Thread Closed

Bootloader Cracking : Devs only

OP HunteronX

9th May 2010, 07:40 PM   |  #1  
OP Senior Member
Thanks Meter: 29
 
660 posts
Join Date:Joined: Oct 2008
More
NEW - March 2011

A method of booting custom kernels (using kexec) has been developed. Thanks Bin4ry, zdzihu, MrHassell, blagus, and all other devs who are working hard to make this stable.

The bootloader protection has been bypassed!

Quote:
Originally Posted by zdzihu

Bootloader is broken/bypassed!
Big bad huge font to avoid confusion =)


@Goroh_kun:

Buddy, I know you're still reading this forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.

BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.



@devs:





@SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones

@all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...


Still busy working abroad,

Cheers,
z

Link to 2.1 alpha kernel (2.6.29)

http://forum.xda-developers.com/show...&postcount=848



OLD

Important info!

http://forum.xda-developers.com/show...&postcount=811

Link to FlashTool

http://forum.xda-developers.com/showthread.php?t=920746

Here are some posts:

Quote:
Originally Posted by MrHassell

Yes and yes - while rebooting and as zdzihu previously reported kexec is viable.

http://forum.xda-developers.com/show...&postcount=407

zdzihu

override partition table using kernel command line. Tried (via kexec) and it worked.

Code:
mtdparts=msm_nand:0x00440000@0x3fbc0000(appslog),0x06f40000@0x38c80000(cache),0x160a0000@0x05ae0000(system),0x1d100000@0x1bb80000(userdata),0x0001FFFF@0x00000000(loader)
Bin4ry - tawrite - http://forum.xda-developers.com/show...&postcount=442

cat /proc/mtd

mtd0 cache
mtd1 appslog
mtd2 userdata
mtd3 system

My final post on the subject. Have better things to do now the media have landed au reviour.

Bin4ry's kexec kit posts

http://forum.xda-developers.com/show...&postcount=708 - V1
http://forum.xda-developers.com/show...&postcount=711 - V2
http://forum.xda-developers.com/show...&postcount=724 - V3

MrHassell's V3 test log

http://forum.xda-developers.com/show...&postcount=729

21st March 2011, onwards

Quote:
Originally Posted by Bin4ry

Can you try to run it on chargemon script instead of xRec?
So that we can run it at the very beginning of boot process. Maybe this is a solution!
This should work in the chargemon script:
exec /data/local/tmp/run.sh

WARNING!
JUST TRY THIS IF YOU KNOW WHAT YOU ARE DOING !

Regards

Quote:
Originally Posted by Androxyde

chargemon the safer way :

Just before recovery if then else :

if [ -e /data/local/tmp/kexec ]
then
rm -r /data/local/tmp/kexec
exec /data/local/tmp/run.sh
fi

so from the OS, touch /data/local/tmp/kexec the reboot and it will boot the kexec script and remove the kexec file so that the next boot or reboot will go fine

Quote:
Originally Posted by Bin4ry

So, 2 users with bb58 had booted fine then WLOD.
Seems the initial idea is working
Now fix the problems and all is good ?

Regards

DooMLoRD's test

http://forum.xda-developers.com/show...&postcount=750

Bin4ry's edited chargemon file

http://forum.xda-developers.com/show...&postcount=753

Comment from DooMLoRD - actually about the above file.

Quote:
Originally Posted by DooMLoRD

just an additional comment...

the following chargemon will work only for recovery flashed through Flashtool v0.2.8 for stock roms only
also please do not try that chargemon on CM7RC2 roms (u wont be able to get into the OS cause recovery on CM7RC2 is shifted to /system/recovery/
also the line chroot / /init will work for 2.3 roms but is not compatible with 2.2 roms... for 2.2 roms u need /system/bin/chroot / /init

x10b's test

Quote:
Originally Posted by x10b

boot.img installed >> boots normal got my radio, wifi , everything works fine...

