[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

By *se-nsei., Senior Member on 3rd December 2011, 10:19 PM
5th March 2012, 03:31 AM |#1591  
theq86
Quote:
Originally Posted by mobilescooby

I have checked and double-checked every step 5 times. I simply cannot get this script to patch the hboot.

[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect base signature for HBOOT-1.08.0099
[ LOG ] Incorrect base signature for HBOOT-1.09.0099

[ERROR] Failed to detect HBOOT!

HBOOT-1.08.0099
MICROP-0451
RADIO-7.53.39.03M
Nov 28 2011,19:09:21

Can you please also provide us with your hboot dump?

Instead of the inject command, type:
Code:
dump_image hboot /sdcard/hboot.img
5th March 2012, 03:34 AM |#1592  
no.human.being
Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.
5th March 2012, 03:36 AM |#1593  
theq86
Quote:
Originally Posted by no.human.being

Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.

Please dump and be sure hboot got patched and is not "working garbage".

I find it strange that gauravjuneja01's device still works.
5th March 2012, 03:40 AM |#1594  
gauravjuneja01
@nhb..

Mine shows the same, buddy....
Fortunately you have a snapshot and I have not .....

Thank You.....
5th March 2012, 03:41 AM |#1595  
mobilescooby
Quote:
Originally Posted by theq86

can you please also provide us with your hboot dump?

instead of inject command type:

Code:
dump_image hboot /sdcard/hboot.img

Here you go, hope this helps.

Attached file: hboot.zip (512.1 KB)
5th March 2012, 03:44 AM |#1596  
gauravjuneja01
Quote:
Originally Posted by no.human.being

Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.

Now what is the status, buddy?
Will we get S-OFF?
One thing is sure: our device will not be bricked.....
5th March 2012, 03:44 AM |#1597  
theq86
Okay, both of you guys' hboots are md5: 53368ced64bc511f8cd1a0c74cdd193e

I think this "garbage" (and it obviously WORKS) is the exotic variation of HBOOT.

So no wonder that the exploit did not want to patch. But their hboots are identical.
5th March 2012, 03:46 AM |#1598  
gauravjuneja01
Quote:
Originally Posted by theq86

okay, both of you guys hboots are md5: 53368ced64bc511f8cd1a0c74cdd193e

I think this "garbage" - and it obviously WORKS is the exotic variation of HBOOT.

So no wonder that the exploit did not want to patch.

What does it mean?
I'm sorry for my bad terminology problem....
5th March 2012, 03:48 AM |#1599  
theq86
That means you and mobilescooby both have the exact same hboot. (actually logical, because your versions are the same)

BUT:

Your versions do not "look" like a normal HBOOT in binary view mode.
5th March 2012, 03:49 AM |#1600  
no.human.being
My HBOOT is untouched. I'd say the kernel's mtd drivers pretend to be erasing and writing when in reality they're not. When I do it to an image file (say on the SD card) instead of the device file, it gets patched exactly as I'd expect, but the mtd is not touched.

It's a kernel problem. The exploit is doing it all right, but the kernel is cheating us. So we'll need a custom kernel. Either true Linux (would be the best) or Android built from source with the "security" restrictions removed.

And no, it can't be an mtdutils problem: if mtdutils didn't erase but the kernel did write, the phone would be dead now. Writing to NAND without erasing first leaves nothing but total garbage in the memory.

So now I'd say we're definitely stuck at a kernel level problem and that's where most of my skills end.
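The practical lesson of the last few posts is that the tool's own "[ OK  ] Done!" proves nothing: theq86 asks for a dump to confirm the patch landed, and no.human.being finds that the image on the SD card gets patched while the mtd device reads back untouched. The following read-back check is an added example, not code from the thread or from the S-OFF campaign tools. It assumes three raw images are in hand: the partition dumped before the patch attempt (for example via `dump_image`), the patched image the tool intended to write, and a fresh dump taken after the tool reported success. The sample "partition" bytes at the bottom are constructed, not real HBOOT data, and the `HBOOT-x.y.z` version-string scan is only a convenience for labelling dumps.

```python
"""Read-back verification for a raw flash partition write.

Added example (not from the thread). Compares a post-write dump against both
the pre-write dump and the image the tool meant to write, so that a silently
dropped write ("unchanged") is distinguished from a real patch ("patched")
and from anything else ("corrupted"). Sample data below is constructed.
"""
import hashlib
import re

# Matches version strings such as HBOOT-1.08.0099 inside a raw image.
VERSION_RE = re.compile(rb"HBOOT-\d+\.\d+\.\d+")


def md5_hex(data: bytes) -> str:
    """MD5 of an image, as the thread uses it to compare two dumps."""
    return hashlib.md5(data).hexdigest()


def version_strings(image: bytes) -> list:
    """All HBOOT-x.y.z strings found in the image, in order of appearance."""
    return [m.decode() for m in VERSION_RE.findall(image)]


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if the images are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def classify_writeback(before: bytes, intended: bytes, after: bytes) -> dict:
    """Decide what actually happened to the flash after a reported-successful write.

    Verdicts:
      "patched"   - after == intended: the write reached the device.
      "unchanged" - after == before:   the write was silently dropped, which is
                    what the thread suspects the kernel's mtd driver does here.
      "corrupted" - after matches neither; treat the partition as unknown.
    """
    if after == intended:
        verdict = "patched"
    elif after == before:
        verdict = "unchanged"
    else:
        verdict = "corrupted"
    return {
        "before_md5": md5_hex(before),
        "intended_md5": md5_hex(intended),
        "after_md5": md5_hex(after),
        "verdict": verdict,
        "first_diff_vs_intended": first_difference(after, intended),
    }


# Constructed sample data: a fake 64-byte partition carrying a version string,
# and a "patched" copy that differs in exactly one byte at offset 40.
BEFORE = b"\x00" * 16 + b"HBOOT-1.08.0099\x00" + b"\xff" * 32
_patched = bytearray(BEFORE)
_patched[40] = 0x00
INTENDED = bytes(_patched)

if __name__ == "__main__":
    # Case 1: the kernel ignored the write, so the read-back equals the original.
    r = classify_writeback(BEFORE, INTENDED, BEFORE)
    print(r["verdict"], "first diff at", r["first_diff_vs_intended"])
    # Case 2: the write landed.
    r = classify_writeback(BEFORE, INTENDED, INTENDED)
    print(r["verdict"], version_strings(INTENDED), r["after_md5"])
```

For a real device the three inputs would be read from the dump files with `open(path, "rb").read()`; the point of the check is that a verdict of "unchanged" after a "Done!" message is exactly the symptom described above, and it is detected without rebooting into whatever the partition now contains.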
Tags
bootloader, campaign, dev, exploit, hboot, htc, kernel, radio, s-off, secu-flag, wildfire s