I attached my misc.img.
What you have to do is: make sure your sdcard works (should do after enableqxdm), go into your ROM (must be rooted), get the flash_image tool (it is inside one of the attached files in this thread) and then do: flash_image misc /mnt/sdcard/misc.img
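Before overwriting an MTD partition like misc with flash_image, it is worth checking that the image actually fits the partition and keeping a copy of what is there now. The script below is an added example, not code from this thread or from the flash_image/mtdutils tools; it assumes the usual /proc/mtd layout ("mtdN: size erasesize name", sizes in hex), block devices at /dev/mtd/mtdN and flash_image on the PATH. The /proc/mtd sample inside it is constructed so the parsing can be tried off the device.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before overwriting an
# MTD partition such as "misc" with flash_image. Assumed environment: /proc/mtd
# in the usual "mtdN: size erasesize name" layout, block devices at
# /dev/mtd/mtdN, and flash_image on the PATH. Functions take the /proc/mtd text
# as an argument so they can be exercised against constructed input.

# Constructed sample of /proc/mtd (not dumped from a real device).
# Size fields are hex bytes: misc here is 0x40000 = 262144 bytes.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00500000 00020000 "boot"'

# Print the index N of partition "$2" (i.e. /dev/mtd/mtdN) from /proc/mtd text "$1".
# Fails if no partition of that name is listed.
mtd_index_of() {
    idx=$(printf '%s\n' "$1" | awk -v want="\"$2\"" \
        '$4 == want { sub(/^mtd/, "", $1); sub(/:$/, "", $1); print $1; exit }')
    [ -n "$idx" ] || return 1
    printf '%s\n' "$idx"
}

# Print the size in bytes of partition "$2"; /proc/mtd stores it as hex.
mtd_size_of() {
    hex=$(printf '%s\n' "$1" | awk -v want="\"$2\"" '$4 == want { print $2; exit }')
    [ -n "$hex" ] || return 1
    printf '%s\n' $(( 0x$hex ))
}

# Succeed only if image file "$3" is non-empty and no larger than partition "$2".
image_fits() {
    size=$(mtd_size_of "$1" "$2") || return 1
    [ -s "$3" ] || return 1
    img=$(wc -c < "$3")
    [ "$img" -le "$size" ]
}

# Back up the current partition contents to the sdcard, then flash the image.
# Refuses to run unless the image passes the size check above.
# Device paths (/proc/mtd, /dev/mtd/mtdN, /sdcard) are assumed, not verified here.
flash_partition_safely() {
    part=$1; image=$2
    mtd=$(cat /proc/mtd)
    image_fits "$mtd" "$part" "$image" || {
        echo "refusing: $image is empty or larger than partition $part" >&2
        return 1
    }
    idx=$(mtd_index_of "$mtd" "$part") || return 1
    dd if="/dev/mtd/mtd$idx" of="/sdcard/$part.backup.img" bs=4096 || return 1
    flash_image "$part" "$image"
}

# Usage on the rooted device:  flash_partition_safely misc /mnt/sdcard/misc.img
```

The backup written by dd is what you would flash back with the same tool if the new misc image turns out to be wrong for your device, so keep it until the phone has been confirmed to boot normally.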
Don't know about the "flash_image" tool, but the "nandwrite" tool from "mtdutils" is part of our exploit. I think "flash_image" is part of CWM recovery.
I have sold my WFS. Thanks for any help guys, I will be going to Desire Z or Incredible S!
I probably wouldn't go for an HTC again. I'd go with a Samsung. Galaxy S2 or Galaxy Nexus. I'll probably get one of those after the successors are out and prices have dropped.
If you know where the locked upper and lower partitions are (around what we have access to at the moment which is mainly in the visible system we can alter) we could simply dump all info surely? Alter the partitions maybe? Get the phone to 'unlock' the 'Block Lock', then all data outside what we can map already should be mappable (if not already held in the radio area we cannot access), as any space as with OOB is read around to the next readable location; the (let's say 2 separate partitions - as we use the 1 in between them now) 2 partitions would simply be read and the OOB section (our in-use partition now) would be skipped until the next readable location. There is no block on reading and writing except for what is within the given partition on NAND and what is held as 'protected' as with AMSS, where you may need keys/signed software (as with EUU/RUU).
So you claim that there's STILL more memory than what we can see at this point? Remember that the NAND is specified to have a capacity of 512 MiB (plus a bit of out-of-band area for error correction) and that we can access addresses 0x00000000 to 0x1fffffff physical if we pass kernel parameters. Where will that "protected" area be and what do you expect it to store? We have already gained access to the "Radio partition" containing the code running on mARM (including Pistachio, Iguana, AMSS) some time ago. It starts at 0x00000000 physical (at least what aARM sees as "physical" .. if the read/write commands are intercepted by the Radio it might actually do another address translation) and is contiguous (or at least looks contiguous from the aARM's point of view). However, its size (and obviously content) varies among different builds of the Radio firmware.
Now I just hope I make as much sense as you do.
You're obviously much more into this than I am. Thank you very much, this was extremely informative! I'm gonna click "thanks" as soon as I have more thanks available.
Why make the assumption that only ONE has access? Don't forget that there are two Data Buses, two Data Movers, separate and joint RAM in the MSM chip and two kernels running, one as a high-level OS, the other closer to machine code. It is quite viable they could both have access, but only either one at a time, or as the MSM chip is (and if the NAND is) capable of RISC operations.
Well, as long as aARM has direct access (meaning it can directly put commands on the memory bus instead of having to ask the Radio to put a command on the memory bus), there won't be anything that could prevent us (with our kernel running on the aARM) from unlocking the entire NAND and then writing to the Radio area. If we can write to the Radio area we can patch the HBOOT and obtain S-OFF. This means that, as soon as we have a kernel which can issue "unlock" commands to the NAND, our exploit will just work.
However, if the Radio is acting as a "man in the middle" between NAND and aARM, meaning all memory requests must pass through the Radio firmware, they could easily have integrated a filter that blocks requests that are affecting the protected memory areas, making our solution intractable. It basically makes the most fundamental assumption of our exploit, namely that our kernel has actual physical memory access, wrong, and I'm not sure whether we will come up with a solution for this case as well, since there is basically now a higher-privileged instance below us that can control what we're doing.