FW : 2.1.1.A.0.16
BB : 2.1.58

test ok......

x10b's test video

http://forum.xda-developers.com/show...&postcount=798

DooMLoRD's edited (universal) chargemon file

http://forum.xda-developers.com/show...&postcount=762

Important for 'non-devs' - also look at DooMLoRD's post ahead

Quote:
Originally Posted by wolfilein

@all
you shouldn't flash the file with xrecovery!
you should extract it to
/data/local/tmp/
on you phone
and replace the /system/bin/chargemon with the one bin4ry has posted some posts ago
after that make it executable
with
chmod 755 /system/bin/chargemon
then create the file /data/local/tmp/kexec
with
touch /data/local/tmp/kexec

and then reboot you phone should load the new kernel


DooMLoRD's post in reply to above:


http://forum.xda-developers.com/show...&postcount=766

Quote:
Originally Posted by jerpelea

cm7 boots with custom kernel

More testing:

Quote:
Originally Posted by DooMLoRD

test with Stock SE ROM FW: 2.1.A.0.435 | BB: 2.1.54

booted into OS but no radio, strange question mark symbol on top of battery symbol (in notification bar)... phone rebooted in few seconds couldnt get into "About Phone"... though no LED notifications of any sort... even have made a video of boot up process [it look good on handset ] will post it here in a while

EDIT:
on second attempt tried to get to "About Phone" asap... under "Kernel Version" it was "unknown"... and then the system immediately rebooted...

keep up the great work Bin4ry and all other devs...

DooMLoRD's bootup video
http://forum.xda-developers.com/show...&postcount=775

Quote:
Originally Posted by Androxyde

I am on stock firmware A.0.16

I modded my chargemon to implement booting cust kernels from it and a gscript script shortcut on the desktop to reboot.

I tried these :

Reboot custom kernel with stock BB .58 : booted / no radio / reboot in less than 1 minute

Reboot custom kernel with BB 55 : same as with .58

Reboot custom kernel with BB 52 : booted / no radio / no reboot
Reboot stock rom with BB 52 : no radio

So with my last try I cannot conclude anything about the "no radio"

Will keep you informed with my further tests

More tests from DooMLoRD

http://forum.xda-developers.com/show...&postcount=784

http://forum.xda-developers.com/show...&postcount=789

http://forum.xda-developers.com/show...&postcount=812

Bin4ry's kernel patches, config and build script from zdzihu:

http://forum.xda-developers.com/show...&postcount=781

Bin4ry's kernel based on SE .435 kernel sources

http://forum.xda-developers.com/show...&postcount=786

Aeny's tests

Quote:
Originally Posted by Aeny

x10i | J's CM7 RC2 V10a | BaseBand 2.0.46 | boot.img: 22.03.11-00_25
-Same behavior as BB 2.0.52
-(Stock kernel + this BaseBand = WLOD reboot loop.)

x10i | J's CM7 RC2 V10a | BaseBand 2.0.49 | boot.img: 22.03.11-00_25
-Same behavior as BaseBand 2.0.52


x10i | J's CM7 RC2 V10a | BaseBand 2.0.52 | boot.img: 22.03.11-00_25
-Screen not waking up by pressing any buttons, to wake up press any button, then press the screen. If "Screen-on" and/or "Screen-off" animations are enabled in CM-Settings then screen cannot be woken up at all.
-Battery shows a percentage, but does not indicate charging, however the battery level is going up.
-Time seems to update once every few (10~11) minutes instead of every minute & always starts counting from 1/1/1970 -1h:00m at boot.
-WiFi shows "error" under settings but does magically work, just can't be turned off.
-Bluetooth doesn't want to turn on.
-Baseband: "Unknown".
-Kernel Version: 2.6.29Bin4ry "SEMCUser@SEMCHost #1".
-no reboots (running 15minutes).
-screen doesn't auto-turn off but dims instead.
-Battery status shows as "unknown" under settings -> about phone -> status.
-No USB.
-LED doesn't light up while charging.

x10i | J's CM7 RC2 V10a | BaseBand 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)

x10a | J's CM7 RC2 V10a | BB 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds->reboot(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)

Quote:
Originally Posted by Aeny

x10i | Build: 2.1.A.435 | BaseBand: 2.1.54 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry SEMCUser@SEMCHost #1

x10i | Build: 2.1.A.435 | BaseBand: 2.1.58 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry SEMCUser@SEMCHost #1

x10i | Build: 2.1.A.435 | BaseBand: 2.1.54(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry SEMCUser@SEMCHost #1

x10i | Build: 2.1.A.435 | BaseBand: 2.1.55(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry SEMCUser@SEMCHost #1



Back to CM7 for me, SE's rom felt like playing a game @ 2FPS.
~Aeny

Ahmed radi's tests

Quote:
Originally Posted by Ahmed radi

boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.1.54

its work great !

boot normaly then radio work and WiFi also work !

boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.0.52

freeze on SE logo fo about 5~9 sec | no radio (insert SIM) | Wifi work


@ Bin4ry

good look bro

Quote:
Originally Posted by Ahmed radi

@ DooMLoRD

good now we have conferm that bin4ry kernel work with .54
i try also 52 but there is no radio !
i reflash the phone with 54 BB but also get no signal !
any idea about this ?

