[R&D] Toshiba (11 series) Bootloader Unlock Discussion


Legitsu

BUT
We would still need to figure out how to get it to write a new CID (specifically what tf cmd 26 is)
OR
We can use vendor commands like Beaups (would need to find them)

It's cmd27? It's in the doc; it's just that most of the cells that make up the CID are read-only or write-once read-only.
Page 128.

autonomousperson

cmd26, but do you have any idea what that means or how to do it? Because I don't. Toshiba also has secure write protection. That would prob mess with some stuff too. Secure write protection should be in the specification. I'll try looking it up.

Legitsu


cmd26 is factory-programmable only according to the JEDEC spec:
CMD26 adtc [31:0] stuff bits R1 PROGRAM_CID Programming of the Device identification register. This command shall be issued only once. The Device contains hardware to prevent this operation after the first programming. Normally this command is reserved for the manufacturer.
If I understand @beaups' release correctly, violation of that part of the spec was the reason it was possible to change the CID at all; according to JEDEC the CID is write-once only.
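Since the posts here revolve around what the CID register holds and what CMD26 would overwrite, here is an added example (my own code, not from anyone in this thread) that decodes a CID as Linux exposes it in /sys/block/mmcblkN/device/cid and checks its CRC7, the usual first step before trusting what a device reports about itself. The field layout is JEDEC's eMMC CID layout; the sample CID, the product name TEST01 and the serial number are constructed, and the function names are my own.

```python
# Added example, not from the thread: decode an eMMC CID register the way
# Linux exposes it (/sys/block/mmcblk0/device/cid, 32 hex chars) and
# verify its CRC7. Field layout follows JEDEC JESD84 for eMMC.
from typing import Optional

def crc7(data: bytes) -> int:
    """CRC-7, generator x^7 + x^3 + 1, init 0; used for CID, CSD and command frames."""
    crc = 0
    for byte in data:
        for i in range(7, -1, -1):
            feedback = ((crc >> 6) & 1) ^ ((byte >> i) & 1)
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= 0x09  # x^3 + 1 (the x^7 term is the bit just shifted out)
    return crc

def parse_cid(cid_hex: str, ext_csd_rev: Optional[int] = None) -> dict:
    """Split a 128-bit eMMC CID into its fields and check the trailing CRC7."""
    raw = bytes.fromhex(cid_hex)
    if len(raw) != 16:
        raise ValueError("CID must be 16 bytes (32 hex chars)")
    year = 1997 + (raw[14] & 0x0F)       # MDT[11:8]: years since 1997
    # JESD84-B451 (eMMC 4.41+, EXT_CSD_REV >= 5) wraps the 4-bit year field:
    # values 0..12 mean 2013..2025. Same adjustment Linux applies after reading EXT_CSD.
    if ext_csd_rev is not None and ext_csd_rev >= 5 and year < 2010:
        year += 16
    return {
        "mid": raw[0],                                # [127:120] manufacturer ID
        "cbx": raw[1] & 0x03,                         # [113:112] 0=card, 1=BGA, 2=POP
        "oid": raw[2],                                # [111:104] OEM/application ID
        "pnm": raw[3:9].decode("ascii", "replace"),   # [103:56] product name, 6 ASCII chars
        "prv": f"{raw[9] >> 4}.{raw[9] & 0x0F}",      # [55:48] product revision n.m
        "psn": int.from_bytes(raw[10:14], "big"),     # [47:16] product serial number
        "mdt": (raw[14] >> 4, year),                  # [15:8] (month, year)
        "crc": raw[15] >> 1,                          # [7:1] CRC7 over bytes 0..14
        "crc_ok": (raw[15] >> 1) == crc7(raw[:15]) and (raw[15] & 1) == 1,
    }

# Constructed sample, not a real device: MID 0x11 is Toshiba in the JEDEC/Linux
# manufacturer ID list, which is why the thread calls these "11 series" chips.
_body = bytes([0x11, 0x01, 0x00]) + b"TEST01" + bytes([0x10]) \
    + (0x12345678).to_bytes(4, "big") + bytes([0x71])   # month 7, year field 1
SAMPLE_CID = (_body + bytes([(crc7(_body) << 1) | 1])).hex()

if __name__ == "__main__":
    print(parse_cid(SAMPLE_CID, ext_csd_rev=5))
```

A CRC mismatch on a real device's CID is a quick tell that the register was read or rewritten incorrectly, which is exactly the kind of check worth running before drawing conclusions from a dump.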

autonomousperson

beaups said he used cmd62 (pretty sure he means 26), and he did this with a vendor backdoor.

FilthyFord

I have a GS5 with an 11 eMMC as my backup. If we make good progress here I would be half a$$ willing to use it as a guinea pig. I don't know all the talk and programs u guys use, but with a little guidance I might could figure it out. Although it is an AT&T branded phone. My daily driver is a GS5 T-Mobile branded running Phoenix.

GeTex

It's worth a shot.

I also 0/10 do not recommend removing an eMMC with a lighter and thermocouple.

So I can't dump it via my RIFF box? I should be able to force it, but again it needs vendor commands to do so I assume, which one of us needs to figure out.

</3 My uncle works for Toshiba but only in sales; maybe I can get an engineer or someone through him?

autonomousperson

I'm sure he can't just release the firmware and vendor codes without getting in trouble, can he? I did send an email just for the heck of it asking for a firmware dump (like that's going to happen). And hey, the BGA came off!

autonomousperson

Also I'm not 100% sure about JTAG, but I know that eMMCs normally can't be JTAGed; it would have to be through the CPU, which very likely has JTAG points somewhere. I've never done any of this JTAG stuff. Did some Google searches but couldn't come up with anything 100%.

Legitsu


Did you seriously take a lighter to your logic board?

autonomousperson

Also I know we can somehow mount these chips as SD cards and work with them from there, but that would involve taking them off the board and that's a no-no.

Legitsu


You can remove them with the right tools.
You need a decent hot-air rework station and lots of flux.
It's not really hard; putting them back on ... now that's the *****

autonomousperson

Yeah, ik they are easy to take off and hard to put back on. We would still need to know how to read stuff off of it. To me it seems the ONLY way to do this with a Toshiba chip is the vendor code or the CMD## things. Either way involves getting the binary and knowing the arguments.

Legitsu


Just need a scope and a steady hand.
The big thing is to make sure you pull it straight up and out when removing, so you don't smear the BGA and leave yourself a shot at reworking it on there.

Top Liked Posts

  • 12
    Because the other old dev thread is getting a bit messy, I've created a new thread to continue development of a bootloader unlock for 11 series devices.
    Don't post ANYTHING unrelated to development of a way to change Toshiba chips' CID!!!
    @GeTex says she may be able to get us the firmware / vendor cmds which would be awesome!

    ===================================JULY 30 UPDATE==================================
    Trying to reprogram the CID has been abandoned; looking at alternate methods of unlocking the b/l (or getting a custom kernel past QSB/Knox). @GeTex is working on writing to memory using the futex (towelroot) exploit to load some kernel modules.

    Relevant links:
    http://blog.nativeflow.com/the-futex-vulnerability
    http://blog.nativeflow.com/escalating-futex
    http://blog.nativeflow.com/pwning-the-kernel-root

    ====================================Original post====================================
    So far we know what Beaups did to get the 15 series chip exploit.
    1) Get vendor cmds (we know it's cmd26 to reprogram the CID but do not know the args for Toshiba chips)
    2) Dump eMMC firmware
    3) Look through code for how it is programmed
    4) Create a tool to use this info and reprogram the CID

    We need to
    1) Find the args for the command
    2) Dump the Toshiba eMMC controller's firmware
    3) Find how to program CID
    4) Modify Beaups tool

    Alternatively, if we know what the controller is and the pin map we could manually dump the firmware with existing SD card tools (wouldn't count on it).

    Not sure where you can find it, but if you can dump the chip's firmware then we don't need the first step.

    Relevant docs:
    https://drive.google.com/open?id=0BxoK4ISYhlfbbW02TzJ0VlhoV0E
    https://drive.google.com/open?id=0BxoK4ISYhlfbdDZvbGxxV2F3OUU
    https://github.com/beaups/SamsungCID (read samdunk disclosure)
    http://toshiba.semicon-storage.com/us/product/memory/nand-flash/mlc-nand/emmc.html (Our chip is the THGBMHG7C1LBAIL I believe)
    11
    We have some code regarding 11 eMMCs right now, but it's not public for now.
    8
    Info: I'm meeting with an engineer come round May; will keep you posted!
    7
    Things have been extremely busy for me.
    Work is hectic at this time of year but in a few weeks things should get back to normal.
    This has proven a little more difficult than I initially thought it would be but I still believe it to be possible.

    My question is though, would it be used?
    Would our time spent on this be wasted?

    I don't know but I plan to complete it. Hopefully somebody other than myself and @Hariiiii will jump in.
    There are a lot of people watching this thread with high hopes. Most haven't said anything BC we have nothing useful to contribute, but in light of your question, the answer is yes, many people would use and be appreciative of your work. Thanks and good luck!
    7
    I think Getex accidentally took you for someone else. A lot of people post random junk in this thread so I think it's become a bit of a reflex. You are absolutely right that I deserve no credit for this. The credit for what we have so far goes to you and Surge. I felt bad to bother him with this but I really don't have a copy of IDA and he was literally the first person I could think of who did. I am more than happy to do whatever it takes to contribute to this, but there are some things that I can't do with what I have. Frankly all I need is the address and the rest I think I can put together myself. We'll see if he had any luck. Let's make this clear right now though: this was your idea and your project. Any and all credit goes to your work in figuring this out and debugging it. I'm just another guy who is trying to help.
    Thanks. I apologize for the rant.
    Those same random junk posts you speak of have frustrated me.
    I am excited to see where this will lead and I sincerely appreciate your interest.
    I started decompressing the zimage last night to load into ida.
    The last one I did had gzip compression. The S5 has LZO compression, so working on that.
    I have done everything properly but it still doesn't want to decompress.
    But I have everything ready; all we need is the address, as I have a script from the previous work (thanks to Surge for getting me started on it) and I have a kernel module that I compiled last night we can test.
    I have done all of this before on the s4 so not gonna be too terribly bad.
    The hard part as I said will be debugging the kexec softboot.
    Also for the UART setup, I don't know if you have it or not, but I will share a link that has helped me when I get home this evening.
    I just need to sit down and actually order the parts.
    I've been working on kexec hardboot so I could port multirom which I've gotten everything ready for.
    I've compiled the multirom recovery and multirom binary so we can get the startup to show trampoline on bootup.
    I know kexec hardboot doesn't do locked bl users any good but it's a step in the right direction for kexec as a whole.

    I've read plenty and implemented a good portion of kexec and am willing to help with whatever I can