(emphasis by me)(0.90.0000 hboot + 7.54.39.08M radio + 4K partition layout phone) look for the 6th bit at 0x201C in the misc partition. If it is '1' then we got s-on. If it is '0' we got hboot s-off.
Yes there are indeed two checks done, and you may have just shed some light on the second one!I rather thought about that may be two sec flags: h-boot s-flag and radio s-flag (master s-flag). You are right about "that strange "special" Radio" but why it works only with the 0.90.0000 hboot?
9D008698 STMFD SP!, {R4,LR} ; Save registers
9D00869C BL sub_9D04414C
9D04414C STMFD SP!, {R4,LR} ; save registers
9D044150 BL sub_9D04CE00
9D04CE00 STR R4, [SP,#var_4]!
9D04CE04 LDR R3, =0x9D086A8C
9D04CE08 LDR R4, [R3] ; R4 = 0xBD100000
9D04CE0C ADD R4, R4, #0xFC000 ; R4 = 0xBD1FC000
9D04CE10 ADD R4, R4, #0xA0 ; R4 = 0xBD1FC0A0
9D04CE14 LDR R0, [R4] ; value from 0xBD1FC0A0 into R0
9D04CE18 AND R0, R0, #1 ; clear all but 1st bit
9D04CE1C LDMFD SP!, {R4} ; restore registers
9D04CE20 BX LR ; return
9D044154 LDMFD SP!, {R4,PC} ; return again
9D0086A0 CMP R0, #0 ; if R0 is not 0...
9D0086A4 MOVNE R0, #1 ; ...load 1 into R0 ...
9D0086A8 LDMNEFD SP!, {R4,PC} ; ...and return
9D0086AC BL sub_9D00769C ; if the first check passed...
9D00769C STR R4, [SP,#var_4]! ; save registers
9D0076A0 LDR R3, =dword_9D07A2DC ; = 0x60303000
9D0076A4 LDR R4, [R3] ; R4 = 0x60303000
9D0076A8 LDR R3, =0x101C ; load the offset
9D0076AC LDR R0, [R4,R3] ; value from 0x6030401C into R0
9D0076B0 LDMFD SP!, {R4} ; restore registers...
9D0076B4 BX LR ; ...and return
9D0086B0 MOV R0, R0,LSR#5 ; shift to the right 5 times
; (move the 6th bit into 1st)
9D0086B4 AND R0, R0, #1 ; clear all but 1st bit
9D0086B8 LDMFD SP!, {R4,PC} ; return
This makes me think that the "jtag dump" is not accurate. I used the hboot's own built-in memory dump routine to extract the RAM content, and that dump is the exact match of the raw hboot data. Could you have a look at how often the differences occur? They seem to follow a pattern, like after every 0x200 bytes one 4-byte block is missing or something. EDIT: the missing bytes you highlighted are part of the page table and if they were really missing the whole thing wouldn't work. So the dump must be inaccurate.BTW...
Look how the hboot is written in NAND. There is a lot of small differences... You use a raw hboot image but what if you could try with the hboot image extracted from the jtag dump (WildFireS_Full_alive.bin)? Maybe that causes restoring in your exploit?
no.human.being said:However, I think that the HBOOT that aARM "sees" (remember that this is not what's actually in NAND - for example the Radio code that aARM sees looks VERY different compared to the code that's actually stored in NAND) is the same that is in the nb0 and not what is in the JTAG dump (and therefore probably in physical NAND).
no.human.being said:We have KNOWN for some time that they perform two checks, but why? Is it for easier testing? Their developers probably test on Radio S-OFF devices. Do they perform this "misc"-check to allow their devs to easily enable security temporarily on their devices by changing a bit in the "misc" partition?
I agree. Munjeni also said that. So that jtag dump may be proper.