@bin4ry

could we convert the .img to .sin ?

Quote:
Originally Posted by Bin4ry

No, sin is the signature header. For that we need the signing key and we don't have it!

Regards

Quote:
Originally Posted by Ahmed radi

good lack Bin4ry !

test report :

X10 2.1 .435
BB54

run gr8 ,with Xda then reboot in se rom with radia and i test wifi and its work also!

edit :

BB58 also just like above !

>after we have sacsesfully loud Bin4ry kernel , could we have muiltitouch(not just dual) ? thanx

More info from Bin4ry

http://forum.xda-developers.com/show...&postcount=795

shyvue's test

Quote:
Originally Posted by shvyue

I'm new to this but what i did is, copy all files from bootkit to /data/local/tmp
adb shell
$ su
# chmod 06755 run.sh
# ./run.shls

Phone shows fast-usb reboot, then a cute dog at top-left, then xda-developer with brown background.

SE stock image:
2.1.A.435

x10i-2.1.58 white led after xda-developer image then reboot with SE logo, etc
x10i-2.1.54 white led after xda-developer image then reboot with SE logo, etc

mpasanthosh's test

http://forum.xda-developers.com/show...&postcount=816





Starting from 14th January 2011

Quote:
Originally Posted by blagus

Hi to all developers!
I haven't read whole thread, but I'm sure bootloader hasn't been cracked yet.
I spoke to a source who know really a lot about SE phones. He has been investigating X10 a lot and I got some info from him. He might be able to give me some further info but only if you are willing to read and try to accept my post and not just tell me "Xperia is different SE phone".
Believe me, he knows a lot about how X10 boots/works, and what's happening inside it (software part). He's been investigating phones since DB2020, and knows something about phones even before that.

As first, when I told him about "bootloader" he wasn't 100% sure what is that.
Most correct structure of X10 boot process and all "parts" involved is:
first, "real" ROM, which is actually one time programmable and can't be ever reprogrammed, is started.
In EROM, there's signature which is checked by ROM at beginning of boot - if signature is OK, ROM proceeds with running EROM and leaves it to continue boot process.
That is: checking signatures of everything that it runs directly, and then launches it if signatures are OK.
He also said that ROM is very incorrect name for phone's firmware - because ROM is actually thing that I mentioned above. Of course, you don't have to rename all ROMs to FW now, however it would be good if at least here in development thread correct names are used because that would help you, me in understanding what you're talking about - because I have knowledge from A1/A2 series and now he proved me that I was right about what I was saying - and him in understanding and possibly some further small tips.
He said that the thing that launches actual firmware - Android, is S1Boot, and it actually is in some structural way connected with A1's EROM and A2's SEMCBOOT.
(That is the thing I've been trying to say some time ago however no one was listening to me, nor wanted to check it - everyone was just saying "No, this phone is different from other SE phones.)
That then means that getting developer (more understandable - "brown") loader.sin - which actually contains S1Boot, or as you probably call it, bootloader - won't help you because in that S1Boot, there are flags that define if brown image will be accepted or not.

Also, in ROM there is root certificate (Qualcomm), "first in the chain" he said, not Red - retail, or Brown - developer one. S1Boot is also signed with that root certificate, and even existing S1Boot in our Xperias contain both Red and Brown certificates (unlike on A1/A2, where there is either red which accepts just red flashes, or brown which accepts them all), and only thing that differs is flags which tells EROM/S1Boot should it accept brown flash or not.
Note: Do not mix root certificate that is S1Boot signed with, and Red/Brown located inside it!

You can easily check this by opening existing, "usual" available for download here loader.sin in Notepad and you'll first find few certificates - S1_loader_root, S1_EROM_root, etc. and after that S1_loader_test, S1_EROM_test, etc. - same names, but instead of root it says test - this proves that there are both red and brown certificates.

