[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

seaskyways
Senior Member, Beirut
Strong indication for misc brick.

Right. Also an indicator of a misc USB brick.

Yes. Depending on which device CID you have. I can only give you the misc.img of HTC_EU devices.

However, if you are able to get a misc.img for your country you can fix your misc brick. This is what I've done: http://xdaforums.com/showthread.php?p=23175308&highlight=enableqxdm#post23175308

So, basically all you need is a working misc.img for your phone. If you have it I can tell you exactly how to unbrick, because this is a bit tricky depending on several things.

Hey, please, I tried every method, because I have a mini-USB brick over here, and once I got this mini-USB brick on my brother's wife's phone, so I knew it was in the misc, but I reflashed the bootloader and it was okay, whereas mine is weird. So if you could please make a thread for it in General or even in the Desire S forum :p, we just need it here! Because you may have done something tricky, as you said...

For the S-OFF I have been watching everything, and I am learning more from what I read :D Thanks Theq (pressed) :)
 

theq86
Senior Member, Nuremberg
!!Yes please!! I've been trying to get this thing working for 3 weeks. The only place it can do any good is in my car as a music player. I feel like an iPhone user stuck with a tethered jailbreak.

If you gave me your misc.img, would I be able to hex edit my CID (or super CID it) before flashing?

Thanks again

EDIT: I also did enableqxdm but, not having a valid misc to flash, I remained USB bricked.

I attached my misc.img.

What you have to do is: make sure your SD card works (it should after enableqxdm), go into your ROM (must be rooted), get the flash_image tool (it is inside one of the files attached to this thread) and then run: flash_image misc /mnt/sdcard/misc.img
 

Attachments: misc.img.zip (942 bytes)
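A pre-flight script for the flash_image step described in the post above. This is an added example, not code from the thread, from HTC or from the flash_image/CWM tools: it parses the partition table in the layout the phone's own /proc/mtd uses, refuses a misc.img that is empty or larger than the misc partition, and copies the current partition out before anything is written. Every path is a parameter because the MTD device naming (/dev/mtd/mtd<N>) and the image location on the SD card are assumptions about the phone; with a copied /proc/mtd and dummy files the same checks run on a PC.

```shell
#!/bin/sh
# Added example (not from the thread or from HTC): pre-flight checks for
# "flash_image misc /mnt/sdcard/misc.img" on an MTD-based Android phone.
# Needs only sh, dd, wc and tr, so it also runs from Terminal Emulator.
# Paths are parameters; on the phone they would be (assumption)
# /proc/mtd, /dev/mtd/mtd and the image on the SD card.

# Print "<index> <size_in_bytes>" for a named partition, parsed from the
# /proc/mtd layout:   mtd0: 00100000 00020000 "misc"
# (sizes are hex, the name is quoted; the first line is a header).
mtd_lookup() {
    mtd_table="$1"; part_name="$2"
    while read -r dev size erasesize name; do
        [ "$name" = "\"$part_name\"" ] || continue
        idx=${dev%:}; idx=${idx#mtd}
        echo "$idx $((0x$size))"
        return 0
    done < "$mtd_table"
    return 1
}

# File size without the leading blanks some wc builds print.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Refuse an image that is empty or larger than the target partition:
# flash_image is not the place to discover the image is wrong for this
# device, because a half-written misc is exactly a misc brick.
image_fits() {
    mtd_table="$1"; part_name="$2"; image="$3"
    info=$(mtd_lookup "$mtd_table" "$part_name") || return 2
    part_size=${info#* }
    img_size=$(file_size "$image")
    [ "$img_size" -gt 0 ] && [ "$img_size" -le "$part_size" ]
}

# Rule 1 before flashing anything: copy the current partition out first,
# and only report success when the copy has the partition's full size.
# dev_prefix + index is the raw partition device (assumption: /dev/mtd/mtd).
backup_partition() {
    mtd_table="$1"; part_name="$2"; dev_prefix="$3"; out="$4"
    info=$(mtd_lookup "$mtd_table" "$part_name") || return 2
    idx=${info% *}; part_size=${info#* }
    dd if="${dev_prefix}${idx}" of="$out" bs=4096 2>/dev/null || return 1
    [ "$(file_size "$out")" -eq "$part_size" ]
}

# Run both checks for misc and print the flash command only if they pass.
# The flash itself is deliberately left to the user.
misc_preflight() {
    mtd_table="$1"; dev_prefix="$2"; image="$3"; backup="$4"
    if ! image_fits "$mtd_table" misc "$image"; then
        echo "refusing: $image is empty, or larger than the misc partition" >&2
        return 1
    fi
    if ! backup_partition "$mtd_table" misc "$dev_prefix" "$backup"; then
        echo "refusing: could not back up misc to $backup" >&2
        return 1
    fi
    echo "ok: backup in $backup; now run: flash_image misc $image"
}
```

On a rooted phone this would be invoked as misc_preflight /proc/mtd /dev/mtd/mtd /mnt/sdcard/misc.img /mnt/sdcard/misc.bak (the device path being the assumption noted above). The script never writes to flash; the write is left to flash_image, or to nandwrite from mtd-utils, and the backup it produced is what you flash back if the new image turns out to be wrong for your CID.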

no.human.being
Senior Member
I attached my misc.img.

What you have to do is: make sure your SD card works (it should after enableqxdm), go into your ROM (must be rooted), get the flash_image tool (it is inside one of the files attached to this thread) and then run: flash_image misc /mnt/sdcard/misc.img

Don't know about the "flash_image" tool, but the "nandwrite" tool from "mtdutils" is part of our exploit. I think "flash_image" is part of CWM recovery.

I have sold my WFS :D Thanks for any help guys, I will be going to a Desire Z :D:D or Incredible S!

I probably wouldn't go for an HTC again. I'd go with a Samsung. Galaxy S2 or Galaxy Nexus. I'll probably get one of those after the successors are out and prices have dropped.

If you know where the locked upper and lower partitions are (around what we have access to at the moment, which is mainly the visible system we can alter), we could simply dump all the info, surely? Alter the partitions, maybe? Get the phone to 'unlock' the 'Block Lock', then all data outside what we can map already should be mappable (if not already held in the radio area we cannot access), as any space, as with OOB, is read around to the next readable location; the (let's say 2 separate partitions, as we use the 1 in between them now) 2 partitions would simply be read and the OOB section (our in-use partition now) would be skipped until the next readable location. There is no block on reading and writing except for what is within the given partition on NAND and what is held as 'protected', as with AMSS you may need keys/signed software (as with EUU/RUU).

So you claim that there's STILL more memory than what we can see at this point? Remember that the NAND is specified to have a capacity of 512 MiB (plus a bit of out-of-band area for error correction) and that we can access addresses 0x00000000 to 0x1fffffff physical if we pass kernel parameters. Where will that "protected" area be and what do you expect it to store? We have already gained access to the "Radio partition" containing the code running on mARM (including Pistachio, Iguana, AMSS) some time ago. It starts at 0x00000000 physical (at least what aARM sees as "physical"... if the read/write commands are intercepted by the Radio it might actually do another address translation) and is contiguous (or at least looks contiguous from the aARM's point of view). However, its size (and obviously content) varies among different builds of the Radio firmware.

Now I just hope I make as much sense as you do ;)

You're obviously much more into this than I am. Thank you very much, this was extremely informative! I'm gonna click "thanks" as soon as I have more thanks available. :D

Why make the assumption that only ONE has access? Don't forget that there are two data buses, two data movers, separate and joint RAM in the MSM chip and two kernels running, one as a high-level OS, the other closer to machine code; it is quite viable they could both have access, but only either one at a time or, as the MSM chip is (and if the NAND is) capable, as RISC operations.

Well, as long as aARM has direct access (meaning it can directly put commands on the memory bus instead of having to ask the Radio to put a command on the memory bus), there won't be anything that could prevent us (with our kernel running on the aARM) from unlocking the entire NAND and then writing to the Radio area. If we can write to the Radio area we can patch the HBOOT and obtain S-OFF. This means that, as soon as we have a kernel which can issue "unlock" commands to the NAND, our exploit will just work.

However, if the Radio is acting as a "man in the middle" between NAND and aARM, meaning all memory requests must pass through the Radio firmware, they could easily have integrated a filter that blocks requests affecting the protected memory areas, making our solution intractable. It basically makes the most fundamental assumption of our exploit, namely that our kernel has actual physical memory access, wrong, and I'm not sure whether we will come up with a solution for this case as well, since there is then basically a higher-privileged instance below us that can control what we're doing.
 

no.human.being
Senior Member
Traitor.

Joking, bye bye, I'd also advise a Samsung.

Yeah, but even the Nexus phones have proprietary components in their firmware that are locked down, right?

Btw, is there any completely open firmware build for an Android device yet or will our attempt of porting UBOOT and building Pistachio/Iguana from source be the first?
 

Antagonist42
Senior Member, Bolton
Darn, dang and piffle... stuffed my PC again lol

Think my next move is to see if 'CHECKHTC.exe' can be made executable without being run as part of an EUU/RUU, and see if I can gain access to NAND with nothing else except adb and fastboot.

Woohoo, 10 mins and still loading Windows personal settings lmao. I gotta get around to sorting myself out a Linux system :rolleyes:

ROOTED ACER E320/C6 ;-)
 

no.human.being
Senior Member
I think RUUs only transfer a "ROM.zip" to the phone and let HBOOT flash it.

Btw, I've just been skimming through the UBOOT sources. Man that bootloader is awesome! You can even boot and flash kernels over a network (WiFi?) connection! :D

It also has a "remote shell" with a full-featured command line interpreter behind that lets you change the processor configuration, dump and program volatile (RAM) and persistent (NAND) storage, lock and unlock pages (by default the pages holding UBOOT itself are flagged as "locked", but this is just to prevent "accidents" and can be disabled via the shell with a simple "protect off <range of sector numbers>" command) and much much more. It can do a lot more than HBOOT can, but it's gonna have its own utilities and will not support Android SDK utils like Fastboot.
 
Wolf Pup
Guest
You have got to get that UBOOT on my phone right now! And add ADB and fastboot support, of course! It's a shame. You have a brilliant bootloader, but it doesn't support basic Android utils. Can't have the best of both worlds.

I've been wondering what would happen if all the devs suddenly ditched us. By the way, you remember the first exploit? The one where you have that zip you flash in HBOOT, that you leave on the root of the SD card? What did that actually do, other than brick the camera?

Sent from my HTC Wildfire S A510e using XDA
 


alc027
Senior Member
It's "Das U-Boot". It's a play on words. U-Boot is short for "Universal Bootloader", but it is also German for "submarine" and "das" is the definite article, like "the" in English, so "Das U-Boot" means "the submarine". :D

Lol... I didn't know UBOOT was a real thing, just a misspelling of HBOOT, and made a joke about it. In particular it stands for Unterseeboot, which literally means "undersea boat".
 

no.human.being
Senior Member
Lol... I didn't know UBOOT was a real thing, just a misspelling of HBOOT, and made a joke about it. In particular it stands for Unterseeboot, which literally means "undersea boat".

Lol! UBOOT is the bootloader for embedded Linux. It's GPLed software and boots practically all "non-smartphone/tablet/PDA" embedded devices, like routers, satellite receivers (in fact it also boots the actual satellites themselves :D ), printers, etc. :D
 

alc027
Senior Member
I attached my misc.img.

What you have to do is: make sure your SD card works (it should after enableqxdm), go into your ROM (must be rooted), get the flash_image tool (it is inside one of the files attached to this thread) and then run: flash_image misc /mnt/sdcard/misc.img

All good mate, thanks heaps. No ADB or UMS made root challenging. I used Wifi Sync Manager and Terminal Emulator (it's painful as hell trying to find underscores and overloading operators on the stock HTC keyboard). All sorted now.

Thanks again!

EDIT: Any ideas how we went wrong in the first place? And how did you have the foresight to back up your misc partition?
 

Antagonist42
Senior Member, Bolton
ALWAYS back it up beforehand if you can, as you're essentially entering deep water with flashing, or you can leave your BRICK in the water lol

Unlike MY phone, on which I tried CWM, Titanium, dd and a few dump apps but ended up with nothing, until I finally found Xakep on Club-Acer.ru, who managed to work out a ROM flash to get root on the ACER C6... All I have to do now is work out how to get my Radio version back up to 1.013.0000 from 1.008.0000 (although the actual Radio is still 1.013, I think), seeing as now neither the Xakep update nor the ACER EUU will complete :D

Antagonist42
Senior Member, Bolton
Here's a list of all the NAND chips I've come across mentioned within update files for HTC devices (including this bleeding ACER :p), and I think, if I remember rightly, the one that shows up least is probably your chip (as that's how I found out mine before actually confirming it was that one... kind of a hunch)...

MICRON MT29F4G16ABC
MT29F2G08ABD
MT29F2G16AAD

SAMSUNG KA100H002G

NUMONYX NAND02GR4B2D
NAND04GR4B2D

SAMSUNG K524G2GACB

HYNIX H8BCS0UN0MCR

MICRON MT29F1G08
MT29F1G16

KFW4G16Q2M-DEB8
KFN4G16Q2M-DEB6
KFM4G16Q2A

Let me know which you may have and I'll see what I can find on them. Not sure how much space is on them, but mine is the MT29F4G16ABC, so whatever the 4G comes to in real MB (4G is gigabit, NOT gigabytes)...
... :rolleyes: found it lol, 512 MB (that's why 512 MB of RAM runs out so fast loading so much into it :rolleyes: that's why my old LG GT540 has about as many apps as this ACER before it's full :D). Right, where's my adb and hex editor? I'm having this!
 

no.human.being
Senior Member
I'm a professional application developer. I'd even make a backup of my girlfriend if it were possible. That's Rule 1 before you touch anything. Backup, Backup, Backup!

Right, that's one reason why I like Linux. Just back up all files under "~". The other files are system-specific and will be restored (or replaced) on a reinstall. Backups of "~" are performed on a daily basis and stored on an external drive.

When I don't have copies of my data on at least two completely independent media I'm gonna start panicking. :D
 
