XDA Developers Android and Mobile Development Forum

[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!

theq86, #1591 (Senior Member)
Quote:
Originally Posted by mobilescooby
I have checked and double checked every step 5 times. I simply cannot get this script to patch the hboot.

[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect base signature for HBOOT-1.08.0099
[ LOG ] Incorrect base signature for HBOOT-1.09.0099

[ERROR] Failed to detect HBOOT!

HBOOT-1.08.0099
MICROP-0451
RADIO-7.53.39.03M
Nov 28 2011,19:09:21
can you please also provide us with your hboot dump?

instead of inject command type:
Code:
dump_image hboot /sdcard/hboot.img
Please Search the forums and ask your questions there. I'm no personal supporter.
HTC One (m7_ul)
 
no.human.being, #1592 (Senior Member)
Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.
 
theq86, #1593 (Senior Member)
Quote:
Originally Posted by no.human.being
Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.
Please dump and be sure hboot got patched and is not "working garbage".

I find it strange that gauravjuneja01's device still works.
Please Search the forums and ask your questions there. I'm no personal supporter.
HTC One (m7_ul)
 
gauravjuneja01, #1594 (Member)
@nhb..

Mine shows the same, buddy....
Fortunately you have a snapshot and I have not.....

Thank you.....
 
mobilescooby, #1595 (Senior Member)
Quote:
Originally Posted by theq86
can you please also provide us with your hboot dump?

instead of inject command type:
Code:
dump_image hboot /sdcard/hboot.img
Here you go, hope this helps.
Attached file: hboot.zip (512.1 KB)
 
gauravjuneja01, #1596 (Member)
Quote:
Originally Posted by no.human.being
Ok, I've done it on my own phone.

Code:
[ LOG ] Step 1: Reading from mtd ...
[ LOG ] Step 2: HBOOT analysis ...
[ LOG ] Incorrect version string for HBOOT-1.09.0099

[ LOG ] HBOOT-1.08.0099 detected.
[ LOG ] Step 3: Patching ...
[ LOG ] Step 4: NAND unlocking ...
[DEBUG] ./mtdutils/flash_unlock /dev/mtd/mtd7
[ LOG ] Step 5: NAND erasure ...
[DEBUG] ./mtdutils/flash_erase -q -u 0 0 /dev/mtd/mtd7
[ LOG ] Step 6: Writeback ...
[ OK  ] Done!
So the exploit gets through, but the phone is still S-ON. So it's probably not the right thing to patch, but at least it doesn't seem to do any harm to HBOOT either.
Now what is the status, buddy?
Will we get S-OFF?
One thing is sure: our device will not be bricked.....
 
theq86, #1597 (Senior Member)
Okay, both of your hboots are md5: 53368ced64bc511f8cd1a0c74cdd193e

I think this "garbage", and it obviously WORKS, is the exotic variation of HBOOT.

So no wonder that the exploit did not want to patch. But their hboots are identical.
Please Search the forums and ask your questions there. I'm no personal supporter.
HTC One (m7_ul)
 
gauravjuneja01, #1598 (Member)
Quote:
Originally Posted by theq86
Okay, both of your hboots are md5: 53368ced64bc511f8cd1a0c74cdd193e

I think this "garbage", and it obviously WORKS, is the exotic variation of HBOOT.

So no wonder that the exploit did not want to patch.
What does it mean?
I'm sorry for the bad terminology....
 
theq86, #1599 (Senior Member)
That means you and mobilescooby both have the exact same hboot. (actually logical, because your versions are the same)

BUT:

Your versions do not "look" like a normal HBOOT in binary view mode.
Please Search the forums and ask your questions there. I'm no personal supporter.
HTC One (m7_ul)
 
no.human.being, #1600 (Senior Member)
My HBOOT is untouched. I'd say the kernel's mtd drivers pretend to be erasing and writing when in reality they're not. When I do it to an image file (say on the SD card) instead of the device file, it gets patched exactly as I'd expect, but the mtd is not touched.

It's a kernel problem. The exploit is doing it all right, but the kernel is cheating us. So we'll need a custom kernel. Either true Linux (would be the best) or Android built from source with the "security" restrictions removed.

And no, it can't be an mtdutils problem: if mtdutils didn't erase but the kernel did write, the phone would be dead now. Writing to NAND without erasing first leaves nothing but total garbage in the memory.

So now I'd say we're definitely stuck at a kernel level problem and that's where most of my skills end.
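A readback check of the kind theq86 asks for above (dump the partition again after flashing and compare hashes), as an added example that is not from this thread or the S-OFF campaign's tooling. It uses constructed 64-byte images in place of real HBOOT dumps and a simplified model of NAND programming (a program operation can only clear bits, only an erase sets them back, so a write without erase yields old AND new), which is the mechanism behind no.human.being's "total garbage" remark.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 of an image, the same comparison the thread uses for dumps."""
    return hashlib.md5(data).hexdigest()


def nand_program_without_erase(old: bytes, new: bytes) -> bytes:
    """Simplified model (not a driver) of programming NAND that was not
    erased first: programming can only clear bits (1 -> 0), so each byte
    of the result is old AND new rather than the intended new value."""
    return bytes(a & b for a, b in zip(old, new))


def classify_readback(original: bytes, patched: bytes, readback: bytes) -> str:
    """Compare a post-flash dump with the pre-flash dump and the intended
    patched image. Returns:
      'patched'   readback equals the patched image (write really landed)
      'unchanged' readback equals the original (write silently dropped,
                  the behaviour no.human.being attributes to the kernel)
      'garbage'   readback matches a program-without-erase of the patch
      'unknown'   none of the above
    """
    h = md5_hex(readback)
    if h == md5_hex(patched):
        return "patched"
    if h == md5_hex(original):
        return "unchanged"
    if readback == nand_program_without_erase(original, patched):
        return "garbage"
    return "unknown"


# Constructed sample images (not real HBOOT data). The 4-byte "patch" at
# offset 16 flips bits in both directions, so a program-without-erase result
# differs from both the original and the patched image.
ORIGINAL = bytes(range(64))
PATCHED = ORIGINAL[:16] + b"\x0f\xf0\x0f\xf0" + ORIGINAL[20:]

if __name__ == "__main__":
    for label, dump in (("good flash", PATCHED),
                        ("dropped write", ORIGINAL),
                        ("no erase", nand_program_without_erase(ORIGINAL, PATCHED))):
        print(f"{label:14s} md5={md5_hex(dump)} -> {classify_readback(ORIGINAL, PATCHED, dump)}")
```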

Tags
bootloader, campaign, dev, exploit, hboot, htc, kernel, radio, s-off, secu-flag, wildfire s