He also said that
"brown sin-s can be self-produced... usually the brown RSA keys are available".
That means that if we put brown RSA key before header of pre-patched loader.img, we would get brown signed loader.sin, and we would just have to find a way to change flag to make the phone accept that brown image.
About pre-patching: yes, S1Boot has to be patched in order to accept unsigned flashes - whether it's just changing those flags, or rewriting it - however in that case still original root certificate must stay inside because it's checked by ROM.

And last thing is that he said that "SE used to disable Jtag on retail phones".
I remember that someone here mentioned Jtag but I don't know what was the result.

To receive further help/tips from him, following questions must be answered:

Question 1: To what exactly do you refer when speaking about bootloader? Now when I explained about S1Boot, can we actually say that bootloader = S1Boot (similar to) > A1's EROM (similar to) > A2's SEMCBOOT?

Question 2: What's contained in boot.img, if S1Boot is inside loader.img/loader.sin?

Best regards

25th January 2011

Quote:
Originally Posted by Bin4ry

Anyone wants to try my modded kexec-tool? I hope i have found a solution, but don't know yet, because my netbook still compiles the kernel ..... (for another 20 hours :P )

Regards
Bin4ry

Quote:
Originally Posted by Bin4ry

Since Maxrfon didn't answered my last mail again (he's very busy now) i had spare time and worked on this little tool once more =)

I hope we can boot another kernel with kexec-tool now.
for that we need a zImage and a initrd + some bootparameters for the kernel (root partition)

So if anyone want to try i would be lucky. My compilation was broken and now i have to start again :'(
So i anyone here wants help to try i would be lucky =)

Regards

26th January 2011

Quote:
Originally Posted by Bin4ry

Yes a initrd is needed, because i have not found the initrd location in virtual memory now, so i cannot point to it from kexec

Code:
kexec -l /zImage --apend="root........" --file="/initrd"
kexec -e -f
also you should appen the root partition.
It would be nice if someone could upload a zImage, i'm still stuck in compiling it *LoL* ****ing netbook is compiling 15 hours and then it aborts with some errors ^^

Regards

Quote:
Originally Posted by blagus

Put kexec in /system, chmod 777
Put ramdisk_orig.tgz and zImage to / and chmod 777

Code:
# kexec-tool -l /zImage --append="/" --initrd="/ramdisk_orig.tgz"
# kexec-tool -fe
After reboot zImage and initrd dissapear from /
Maybe if I put them in /system... I'll try that and let you know result.

Quote:
Originally Posted by Bin4ry

@Shamux thanks for the kernel.

@blagus:
You have to append the root partition to kernel parameters, else it will not detect it!
It's just like you want to boot a normal kernel on pc

Try adding --append="root=/dev/blablabla rw"
check which one is root partition (don't know now) and then check again if it works.
What we really neew is some kmsg log or smth.
Also Z mentioned to compile the kernel with semc-es209ra-capk config.
A minimal config will be a better way to start because something is breaking up we cannot find it.
But if we can boot minimal kernel, we can try to add more and more step by step and find the problem =)




Regards

Quote:
Originally Posted by blagus

Hmm... then, a little bit of experimenting is required...

I've got new info regarding bootloader cracking, from my source again
In theory it's very simple and you probably know that already: we calculate prime numbers that public key is made from - one key is enough, second can be calculated with
key 1st prime formula. But, you already know that.

Now, how to get these keys? Probably you know that too but let me repeat:
with OpenSSL we can get certificates from loader.sin. For example, this is interesting part of S1_loader_root (root certificate):

Code:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ea:a5:f7:7d:bd:67:21:33:04:00:ea:91:b0:c6:
                    cd:38:6c:aa:da:60:c1:77:e2:24:67:be:b7:da:4f:
                    e6:e5:92:fd:5b:b4:1a:97:54:cb:2f:7d:b1:63:e3:
                    d4:43:b9:a6:91:70:36:9f:5f:3a:7a:0e:2c:a7:44:
                    3b:40:84:0f:40:79:4a:b7:e8:58:d7:47:15:29:79:
                    07:b7:65:7b:d3:6d:40:10:29:78:c5:8f:51:b0:6e:
                    38:a9:97:1c:ff:1e:e5:bc:0d:22:1c:08:22:db:ad:
                    40:6f:2f:28:8a:8f:5c:38:d3:2a:96:72:48:66:28:
                    07:80:11:f1:62:f9:d3:40:a7
                Exponent: 65537 (0x10001)
Modulus here is public key.
Just give this modulus to the CPUs and GPUs and let them calculate primes.
With these primes, calculation of private key should be trivial.

