_109.bin

Next create an empty ramdisk.

Code:

echo "" > initrd

Make a bootable Android image.

Code:

./mkbootimg_wfs --kernel chain_109.bin --ramdisk initrd -o chain_109.img

Put the phone into Fastboot mode, then boot the image.

Code:

./fastboot boot chain_109.img

Start holding "Vol-Down" when issuing the Fasboot command to make sure that the "chainloaded" bootloader does not proceed booting into the ROM. In our tests, it would show its boot screen (our "hacked" HBOOT will show "S-OFF" and an "*** INJECTED ***" banner at the top) for about a second or so, then it would revert to "normal" S-ON HBOOT which will show its boot screen in case you're still holding Vol-Down or just boot into the ROM if you released the Vol-Down button in the meantime.

schlund · Nov 4, 2012

great, ty, sounds simple, one final question, could you attach the "mkbootimg_wfs" utility ?

no.human.being · Nov 4, 2012

schlund said:
great, ty, sounds simple, one final question, could you attach the "mkbootimg_wfs" utility ?

Of course. Credit goes to xda-member "pther", who created this wonderful utility.

#define · Nov 4, 2012

Please dont mind this little OT..

But thanks a million NHB..!!
You are teaching me more than my college professors...

artturnip · Nov 4, 2012

Right... nhb... can you say with a good amount of belief that this won't brick the phone?

If so, I'll be happy to test this if given a tutorial for a noob who doesn't even use Linux as his OS

Sent from my Wildfire S A510e using xda app-developers app

no.human.being · Nov 4, 2012

artturnip said:
Right... nhb... can you say with a good amount of belief that this won't brick the phone?

As long as the boot code has no reason to flash anything (no "fastboot flash ..." instruction and no "PG76IMG.nbh" on the SD card) it should not brick the phone.

artturnip said:
If so, I'll be happy to test this if given a tutorial for a noob who doesn't even use Linux as his OS

I think "schlund" can test this himself. At least his signature says "Devices: HTC HD MINI (CM 7.2) | HTC WILDFIRE S (CM 7.2)" so it seems he has a WFS.

schlund · Nov 4, 2012

well, my phone was just "s-off" but to use fastboot boot command i had to unlock it, too, of course in a way without losing warranty

so this took me some time.
finally i was able to test, but unfortunately it wasn't sucessful, yet.
have to do some further research

EDIT: Found out that i have to edit "default" case (seems that this is the case we jump into, cause that pointer to 0x9d0742b0 is empty (well, not "empty" but filled with 0xFF)
it stays in hboot now (no sd checks anymore) and shows "FASTBOOT", as expected. unfortunately usb is not working and we cannot use the keys.
but honestly, thats what i have expected, too

(known from my other device). we have to hack it now to autoconnect usb in fastboot mode.

no.human.being · Nov 5, 2012

schlund said:
well, my phone was just "s-off" but to use fastboot boot command i had to unlock it, too, of course in a way without losing warranty
so this took me some time.
finally i was able to test, but unfortunately it wasn't sucessful, yet.
have to do some further research

EDIT: Found out that i have to edit "default" case (seems that this is the case we jump into, cause that pointer to 0x9d0742b0 is empty (well, not "empty" but filled with 0xFF)
it stays in hboot now (no sd checks anymore) and shows "FASTBOOT", as expected. unfortunately usb is not working and we cannot use the keys.
but honestly, thats what i have expected, too (known from my other device). we have to hack it now to autoconnect usb in fastboot mode.

Wow that sounds GREAT! I'll give you thanks as soon as I have some available.

USB connection does not work because it's initialized by the code that gets "skipped" when going straight to Fastboot mode?

artturnip · Nov 5, 2012

Seriously... I'll test if you want me to... l

Sent from my Wildfire S A510e using xda app-developers app

no.human.being · Nov 5, 2012

@schlund: Are you sure that the problem is actually "USB and keys not working"? I mean how can you distinguish between an HBOOT that is neither responding to USB nor responding to keypresses and an HBOOT that has crashed (e. g. entered an infinite loop)? Both won't show any "signs of life", will they?

If you have followed the thread for a long enough time, you'll know that even without your modification, when there is no SD card in the phone, HBOOT will show its menu and then "crash" (enter an infinite loop). When there's an SD card in the phone, it will check it for the "PG76IMG.nbh" and "PG76DIAG.nbh" files and then "revert" (restore stock HBOOT from NAND). I suspect that the behaviour with the "Fastboot hack" in place is the same as on a stock HBOOT booting to the HBOOT menu with no SD card in place.

BeciMester · Nov 5, 2012

The "switch case" that schlund edited handles the keypresses and the SD card init, that's why they're not working now. Not sure about USB but most probably it's done there somewhere too. It's not frozen, but without keys or USB there's no way to interact with it so it looks like it's frozen.

(I'm on my One X...)

no.human.being · Nov 5, 2012

BeciMester said:
The "switch case" that schlund edited handles the keypresses and the SD card init, that's why they're not working now. Not sure about USB but most probably it's done there somewhere too. It's not frozen, but without keys or USB there's no way to interact with it so it looks like it's frozen.

Good to know. So USB and keys are not working because the switch-case is edited to always (re-)enter Fastboot mode on any event, right?

So basically the HBOOT enters its "main loop", then polls for events.
- If any key was pressed --> enter Fastboot mode.
- If USB was connected --> enter Fastboot mode.
- If SD card was inserted --> enter Fastboot mode.
- If nothing happened --> enter Fastboot mode.

That's about what it does now, right?

dbunic · Nov 6, 2012

First my apology for OT. I have just have one question:

Is it possible to unbrick Samsung Galaxy Mini S5570 (it has msm7227 Qualcomm chip and OneNAND storage) with Clone wiggler and OpenOCD software?

I have built Clone wiggler and I think communication with hard bricked S5570 is established (just search for my first post to see details and images). I'm stuck at this point and any hint, direction or guidance is more than welcome.

Thanks in advance!

GuestK00178 · Nov 6, 2012

Do know for a fact that the riffbox software supports debugging?

Sent from my Baconator Over-9000

[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

Senior Member

Attachments

GuestK00178

Guest

Senior Member

Senior Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

GuestK00178

Guest

Similar threads

Top Liked Posts