[WIP] Unlocking NAND

maejrep · Jun 3, 2010

Breaking this discussion off from the EVO root thread, as it's a separate beast entirely..

theillustratedlife said:
(Incidentally, if they would have given us engineering SPLs in the I/O phones, it probably would have delayed the root issue on general-release phones a while longer).

True, but truth be told, there's a separate ENG SPL, which would actually fix the NAND protection by default, if it would flash. But because it's an older release than what came on the phone, it won't let you flash it (even tried with a goldcard, and no go). This version matches the stock version, which means it can be flashed back and forth with no complaints.

Can you explain NAND protection a bit further, please? Are the changes being overwritten on startup, or are they being blocked before they occur? Is NAND protection being implemented at the firmware level?

Firmware, yes (aka radio). But it's actually the bootloader (aka hboot) that sends a command to the radio to say lock it or unlock it. There's even a linux API in the "mtd" driver to allow an ioctl() call to unlock a NAND ... IF it's supported (the source code we have shows that the msm_nand_unlock() code is missing, thus it's not supported). When booting into Android, hboot says "lock NAND", and when booting to recovery, it says "unlock". When it's locked, you get a "not enough memory" error when trying to do any writes to the /system partition (even after remounting it as read-write).

The fixes are ..

1) ENG hboot. I've tried unsuccessfully to flash just the hboot.img from the engineering RUU, using our custom recovery ... it goes through the motions like it's supposed to (writes hboot.img into a section of the nand, sets a flag in the bootloader, then reboots; then the bootloader finishes the flash and reboots again back to recovery), but it doesn't take effect .. seems as if it's doing some kind of version check and it fails that version check, so it rejects the hboot.img update.

2) reverse engineer the msm_nand_unlock() API by disassembling hboot and seeing what it does to lock/unlock the NAND, then try to do the same thing from Android. In theory, that would allow it to unlock the NAND from userspace.

I haven't given up on either of these options, I just haven't had the time necessary to devote to it yet.

theillustratedlife · Jun 3, 2010

Also from that thread:

theillustratedlife said:
Could you drop the ENG hboot into a hex editor and change the version & modification dates appropriately?

maejrep · Jun 3, 2010

theillustratedlife said:
Could you drop the ENG hboot into a hex editor and change the version & modification dates appropriately?

I've gone over it in IDA for a couple hours now

It may well be that simple, but it's not just the "0.79.0000" version part, since I did try changing that and it didn't help. But it could be a different version that's read from some other byte in the image. Like I said, still investigating.. :x

Aphax · Jun 3, 2010

I just wanted to point out that a HTC Desire demo model was found to have S-OFF and had its NAND unlocked, while having the same SPL as normal locked Desires. The S-OFF was triggered by the SuperCID (1111111) I believe which is set somewhere in the radio and also in the 'misc' nand partition (but just changing the CID there had no effect).. not sure if this is helpful but I felt like mentioning it since I guess the NAND locking is similar on both devices. Also I may have gotten some details wrong here since I'm not really involved in mobile phone hackery, but would really love to have a completely unlocked phone

joeykrim · Jun 3, 2010

maejrep said:
When booting into Android, hboot says "lock NAND", and when booting to recovery, it says "unlock".

to clarify, when booting into the bootloader with the userdebug RUU PC36IMG.zip, hboot says unlock NAND and this only applies to /system and the location for hboot.img (SPL?) currently? /recovery remains locked.

you said you're able to flash the engineering hboot.img from recovery? to flash it, you're using the flash_image binary loaded by the EVO-recovery.zip?

i know this is explained above but not 100% clear on how the userdebug RUU PC36IMG.zip unlocks /system and the location for hboot.img ?

sorry if the questions are n00bish, still tryin to get up to speed and its hard w/o the actual phone!

maejrep · Jun 4, 2010

joeykrim said:
to clarify, when booting into the bootloader with the userdebug RUU PC36IMG.zip, hboot says unlock NAND and this only applies to /system and the location for hboot.img (SPL?) currently? /recovery remains locked.