4d4: e59f0010 ldr r0, [pc, #16] ; 0x4ec
4d8: e3500000 cmp r0, #0
4dc: ee011f10 mcr 15, 0, r1, cr1, cr0, {0}
4e0: e1a0f000 mov pc, r0
4e4: e1a00000 nop ; (mov r0, r0)
4e8: fff00000 ; <UNDEFINED> instruction: 0xfff00000 ; IMB
4ec: 9d000800 stcls 8, cr0, [r0, #-0]
800: ea000001 b 0x80c
804: 9d0798d0 stcls 8, cr9, [r7, #-832] ; 0xfffffcc0
808: 9d08d324 stcls 3, cr13, [r8, #-144] ; 0xffffff70
80c: e51f0010 ldr r0, [pc, #-16] ; 0x804
810: e51f1010 ldr r1, [pc, #-16] ; 0x808
814: e3a02000 mov r2, #0
818: e5802000 str r2, [r0]
81c: e2800004 add r0, r0, #4
820: e1500001 cmp r0, r1
824: 1afffffb bne 0x818
828: e59fd37c ldr sp, [pc, #892] ; 0xbac
82c: ea0000e5 b 0xbc8
bc8: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
The micro-switches were worn out. It was still usable, but I decided to send it to HTC to have it fixed before the warrenty period ends. However, they said that the board on which it is based is no longer produced by their supplier, so they can neither replace the board on it nor manufacture new devices of this type, so the device is basically discontinued. Since they don't have any devices left in stock, they could not send me a replacement device either, so they offered me a refund of the entire price I paid for it. Good news for me, as I basically had a phone now for one and a half years basically without paying anything for it, but it also means that I don't have access to the device anymore.
I'm on a Samsung Galaxy Nexus now. As you know that one's based on an OMAP4460 chipset, which has absolutely no security in place, so there's currently nothing I could hack.
No!! Chances of s-off our wfs will be gone
Sent from my HTC Wildfire S A510e using xda app-developers app
Are they expensive? Or will it just not work with jtag? Yes... I know of the voltage problems... I have been following this thread. But can we fix that?
Maybe we should harass Lauterbach as Qualcomm use them
GT540 - E320 is poorly
Well I basically did a lot of of low-level (mostly hardware) stuff to the phone recently, not so much actual development. I found out how to configure OpenOCD (don't know whether the configuration is any good, since lots of values are more "good guesses" than actual knowledge but at least it's a starting point). I found how to get the board to boot without being attached to the Lithium cell which is not important for getting JTAG access (because this works as long as the board has power supply, being booted is not neccessary for JTAG to work) but will later be needed for tracing through the boot code, since the phone won't boot without what it thinks is a Lithium cell. However, I didn't get the debugger running yet. I suspect that the processor's logic level might be too low for the JTAG equipment. I don't really have an idea how to work around that yet, I might need to build a circuit that boosts the processor's JTAG signal to the appropriate voltage level (a so-called "level-shifter").
Apart from that munjeni and Antagonist42 also seem to make progress, but I must admit that I wasn't really able to keep track of all the things that they were doing recently. So basically we're now down at the actual physical layer and messing around with the electrical stuff that's going on on the phone's board and trying to find a way of actually talking to the processor to get the on-chip debugging working.
The far goal will be getting a patched HBOOT that has signature verification removed loaded into the device's memory via JTAG, then flash a patched HBOOT image via Fastboot. If this works it will be the first S-OFF GSM WFS that's neither shipped S-OFF nor turned S-OFF via xtc-clip, but this might still be a long long way.
.... Files and Documents Scavenged from the net for our use .. enjoy ....
Please message me if you require the docs and HAVE 10 "relevant" / "DEV-MOD" postings as "10 and in" to satisfy postings and links requirements will be ignored.
Great! How you got it? Trought fastboot boot command?? Maybe I can help? If this can working there will be a lot off s-off devices using your method!If you no want to risk I will test your code on my aria!
~ # cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00040000 "misc"
mtd1: 00500000 00040000 "recovery"
mtd2: 00340000 00040000 "boot"
mtd3: 10400000 00040000 "system"
mtd4: 02300000 00040000 "cache"
mtd5: 09600000 00040000 "userdata"
mtd6: 00a00000 00040000 "devlog"
mtd7: 02fc0000 00040000 "radio"
~ #
~ # cat /dev/mtd/mtd7 > /sdcard/radio.img