Update: this key is what we need to crack, that's it. Then, we can even make our own certificate - just like now there are, for example, s1_loader (Red, retail) and s1_loader_test (Brown, developer), we can make our own s1_loader_xda... and then, if it's issuer is S1_Loader_Root_f851 (like it is in root certificate attached here), and it is present in all parts of loader.sin (signature, signature of loader payload data) then phone will accept it.

Yes, that's right: this "Modulus" number above is the one that we need to crack in order to modify bootloader.

Update: if there's something confusing in this certificate, it's probably the fact that it's issuer and subject are same: yes, it's self-signed. But unfortunately, it won't work if we make our self-signed certificate

Quote:
Originally Posted by arkedk

Don't know if this is any help or useful info for any of the devs.

But managed to check the code in the lib_s1_verification.so file
Here's the boot sequence.

These files is what I know has something to do with the s1:
/lib/lib_s1_verification.so
/bin/linker
/bin/s1_verification_test

I don't know what I'm looking at here, but just wanted to see if I could make some kind of contribution to get the bootloader opened up.

Also attached the dedexed files from within semc_bootinfoif.jar if those are useful to anyone.

Assuming this is the Booting Sequence:

Last edited by HunteronX; 4th April 2011 at 03:58 PM. Reason: The bootloader protection has been bypassed, using kexec!
9th May 2010, 09:47 PM   |  #2  
OP Senior Member
Thanks Meter: 29
 
660 posts
Join Date:Joined: Oct 2008
More
I tried typing in 'adb root enable' and this appeared (see attachment).

If we can get a developer rom somehow, we could enable root.

If unclear, it says that 'adbd cannot run as root in production builds'.

I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Attached Thumbnails
Click image for larger version

Name:	Untitled.jpg
Views:	7683
Size:	20.4 KB
ID:	323868  
Last edited by HunteronX; 9th May 2010 at 09:54 PM. Reason: Making info clearer
9th May 2010, 10:10 PM   |  #3  
Bin4ry's Avatar
Recognized Developer
Flag Schwelm (NRW)
Thanks Meter: 5,742
 
1,832 posts
Join Date:Joined: Nov 2008
Donate to Me
More
Very good idea to start a new thread. Please someone of the moderators delete all future comments that are not related to root!

I finally compiled the tardis program but it doesn't work
Here my original post :
-----
This didn't work on X10. But possibly someone will try it on other devices.

Usage: ./tardis <BIG FILE>
Big file should be ~ 100mb
------


-Bin4ry
Attached Files
File Type: zip tardis.zip - [Click for QR Code] (17.9 KB, 151 views)
Last edited by Bin4ry; 9th May 2010 at 10:12 PM.
9th May 2010, 10:31 PM   |  #4  
biktor_gj's Avatar
Senior Member
Thanks Meter: 235
 
665 posts
Join Date:Joined: Jan 2008
Gathered Information about the kernel and mount points so far:

Kernel Version: Linux version 2.6.29-rel (semc-android@SEMC) (gcc version 4.2.1) #2 PREEMPT Wed Mar 10 16:53:36 JST 2010

(notice it's been compiled on march 10 so it might have been patched until february)

Internal flash partitions:
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0

4Mb ramdisk: tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0

Inside the software update package, there are a lot of files:

update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
preset.ta ->
Inside there's this:
Code:
// preset.ta has same format as TA file generated by FXTool

// Specification document: 69/159 35-LXE 108 116 Uen, Rev PA3

// Format:

// [TAPartition<HEX8>]{1}

// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}

// (c) Sony Ericsson Mobile Communications AB, 2009

02

000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00

00000961 0004 FE FF FF FF
amss_fs.sin -> no idea...but it seems empty as the cache 639 byte
apps_log.sin -> template for wiping mtdblock0 partition? (639 byte)
cache.sin -> template for wiping cache partition (like data partition, 639 byte)
fota0.sin -> ?
fota1.sin -> ?
boot.sin -> our beloved boot.img? (5.4 mbytes)
recovery.sin -> it looks like we have a recovery mode after all (not just safe mode)
dsp1.sin -> dsp firmware?
amss.sin -> Radio firmware?
metadata.dat -> 536 bytes, I guess it will be package metadata
simlock.ta -> 1,3 kb
system_S1-SW-LIVE....sin -> 195Mb, system partition
userdata_S1-SW-LIVE....sin -> 4,8kb, template for wiping data partition, maybe it has some file in there... haven't checked yet.