The "userdebug" part of it doesn't matter: even the stock ROM has its system partition unlocked *while in recovery*. But because the stock recovery has adb disabled, there's not much we can do with it, and because the stock recovery requires HTC-signed update.zip's only, we can't flash anything with it. So whenever the bootloader (hboot) starts loading recovery, as part of that, it tells the radio to unlock the system partition. We just happen to have a userdebug RUU that gives us adb & root while in recovery, thus we can leverage the unlocked /system partition where with the stock recovery we can't.

you said you're able to flash the engineering hboot.img from recovery? to flash it, you're using the flash_image binary loaded by the EVO-recovery.zip?

I'm able to *attempt* to flash it, via an update.zip, which has has update-script that says "flash hboot with hboot.img". It is *not* the standard flash_image, because you can't flash the bootloader from something that comes after the bootloader. The bootloader doesn't live in any of the mtd partitions that are accessible from linux kernel space. Basically how it flashes firmware (that includes both hboot and radio images) is it trashes the /cache mtd partition, and shoves the hboot.img (or radio.img) data into the section of NAND that should be the cache partition. Then it reboots. The radio/bootloader sees the special magic header in the cache partition, and understands that it has to take that data and flash it over its current hboot. That step is what is currently failing (with no log or explanation why, yet). Regardless of success or failure, it will reboot back to recovery, because the last step is that recovery has to reformat the /cache partition to make it usable again.

i know this is explained above but not 100% clear on how the userdebug RUU PC36IMG.zip unlocks /system and the location for hboot.img ?

The userdebug RUU does not unlock /system. /system is unlocked automatically by the radio and bootloader any time you enter recovery: whether it is on a stock ROM or a userdebug ROM. We simply can't use that to our advantage when using the stock (locked down) recovery, because that recovery only gives us access to certain things. In that sense, it works similar to how /system used to work on older Android devices: Android used to have full access to the /system partition, but couldn't be utilized until it was unlocked by having access to something else (e.g., "root" access). Back then, once you became root, you had the keys to the kingdom: you could delete apps, add apps, reconfigure the system, flash a new recovery image, etc ... and at that point, root could never be taken away from you, because you would just have a rooted recovery image that would let you take over the next system image.

Now that /system is completely locked while not booted in recovery (and "recovery" partition isn't writable, period), having root access means less, because you can't write to /system from Android (or to recovery while in recovery). If we find a way to unlock the NAND, we'll essentially be able to regain those keys to the kingdom. Flashing an engineering SPL would just be the easiest way (once we find out how to make it accept the image), definitely not the only way.

Neotelos_com · Jun 5, 2010

Thread bump, I was sad it got buried as you can see here...
http://xdaforums.com/showthread.php?p=6705148#post6705148

timothydonohue · Jun 5, 2010

dumb question here, but if the flash hboot hboot.img isn't working, wouldn't that imply that there is something left over from the original/stock hboot.img that simply isn't being overwritten? wouldn't was isn't being overwritten be the bit telling everything else to lock up the house later? can that be determined, and either overwritten with an empty bit, or a 'leave the door open' code?

just throwing things out there, because i have no idea what i'm talking about

theillustratedlife · Jun 5, 2010

How does the Qik update work? It comes preinstalled in the system partition, but there's a Market update available for it.

It looks like there's an APK in both app folders:

Code:

#in /system/app
-rw-r--r-- root     root       815870 2010-04-28 22:51 Sprint_Qik.apk

#in /data/app
-rw-r--r-- system   system    4514646 2010-06-04 15:24 com.qikffc.android.apk

Is the new APK telling Launcher to ignore the old APK? I tried looking in com.qikffc.android.apk/AndroidManifest.xml, but it seems to be encoded in something other than text/xml.

I was hopeful that this would be a clue to defeating NAND protection from userland, but the presense of Sprint_Qik makes me think they've left /system alone and tweaked something on /data to hide the old build.

