{Q} aboot.c

---

Quote:

Originally Posted by Ralekdev

That's from aboot_init, decompiled version available http://pastie.org/4339731

That looks like it comes from the aboot.c source here http://pastie.org/4340093

Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.

However, I don't see any of the strings from the target_fastboot_init section. ie:

Code:

	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);

Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?

Code:

#define FASTBOOT_MODE   0x77665500

Quote:

Originally Posted by alquimista

That looks like it comes from the aboot.c source here http://pastie.org/4340093

Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.

However, I don't see any of the strings from the target_fastboot_init section. ie:

Code:

	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);

Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?

Code:

#define FASTBOOT_MODE   0x77665500

The aboot in the SGS3 is heavily based on lk, but also modified in certain areas. One of the places they changed was fastboot, where they replaced it with 2 other boot modes instead (odin and rdx). The normal fastboot stuff is mostly gone.

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.

Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.

Quote:

Originally Posted by LLStarks

Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.

How on earth did you get this? Is this the infamous engineering bootloader that everyone rumored about? Safe to flash and if anything be able to flash back the original?

This is the pre-release bootloader.

[ROOT] VRALEC Bootloader - Allows us to Odin a custom recovery

Quote:

Originally Posted by Ralekdev

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.

How would I write that restart reason into the params?

ta,
alqi

Quote:

Originally Posted by Ralekdev

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.

The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue

Quote:

Originally Posted by enderblue

The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue

That's not an offset into the mmc, but rather part of the MSM_SHARED_IMEM_BASE region of memory. To write to it aboot does *(int*)0x2A03F65C = restart_reason, but depending on the current environment you may need to do more work to write there. Check arch_reset() in arch/arm/mach-msm/restart.c in the kernel Samsung released for how they do it.

{i} Qualcomm USB Settings

---

There is a hidden UI:

Code:

com.sec.android.app.phoneutil/com.sec.android.app.phoneutil.SetPortUartUsbMSM8960

I found it and many others using Logging Checker by TevE. If I long press on that item I get this:


When I press the big "Qualcomm USB Settings" button I get this:


From what I've read, and I could be very wrong, this is how to access Qualcomm diagnostics over usb. Unfortunately, I don't know much about what to do from there. I know RNDIS stands for Remote Network Driver Interface Specification. And RMNET is Qualcomm's proprietary version of RNDIS for their phones. I assume DM means Direct Media as in DMA direct media access, but I could be wrong.

I haven't had time to have a go at talking to the device using any of the last three ports or combos of ports. Could we possibly disable Qualcomm Secure boot with this? I've seen instructions on how to do it using Jtag, but I don't have a Jtag set up. The reason I bring it up, is because as I understand it Qualcomm Secure boot checks for any changes to the bootloader. If we could disable it, then cracking the bootloader might be a bit easier.

Ta,
ALQI

EDIT: I'm working on a text list of all the hidden UI's but I haven't had time to put it all together.

Alquimista, QPST will probably not give you the ability to get around the bootloader. DM stands for diagnostic mode. You can read certain info off of the phone and write certain info to the phone with it, but it's a pain in the ass to get working. The builds floating around online are really old, and predate this phone by a long while.