XDA Developers Android and Mobile Development Forum

[R&D] Unlock Bootloaders

#141 alquimista (Senior Member)
(Last edited by alquimista; 27th July 2012 at 03:21 AM.) Reason: more questions ...
{Q} aboot.c

Quote: Originally Posted by Ralekdev
That's from aboot_init, decompiled version available http://pastie.org/4339731
That looks like it comes from the aboot.c source here http://pastie.org/4340093
Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.
However, I don't see any of the strings from the target_fastboot_init section. ie:
Code:
	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);
Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?
Code:
#define FASTBOOT_MODE   0x77665500
 
#142 Ralekdev (Senior Recognized Developer)
Quote: Originally Posted by alquimista
That looks like it comes from the aboot.c source here http://pastie.org/4340093
Note: CodeAurora does not endorse anything I am doing. However, I am following the copyright instructions to the letter.
However, I don't see any of the strings from the target_fastboot_init section. ie:
Code:
	fastboot_register("continue", cmd_continue);
	fastboot_register("reboot", cmd_reboot);
	fastboot_register("reboot-bootloader", cmd_reboot_bootloader);
	fastboot_register("oem unlock", cmd_oem_unlock);
	fastboot_register("oem device-info", cmd_oem_devinfo);
	fastboot_publish("product", TARGET(BOARD));
	fastboot_publish("kernel", "lk");
	fastboot_publish("serialno", sn_buf);
Wouldn't "oem unlock" show up as a string if it were accessible?

Ta,
ALQI

EDIT: Also, what does this mean?
Code:
#define FASTBOOT_MODE   0x77665500
The aboot in the SGS3 is heavily based on lk, but also modified in certain areas. One of the places they changed was fastboot, where they replaced it with 2 other boot modes instead (odin and rdx). The normal fastboot stuff is mostly gone.

Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.
 
#143 LLStarks (Senior Member)
Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.
#verizons3 on Freenode ~ home for all d2 and step brothers
https://kiwiirc.com/client/irc.freenode.net/verizons3
 
#144 open1your1eyes0 (Senior Member, New York City)
Quote: Originally Posted by LLStarks
Here's the older I535VRALEC bootchain that's been whispered about:
http://goo.im/devs/invisiblek/i535/V...tchain.tar.md5

This bootchain permits flashing a recovery from Odin for easier rooting. Rest of the bootloader is still locked.
How on earth did you get this? Is this the infamous engineering bootloader that everyone rumored about? Safe to flash and if anything be able to flash back the original?
 
#145 LLStarks (Senior Member)
(Last edited by LLStarks; 27th July 2012 at 05:10 AM.)
This is the pre-release bootloader.

[ROOT] VRALEC Bootloader - Allows us to Odin a custom recovery
 
#146 alquimista (Senior Member)
Quote: Originally Posted by Ralekdev
Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.
How would I write that restart reason into the params?

ta,
alqi
 
#147 enderblue (Junior Member)
Quote: Originally Posted by Ralekdev
Setting the restart reason (at 0x2A03F65C) to FASTBOOT_MODE will make the phone boot into fastboot upon reboot even if the key combo isn't pressed. There are a few more possible values in the post from Adam earlier in the thread where he pasted the email I sent him.
The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue
 
#148 Ralekdev (Senior Recognized Developer)
Quote: Originally Posted by enderblue
The Params block (mmcblk0p10) doesn't address that high. I pulled that address from the mmcblk0 block and the existing data doesn't seem to suggest a current reboot reason.

What part of the memory is that address referencing?

Thanks,
EnderBlue
That's not an offset into the mmc, but rather part of the MSM_SHARED_IMEM_BASE region of memory. To write to it aboot does *(int*)0x2A03F65C = restart_reason, but depending on the current environment you may need to do more work to write there. Check arch_reset() in arch/arm/mach-msm/restart.c in the kernel Samsung released for how they do it.
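Editor's added example (not code from the thread, from lk/aboot, or from Samsung's kernel): a small C model of the restart-reason handshake Ralekdev describes in #142 and #148, answering both "how would I write that restart reason" (#146) and "what part of memory is that address" (#147). The kernel side is modelled on arch_reset() in arch/arm/mach-msm/restart.c, which writes a magic into shared IMEM before rebooting; the bootloader side is modelled on aboot_init(), which reads the slot, clears it, and picks a boot path. Only FASTBOOT_MODE (0x77665500) and the address 0x2A03F65C come from the thread. The base MSM_SHARED_IMEM_BASE = 0x2A03F000 (the address minus a 0x65C offset), the RECOVERY_MODE value 0x77665502 (upstream lk convention), the "bootloader"/"recovery" reboot(2) command strings, and the clear-after-read are assumptions taken from upstream sources, not from this page. The shared IMEM is simulated with an array so the code runs off-device; on the real SoC it is a memory-mapped SRAM region, which is why the value is not found anywhere on mmcblk0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Confirmed by the thread: the restart reason lives at 0x2A03F65C and
 * aboot writes it with *(int*)0x2A03F65C = restart_reason. */
#define MSM_SHARED_IMEM_BASE   0x2A03F000u   /* assumption: 0x2A03F65C - 0x65C */
#define RESTART_REASON_OFFSET  0x65Cu        /* assumption: offset used by arch_reset() */
#define RESTART_REASON_ADDR    (MSM_SHARED_IMEM_BASE + RESTART_REASON_OFFSET)
#define FASTBOOT_MODE          0x77665500u   /* from the thread (lk aboot.c) */
#define RECOVERY_MODE          0x77665502u   /* assumption: upstream lk value, not on this page */

/* Simulated shared IMEM so this runs on a PC. On the device the slot is a
 * physical SRAM address (aboot) or an ioremap()'d virtual address (kernel),
 * never an offset into the eMMC, so dumping mmcblk0 will not show it. */
static uint32_t sim_imem[0x1000 / sizeof(uint32_t)];

static volatile uint32_t *restart_reason_slot(void) {
    return &sim_imem[RESTART_REASON_OFFSET / sizeof(uint32_t)];
}

/* Kernel side (modelled on arch_reset in arch/arm/mach-msm/restart.c):
 * map the reboot(2) command string to the magic the bootloader expects.
 * Unknown or absent commands leave the slot cleared (normal boot). */
uint32_t restart_reason_for_cmd(const char *cmd) {
    if (cmd == NULL) return 0;
    if (strcmp(cmd, "bootloader") == 0) return FASTBOOT_MODE;
    if (strcmp(cmd, "recovery") == 0) return RECOVERY_MODE;
    return 0;
}

/* What "adb reboot bootloader" ends up doing just before the SoC resets. */
void kernel_set_restart_reason(const char *cmd) {
    *restart_reason_slot() = restart_reason_for_cmd(cmd);
}

enum boot_target { BOOT_NORMAL, BOOT_FASTBOOT, BOOT_RECOVERY };

/* Bootloader side (modelled on aboot_init): read the slot once, clear it so
 * the mode does not persist across the next reboot, then choose the path.
 * FASTBOOT_MODE here selects fastboot without the key combination. */
enum boot_target aboot_check_reboot_mode(void) {
    volatile uint32_t *slot = restart_reason_slot();
    uint32_t reason = *slot;
    *slot = 0;                      /* one-shot: assumption from upstream lk */
    switch (reason) {
    case FASTBOOT_MODE: return BOOT_FASTBOOT;
    case RECOVERY_MODE: return BOOT_RECOVERY;
    default:            return BOOT_NORMAL;
    }
}

int main(void) {
    kernel_set_restart_reason("bootloader");
    printf("slot 0x%08X set; next boot -> %s\n", RESTART_REASON_ADDR,
           aboot_check_reboot_mode() == BOOT_FASTBOOT ? "fastboot" : "normal");
    return 0;
}
```

The practical consequence for a locked SGS3: writing the magic only matters if the vendor aboot still honours it on the read side. Ralekdev's #142 says the normal fastboot code is mostly gone on this device, so the slot may be read and cleared but route to Odin/RDX instead of a working fastboot.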
 
#149 alquimista (Senior Member)
(Last edited by alquimista; 28th July 2012 at 03:50 AM.) Reason: NVM
{i} Qualcomm USB Settings

There is a hidden UI:
Code:
com.sec.android.app.phoneutil/com.sec.android.app.phoneutil.SetPortUartUsbMSM8960
I found it and many others using Logging Checker by TevE. If I long press on that item I get this:

[screenshot not reproduced]

When I press the big "Qualcomm USB Settings" button I get this:

[screenshot not reproduced]
From what I've read, and I could be very wrong, this is how to access Qualcomm diagnostics over USB. Unfortunately, I don't know much about what to do from there. I know RNDIS stands for Remote Network Driver Interface Specification. And RMNET is Qualcomm's proprietary version of RNDIS for their phones. I assume DM means Direct Media as in DMA direct media access, but I could be wrong.

I haven't had time to have a go at talking to the device using any of the last three ports or combos of ports. Could we possibly disable Qualcomm Secure Boot with this? I've seen instructions on how to do it using JTAG, but I don't have a JTAG setup. The reason I bring it up is because, as I understand it, Qualcomm Secure Boot checks for any changes to the bootloader. If we could disable it, then cracking the bootloader might be a bit easier.

Ta,
ALQI

EDIT: I'm working on a text list of all the hidden UI's but I haven't had time to put it all together.
 
#150 chadamir (Member)
Alquimista, QPST will probably not give you the ability to get around the bootloader. DM stands for diagnostic mode. You can read certain info off of the phone and write certain info to the phone with it, but it's a pain in the ass to get working. The builds floating around online are really old, and predate this phone by a long while.
Tags: d2vzw, locked bootloader
THREAD CLOSED