XDA Developers Android and Mobile Development Forum

[DEV] FBOOT - FOTA bootloader

mijoma
#1
Recognized Developer - OP
Join Date: Feb 2011
Location: Warsaw

Hello

I treat this thread as DEVELOPMENT focused, so please keep non-technical questions and all the excitement aside and use it strictly for the technical discussion.


As most of you have been able to witness, FOTA seems the right track for bypassing bada bootloader security.
During the Android porting we found ourselves in a situation where we had developed fairly simple asm code for the purpose of loading and booting Android.
A successful attempt has some important limitations, though. One major one is the strict dependency on the bada bootloader level 3 (BL3), which we used to interact with the hardware for us and provide filesystem abstraction. I feel that the main reason for that was what had been the biggest advantage in the beginning - the simplicity of building a crafted FOTA module from asm.
Since the time I've made the discovery of the FOTA vulnerability (as described initially here) and after I provided sample framework for building crafted FOTA file for fasmarm (see here) only b.kubica and Rebellos took over and made it into the FOTA booting Android. That approach required installing specific bootloader version in the phone and used patched I9000 secondary bootloader (SBL), as we needed it to correctly initialize the display for the kernel.
The first attempt to make it more universal was proposed, but it still only introduced additional abstraction layer for BL3 calls and was using the very same assembler framework.

I'd like to change something again and therefore, I've scratched a new framework for building FOTA. This time, it is using a proper gcc toolchain and quickly jumps a level higher in abstraction - into C/C++ code. Linker scripts provide abstraction for building the right FOTA file headers and footers for:
- S8500 running bada 1.x
- S8500 running bada 2.x
- S8530 running bada 1.x
- S8530 running bada 2.x
All four targets are built from the same source files with a single 'make'. I tested all that by writing FLOCK (which is still BL3 dependent but written in C).
In my opinion, it should allow us to get into development of the modules handling hardware, filesystem, etc. by ourselves (or simply building that from external source codes handling that) resulting in full independence from version of the bootloader installed.

Now we get to the right question - do you have suggestions as for what opensource bootloader project we should integrate into FOTA? I've done a proof-of-concept integration of u-boot and it compiles flawlessly (of course, getting it to run is a whole other story as there are lots of low-level initialization procedures to be rewritten). Please answer with some supporting arguments as it's not a vote and I would prefer a discussion and picking the right solution.
The second thing - is there anybody with the know-how and interest in this development? I'd like to share the code and support it only in some spare time, so it would be perfect if somebody took it over.

Again, please keep this thread clean - strictly technical discussion here.

Regards,
mijoma
adfree
#2
Senior Member
Join Date: Jun 2008
b.kubica has an awesome demonstration with bTerm and unsecdload.fota:
- dump NAND for backup or study...
- bypass apps_compressed.bin integrity check.

It would be nice if this could be combined and/or ported for S8530 too.
I wished I could dump with bTerm also in bada 2.0.

I saw only Rebellos did something with bTerm...

Also I miss Upload to...
http://forum.xda-developers.com/show....php?t=1176189



Thanx in advance.

Best Regards
 
Rebellos
#3
Senior Recognized Developer
Join Date: May 2009
Location: Gdańsk
One of the logical alternatives to uBoot is Qi from OpenMoko; it is much simpler, but that brings more limitations. And I haven't seen S5PC110 support in there, so some S3C cpu driver would need to be updated.
http://wiki.openmoko.org/wiki/Qi

Also the leaked Loke for Spica could be used - it has also got S3C drivers (S5P is only a bit updated S3C arch) already done for S3C64xx, so the cpu driver is the same as above.

Writing a bootloader from scratch is rather pointless and I'd anyway use uBoot for that project - there already exist fully working sources for Odroid, which is Hummingbird based. But there's not much more we can do than hope some dev suddenly pops out of nowhere and joins the project.
Feedback on my development is highly appreciated, but first you should read this GUIDE and watch this MOVIE.

If you like my work - you can help me getting various cool stuff by clicking donation link in my profile. It's not required while pressing is, just appreciated.

Pretty owsom Android/Kernel dev tips&tricks: http://omappedia.org/wiki/Android_How-tos

Git HOW-TO by eagleeyetom: http://forum.xda-developers.com/show...php?p=31304826
15-minutes GIT introduction: http://try.github.com
If you want to submit patches to my git projects - use the guides above and make a pull request.
 
mijoma
#4
Recognized Developer - OP
Join Date: Feb 2011
Location: Warsaw
OK.
It's been a while and there has not been any activity around.
My time availability is completely gone as well. The least I can do is to upload something I had started months ago and never continued.
Maybe somebody experimenting with FOTA can use it at some point, maybe not.

In the attachment there's a project to be built using gcc toolchain (I used the one from bada SDK). It's rather simple but it already implements some of the lowest level stuff so the entry point is in C already and produces all 4 platforms (S8500 bada 1.x, S8500 bada 2.x, S8530 bada 1.x, S8530 bada 2.x) in one go.

I don't say it's an easy go from now, but you can use it however you wish and I hope it may be of some help at some point.

Best Regards,
mijoma
Attached Files
fboot.zip (13.0 KB)
 
adfree
#5
Senior Member
Join Date: Jun 2008
Please.

Maybe mijoma or Rebellos could answer.

1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...

If correct, how was he able to use another Boot?

I was never able to write Original Boot of my own choice with RIFF (JTAG)...

2.
As test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...

Maybe if Devs have S8000 for training...
Maybe this could increase progress a little bit... about Bootloader functions... and/or MODEM AMSS...

3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of the Bootloader Security... also a few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://forum.xda-developers.com/show...4&postcount=59

Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot by something else...

In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see...

Best Regards
 
mijoma
#6
Recognized Developer - OP
Join Date: Feb 2011
Location: Warsaw
Quote:
Originally Posted by adfree View Post
1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...

If correct, how was he able to use another Boot?

I was never able to write Original Boot of my own choice with RIFF (JTAG)...
It is possible to replace the whole bootloader chain. Rebellos looked at the options and it turns out that, depending on the data in the iRAM, each bootloader stage will or will not perform a verification of the next bootloader stage.
The bootloader that is used by Unbrickable Mod for our processor (used by the Odroid project originally) breaks the chain of trust, and this is what makes it possible to write whatever.

Quote:
Originally Posted by adfree View Post
2.
As test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...

Maybe if Devs have S8000 for training...
Maybe this could increase progress a little bit... about Bootloader functions... and/or MODEM AMSS...
You should forget about S8000. It helps us in no way and there's no compatibility between the devices.

Quote:
Originally Posted by adfree View Post
3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of the Bootloader Security... also a few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://forum.xda-developers.com/show...4&postcount=59

Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot by something else...

In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see...
It is possible to disable security with JTAG, but work will focus on the development platform that does not require JTAG. It will most probably allow using other bootloaders, but XXJB6 is nothing really special. I would rather like to see something (possibly u-boot based) being able to flash bada and Android to OneNAND (not moviNAND as currently) and run both without the security.
Rebellos checked the partition map and it may even be possible to fit both systems into OneNAND if FOTA weren't installed.

FOTA may be used at the beginning of the process as there's no better place to start with diagnostics, modifications to memory, flashing of unsecure components and so on.
 
adfree
#7
Senior Member
Join Date: Jun 2008
S8600XXKL1_S8600OXCKL3_TPH
S8600JVKK4_S8600XFVKK1_XFV
S8600DXLD1_S8600OLBKK6_XXV
S8600DXLD1_S8600OLBKK6_XME
S8600JVKK4_S8600OJVKK2_XFE
S8600DXKK6_S8600OLBKK6_XSP
S8600DXLD1_S8600OLBKK6_XEV
S8600DXLD1_S8600OLBKK6_XTC
S8600XXKK7_S8600OXEKL1_VHC
S8600XXLD1_S8600OXDLD2_XSK
S8600XXLD1_S8600OXDLD2_XEH
S8600XXLA1_S8600OXDLA1_VDC
S8600BOKK6_S8600TMZKK6_TMZ
S8600JPLB1_S8600OJPLB1_TMC
S8600DXLD1_S8600OLBKK6_THL
S8600XXLD1_S8600OXDLD2_XEZ
S8600JPKL1_S8600OJPKK3_AFG
S8600XXKK7_S8600OXFKL1_SEB
S8600XXLD1_S8600OXELD1_SKZ
S8600XXKK7_S8600OXEKK5_SEK
S8600XXKK7_S8600OXCKK1_PHE
S8600JPLD1_S8600OJPLB1_THR
S8600XXLD1_S8600OXELD1_MTS
S8600AELE1_S8600SFRLE1_SFR
S8600XXKK7_S8600OXFKK7_MTL
S8600JPKL1_S8600OJPKK3_PAK
S8600JPLD1_S8600OJPLB1_MWD
S8600XXLC3_S8600PRTLC4_PRT
S8600XXLA1_S8600OXBLA1_NEE
S8600JPLA1_S8600OJPKK3_MID
S8600JPKL1_S8600OJPKK3_JED
S8600JPKL1_S8600OJPKK3_KSA
S8600FRLE1_S8600LPMLE1_LPM
S8600XXLD1_S8600OXELD1_KCL
S8600XXLD1_S8600ITVLD2_ITV
S8600BVLD2_S8600FTMLD2_FTM
S8600JPKL1_S8600OJPKK3_BTC
S8600JPKL1_S8600OJPKK3_EGY
S8600JVKK4_S8600OJVKK2_AFR
S8600XWLD2_S8600OXGLD1_ATO
S8600JPKL1_S8600OJPKK3_ABS
S8600NAKL1_S8600EPLKL1_EPL
S8600XXLC3_S8600OXFLD1_COA
S8600XWLD2_S8600OXGLD1_BSE

Maybe luck and ELF files in 1 package...

Best Regards
 
hero355
(Last edited by hero355; 9th January 2013 at 07:51 PM.)
#8
Senior Member
Join Date: Dec 2011
Location: Baku
ELF can only be in Operator firmwares (if it has one), because mostly it has been on operator firmwares.

If I have enough space on HDD, I'll check all.
 
_hacker_
#9
Member
Join Date: Jan 2013
How to flash?

Hi, I don't get how to flash Android onto Wave 1, and I can't find a download link. Can anyone help me? I downloaded Odin but I can't do anything with it. Can anyone write a short tutorial for that? Sorry, I already gave up trying to find it out myself.
Thanks,
hacker
 
By_KeReMM
#10
Junior Member
Join Date: Feb 2012
Location: Kocaeli
Wave 525

Can you create a FOTA bootloader for Wave 525? Is it possible?
