[R&D] Unlock Bootloaders (thread closed)

OP: AdamOutler

27th July 2012, 03:18 AM | #141 | alquimista (Senior Member, Los Angeles)
Question: aboot.c
Quote:
Originally Posted by Ralekdev

That's from aboot_init, decompiled version available http://pastie.org/4339731

That looks like it comes from the aboot.c source here http://pastie.org/4340093
Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.
However, I don't see any of the strings from the target_fastboot_init section, i.e.:
Code:
	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);
Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?
Code:
#define FASTBOOT_MODE   0x77665500
Last edited by alquimista; 27th July 2012 at 03:21 AM. Reason: more questions ...
The Following 2 Users Say Thank You to alquimista For This Useful Post.
27th July 2012, 04:02 AM | #142 | Ralekdev (Senior Recognized Developer)
Quote:
Originally Posted by alquimista

That looks like it comes from the aboot.c source here http://pastie.org/4340093

Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.
However, I don't see any of the strings from the target_fastboot_init section, i.e.:
Code:
	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);
Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?
Code:
#define FASTBOOT_MODE   0x77665500

The aboot in the SGS3 is heavily based on lk, but also modified in certain areas. One of the places they changed was fastboot, where they replaced it with 2 other boot modes instead (odin and rdx). The normal fastboot stuff is mostly gone.

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.
The Following 5 Users Say Thank You to Ralekdev For This Useful Post.
27th July 2012, 04:06 AM | #143 | LLStarks (Senior Member)
Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.
The Following 4 Users Say Thank You to LLStarks For This Useful Post.
27th July 2012, 04:15 AM | #144 | open1your1eyes0 (Senior Member, New York City)
Quote:
Originally Posted by LLStarks

Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.

How on earth did you get this? Is this the infamous engineering bootloader that everyone rumored about? Safe to flash and if anything be able to flash back the original?
The Following User Says Thank You to open1your1eyes0 For This Useful Post.
27th July 2012, 04:16 AM | #145 | LLStarks (Senior Member)
This is the pre-release bootloader.

[ROOT] VRALEC Bootloader - Allows us to Odin a custom recovery
Last edited by LLStarks; 27th July 2012 at 05:10 AM.
The Following User Says Thank You to LLStarks For This Useful Post.
27th July 2012, 05:15 AM | #146 | alquimista (Senior Member, Los Angeles)
Quote:
Originally Posted by Ralekdev

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.

How would I write that restart reason into the params?

ta,
alqi
The Following User Says Thank You to alquimista For This Useful Post.
27th July 2012, 11:53 AM | #147 | enderblue (Junior Member)
Quote:
Originally Posted by Ralekdev

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.

The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue
The Following User Says Thank You to enderblue For This Useful Post.
28th July 2012, 02:09 AM | #148 | Ralekdev (Senior Recognized Developer)
Quote:
Originally Posted by enderblue

The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue

That's not an offset into the mmc, but rather part of the MSM_SHARED_IMEM_BASE region of memory. To write to it aboot does *(int*)0x2A03F65C = restart_reason, but depending on the current environment you may need to do more work to write there. Check arch_reset() in arch/arm/mach-msm/restart.c in the kernel Samsung released for how they do it.
The Following User Says Thank You to Ralekdev For This Useful Post.
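The restart-reason handoff Ralekdev describes, modelled in C as an added example (not code from the thread, from lk or from Samsung): the kernel side stores FASTBOOT_MODE in the shared-IMEM slot at 0x2A03F65C, and aboot reads and clears it on the next boot. The 4 KiB IMEM window at 0x2A03F000, the "bootloader" reboot argument and the read-then-clear behaviour are assumptions modelled on stock lk/msm code; as Ralekdev noted earlier, the SGS3 aboot replaced fastboot with Odin and rdx modes, so on that device the flag would not lead to a fastboot prompt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values quoted in the thread: the FASTBOOT_MODE magic from aboot.c and the
 * restart-reason slot inside the MSM shared IMEM region. */
#define FASTBOOT_MODE        0x77665500u
#define RESTART_REASON_ADDR  0x2A03F65Cu
/* Assumption: a 4 KiB IMEM window at 0x2A03F000, so the slot is at offset 0x65C. */
#define IMEM_BASE            0x2A03F000u
#define IMEM_SIZE            0x1000u
#define RESTART_REASON_OFF   (RESTART_REASON_ADDR - IMEM_BASE)

/* Simulated IMEM. On hardware this is a physical window that survives a warm
 * reset; writing it needs kernel privilege (see arch_reset in restart.c). */
static uint8_t imem[IMEM_SIZE];

/* Explicit little-endian access, matching the ARM target regardless of host. */
static void imem_write32(uint32_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) imem[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t imem_read32(uint32_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)imem[off + i] << (8 * i);
    return v;
}

/* Kernel side (modelled, not Samsung's code): a reboot requested with the
 * "bootloader" argument stores FASTBOOT_MODE; any other reboot stores 0.
 * Other reason codes exist in the real restart.c and are not modelled here. */
void kernel_arch_reset(const char *cmd) {
    uint32_t reason = 0;
    if (cmd != NULL && strcmp(cmd, "bootloader") == 0) reason = FASTBOOT_MODE;
    imem_write32(RESTART_REASON_OFF, reason);
}

/* Bootloader side (modelled on lk's check_reboot_mode, an assumption): aboot
 * reads the slot once and clears it, so the override is one-shot and the
 * following boot is normal unless the kernel sets the flag again. */
int aboot_wants_fastboot(void) {
    uint32_t reason = imem_read32(RESTART_REASON_OFF);
    imem_write32(RESTART_REASON_OFF, 0);
    return reason == FASTBOOT_MODE;
}
int main(void) {
    kernel_arch_reset("bootloader");
    printf("boot 1: %s\n", aboot_wants_fastboot() ? "fastboot" : "normal");
    printf("boot 2: %s\n", aboot_wants_fastboot() ? "fastboot" : "normal");
    return 0;
}
```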
28th July 2012, 03:22 AM | #149 | alquimista (Senior Member, Los Angeles)
Info: Qualcomm USB Settings
There is a hidden UI:
Code:
com.sec.android.app.phoneutil/com.sec.android.app.phoneutil.SetPortUartUsbMSM8960
I found it and many others using Logging Checker by TevE. If I long press on that item I get this:

[screenshot not included in this capture]

When I press the big "Qualcomm USB Settings" button I get this:

[screenshot not included in this capture]
From what I've read, and I could be very wrong, this is how to access Qualcomm diagnostics over USB. Unfortunately, I don't know much about what to do from there. I know RNDIS stands for Remote Network Driver Interface Specification. And RMNET is Qualcomm's proprietary version of RNDIS for their phones. I assume DM means Direct Media as in DMA direct media access, but I could be wrong.

I haven't had time to have a go at talking to the device using any of the last three ports or combos of ports. Could we possibly disable Qualcomm Secure Boot with this? I've seen instructions on how to do it using JTAG, but I don't have a JTAG setup. The reason I bring it up is because, as I understand it, Qualcomm Secure Boot checks for any changes to the bootloader. If we could disable it, then cracking the bootloader might be a bit easier.

Ta,
ALQI

EDIT: I'm working on a text list of all the hidden UIs, but I haven't had time to put it all together.
Last edited by alquimista; 28th July 2012 at 03:50 AM. Reason: NVM
The Following 9 Users Say Thank You to alquimista For This Useful Post.
28th July 2012, 04:47 AM | #150 | chadamir (Senior Member)
Alquimista, QPST will probably not give you the ability to get around the bootloader. DM stands for diagnostic mode. You can read certain info off of the phone and write certain info to the phone with it, but it's a pain in the ass to get working. The builds floating around online are really old, and predate this phone by a long while.
The Following 2 Users Say Thank You to chadamir For This Useful Post.
Tags: d2vzw, locked bootloader