Neotelos_com · Jun 5, 2010

maejrep said:
1) ENG hboot. I've tried unsuccessfully to flash just the hboot.img from the engineering RUU, using our custom recovery...

Are you able to get just the custom recovery onto any ROM without breaking it?
Usermode root with nand access would be great, but right now I'm looking for a custom recovery mode on an official ROM at minimal.

Neotelos_com · Jun 5, 2010

theillustratedlife said:
Is the new APK telling Launcher to ignore the old APK?

Pretty much that's how it works.

Neotelos_com · Jun 6, 2010

Someone PLEASE sticky this, I personally find this very important that a solution be found!

shep211 · Jun 6, 2010

Neotelos_com said:
Someone PLEASE sticky this, I personally find this very important that a solution be found!

1+ This is a must.

bcnice20 · Jun 6, 2010

+1 as well this definitely should be #1 priority at the moment once we unlock nand where golden

Shidell · Jun 6, 2010

I also agree, this thread needs to be sticky.

Is this accurate (for the EVO? For Android devices in general?):

Code:

mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"

I'm still working out the details of how the Android system works, but what I'm getting lost on is how current root status happens. Using toast/maejrep's method, we're pushing a custom Recovery.img--which is either flashed by the script, or flashed automatically by Android upon shut down.

(This is assuming that Android always flashes a copy of Recovery.img from the /system partition as a safeguard, ensuring upon reboot things are as expected.)

We then have full access to Boot, Recovery, and System (via Recovery). Right now we're flashing a custom Boot.img (with custom Kernel) as well as a custom System, correct? What happens to the Recovery that we're currently in after a reboot that we lose it?

I don't understand is why Recovery isn't sticking. Does the system try to re-flash Recovery.img from /System upon every reboot, and our accessible Recovery is being replaced by the default Recovery.img simply because we've overlooked it?

Additionally, assuming we have access to Recovery, we should have full access to Boot and System (as we do now), so we'd be able to flash custom Boot/Kernel, OS/ROM/System, and stick with a solid Recovery image to handle flashing in the future.

Where are we/I getting tripped up? I don't understand why Recovery isn't sticking? And if Recovery does stick, isn't that all we truly need (given the adb/ENG build) to fully unlock the EVO?

Neotelos_com · Jun 6, 2010

The Evo's system is actually #4

Neotelos_com · Jun 6, 2010

I don't know much about kitchens, etc per say but I do know about filesystems and modding.

I am right now trying to get one step further with a stock ROM that includes system changes and a custom recovery. I can't make any promises but ask for you to wish me luck!

This will be the next best thing to user-mode NAND access.

Stericson · Jun 6, 2010

Post has been stickied.

MagnusRagnarok · Jun 6, 2010

Neotelos_com said:
Someone PLEASE sticky this, I personally find this very important that a solution be found!

indeed

shep211 said:
1+ This is a must.

accent on MUST

bcnice20 said:
+1 as well this definitely should be #1 priority at the moment once we unlock nand where golden

Time to start warming up the new flashing machine and get used to not sleeping for nights at a time again...........

Neotelos_com said:
I don't know much about kitchens, etc per say but I do know about filesystems and modding.

I am right now trying to get one step further with a stock ROM that includes system changes and a custom recovery. I can't make any promises but ask for you to wish me luck!

This will be the next best thing to user-mode NAND access.

GO NANDROID SUCCES. seriously though crossies here.

Stericson said:
Post has been stickied.

Score....

joeavery2 · Jun 6, 2010

Would it be possible to bootloader unlock the same way they did with the Nexus? windows-fastboot oem unlock?

[WIP] Unlocking NAND

Senior Member

Senior Member

Senior Member

Member

Inactive Recognized Developer

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Retired Forum Moderator

Retired Recognized Developer

Senior Member

Senior Member

Senior Member

Retired Senior Mod / Retired Senior RD

Retired Recognized Developer

Senior Member

Similar threads