Things I tried so far:
m7 exploit. It seems fixed on this kernel (that or it might need some tinkering to the code)
exit_notify() local root exploit. suid_dumpable is 0 on /proc, so useless
h00ly**** exploit. Bin4ry tried this, but it seems it didn't work either.

Good thing: Sony Ericsson update service is programmed in java, and lollylost100 has already managed to make the program dump update images decrypted, so we might have a chance with that.

Also, bootloader starts if you take out the battery, plug usb and then turn it back in. It goes on for 10 seconds, after that, it times out and reboots to normal. So maybe if we don't mess with the bootloader we can restore it no matter what happens to the rest of the flash (don't trust this much)

About the mtd partitions, there are only four visible to Android, but there have to be more.
Radio partition, recovery partition (if it flashes it will be somewhere, unless its just a kernel+ramdisk that boots when in 'safe mode'), bootloader and such. Where are they hidden?

I have a copy of the running configuration for the kernel from .16 version, if anybody wants, I can put it somewhere.
If you wan't to retrieve it from your phone just do:

cat /proc/config.gz > /sdcard/config.gz

from adb/local terminal.

@HunteronX: that error it gives you is because you need a dev firmware, or being able to do a 'su', to get root access, it's not a driver problem. If you do "adb shell" you get a terminal with user id 2000 (shell), but no way of getting id 0 (root) with official firmware (unless hacking).By the way, that post you pasted from me is very outdated and there's not much useful information so you can remove it from the first post Thanks for starting a new thread, hopefully we'll manage to keep it clean!

Regards, Biktor
Last edited by biktor_gj; 9th May 2010 at 11:01 PM.
9th May 2010, 11:23 PM   |  #5  
Senior Member
Thanks Meter: 1
 
256 posts
Join Date:Joined: Apr 2010
Quote:
Originally Posted by biktor_gj

update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...

Code:
<?xml version="1.0" encoding="utf-8" ?>
<UPDATE>
  <NOERASE>amss_fs.sin</NOERASE>
</UPDATE>
10th May 2010, 08:18 AM   |  #6  
Senior Member
Thanks Meter: 4
 
160 posts
Join Date:Joined: Sep 2009
More
Quote:
Originally Posted by HunteronX

I tried typing in 'adb root enable' and this appeared (see attachment).

If we can get a developer rom somehow, we could enable root.

If unclear, it says that 'adbd cannot run as root in production builds'.

I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)

This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.

Also all "normal" ADB commands work.

My Contribution: The only Directory where you can put native executables is /data
10th May 2010, 08:42 AM   |  #7  
Member
Thanks Meter: 0
 
39 posts
Join Date:Joined: Dec 2006
Quote:
Originally Posted by sim-value

This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.

Also all "normal" ADB commands work.

My Contribution: The only Directory where you can put native executables is /data

confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.

Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.
Last edited by funfobia; 10th May 2010 at 08:47 AM.
10th May 2010, 04:47 PM   |  #8  
OP Senior Member
Thanks Meter: 29
 
660 posts
Join Date:Joined: Oct 2008
More
Quote:
Originally Posted by funfobia

confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.

Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.

Ok, thanks for telling me that - looks like i've got a lot to learn...

@biktor_gj I've hopefully now removed all the information you wanted.
10th May 2010, 04:48 PM   |  #9  
biktor_gj's Avatar
Senior Member
Thanks Meter: 235
 
665 posts
Join Date:Joined: Jan 2008
/data is not the only place where you can run binaries, you can also execute them from /sqlite_stmt_journal ramdisk. The only issue is after rebooting the phone files will disappear, but /data has the nosuid flag enabled on the mount command, but that flag doesn't exist on the sqlite tmpfs.

Regards
10th May 2010, 09:00 PM   |  #10  
Junior Member
Flag Berlin
Thanks Meter: 0
 
16 posts
Join Date:Joined: Apr 2008
More
I just sniffed yesterday the packets when SEUS is connecting to the Sonyerricsson Serve.

What I found out is that SEUS is requesting following IP: 195.95.193.10

If you enter this in your browser it returns following:
ma3.extranet.sonyericsson.com

There you can download a software called EMMA. Someone knows what's that for a software?

Thread Closed Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes