[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!


Wolf Pup

Guest
Well, I got Linus Torvalds' number, if that helps. LOL. :D

Sent from my HTC Wildfire S A510e using XDA
 

Wolf Pup

Guest
I've just taken a look at the sources of the mtd driver in the kernel, but haven't actually found a lot that would be of interest to us. The actual communication with the NAND seems not to take place here. It's probably handled by an even lower level, perhaps some I/O layer that sits beneath, don't know. The kernel is simply too huge, this will turn into a search for a needle in the haystack.

Well, if there is no other way, and we have to pin it down, then we either have to look through the kernel or the radio. If we do the radio, and find secu_flag then we have a "pure" S-OFF, if we do the kernel, I suspect it will take longer and we will have a "patchwork" S-OFF. At least we will have S-OFF. But we also need to think timewise. Don't want to finish this when this phone is not sold anymore and when we are the only people left. By the way, Samsung Android phones have a "Download Mode". I've used it many times. Also, once you are in download mode, you use a GUI program called ODIN, like a RUU, it assists you in "downloading" the file to the phone and flashing it.

Sent from my HTC Wildfire S A510e using XDA
 

heavy_metal_man

Senior Member
Nov 6, 2011
Well, if there is no other way, and we have to pin it down, then we either have to look through the kernel or the radio. If we do the radio, and find secu_flag then we have a "pure" S-OFF, if we do the kernel, I suspect it will take longer and we will have a "patchwork" S-OFF. At least we will have S-OFF. But we also need to think timewise. Don't want to finish this when this phone is not sold anymore and when we are the only people left. By the way, Samsung Android phones have a "Download Mode". I've used it many times. Also, once you are in download mode, you use a GUI program called ODIN, like a RUU, it assists you in "downloading" the file to the phone and flashing it.

Sent from my HTC Wildfire S A510e using XDA

In order to do either we need to be able to write to the NAND, so both will need us to **** with the kernel in the hope it works. Nhb, what would we be looking for in general? We might have some luck if we get a small army of us to go hunting through it.

sent from my android powered beast!
 

alc027

Senior Member
Nov 22, 2011
Well sooner or later it will be available for almost anything. They said they will support "all devices with a newer chipset than Google Nexus One". That would even include the WFS. I think the Nexus One is still on a QSDxxxx chip. The MSM7227 of the WFS is a real powerhorse against what the Nexus One is using lol! :D

The Nexus One's QSD8250 is much more powerful than the MSM7227. Both have Adreno 200 graphics and are Snapdragon S1s, but the QSD has a Scorpion (Cortex-A8 class) core with a 1 GHz native clock, vs the MSM7227's ARM11 with a 600 MHz native clock. I wouldn't hold my breath for official CM9 on the WFS, sadly.

https://developer.qualcomm.com/sites/default/files/snapdragon-specs.pdf
 

Wolf Pup

Guest
In order to do either we need to be able to write to the NAND, so both will need us to **** with the kernel in the hope it works. Nhb, what would we be looking for in general? We might have some luck if we get a small army of us to go hunting through it.

sent from my android powered beast!

Well there could be a small army, made from only the best, and we could all have private training and mission briefing. I'll manage the weapons (2 AK-47S and 2 PP90M1, Air Support, Care Packages, UAV, and the other stuff)

Sent from my HTC Wildfire S A510e using XDA
 

no.human.being

Senior Member
Oct 29, 2011
The Nexus One's QSD8250 is much more powerful than the MSM7227. Both have Adreno 200 graphics and are Snapdragon S1s, but the QSD has a Scorpion (Cortex-A8 class) core with a 1 GHz native clock, vs the MSM7227's ARM11 with a 600 MHz native clock. I wouldn't hold my breath for official CM9 on the WFS, sadly.

https://developer.qualcomm.com/sites/default/files/snapdragon-specs.pdf

Well, in fact the QSD8250 is built around a newer IP core. However, "much more powerful" is quite a bit of an exaggeration. The QSD8250 was released in Q4 2008, is ARMv7 on a 65 nm manufacturing process and has an "Adreno 200" GPU.

The MSM7227 has an older IP core, namely the ARM1136EJ-S, which is ARMv6, so the QSD8250 might have a bit more compute. Indeed, I didn't find lots of details about this SoC. Actually, I didn't even find an official release date. However, you can find specifications of close relatives, like the MSM7227A and MSM7230, which were released 36 and 9 months later than the QSD8250 respectively. Both feature a 45 nm (more recent) manufacturing process and either an "Adreno 200 enhanced" or "Adreno 205" GPU.

The QSD series is effectively retired and superseded by the MSM series. So yes, the design of the QSD8250's IP core is newer than that of the MSM7227, but the latter seems to be the more recent System-on-Chip. Also, the Nexus One was released on the 5th of January 2010 and shipped with Android 2.1 (Eclair), while the Wildfire S was released on the 15th of May 2011 and shipped with Android 2.3.3 (Gingerbread).

Not so sure what that means for CM9 support, since I don't know whether the MSM7227's older IP core might be a hindrance "instruction-set wise". It certainly won't be a hindrance "performance wise" or "I/O- and peripheral-wise", so as long as CM9 will run on a chip with the ARMv6 instruction set I don't see any reason for not supporting the MSM7227.

Also, once you are in download mode, you use a GUI program called ODIN, like a RUU, it assists you in "downloading" the file to the phone and flashing it.

Sent from my HTC Wildfire S A510e using XDA

Yes, Odin is a leaked Samsung-internal utility. There's a clean-room implementation of it called Heimdall, which is licensed under the MIT license.
 

heavy_metal_man

Senior Member
Nov 6, 2011
I've also had an idea: have we tried to do this to an S-OFF device? I know it sounds strange, but it would hopefully yield some useful information. Like, if it works with no arguments then we would know that S-ON is still ****ing with us and that the kernel works. Just an idea :D

sent from my android powered beast!
 

theq86

Senior Member
Jan 6, 2009
@nhb A thought just occurred to me... if you're trying to boot a Linux kernel... why not try it via a different Linux-based OS on the phone... Tizen for example?

It doesn't matter what sits "on top" of the kernel. We need to dig deeper; probably that deep that not even a kernel would be required. We just use the kernel to bootstrap in a "familiar environment".

I've also had an idea: have we tried to do this to an S-OFF device? I know it sounds strange, but it would hopefully yield some useful information. Like, if it works with no arguments then we would know that S-ON is still ****ing with us and that the kernel works. Just an idea :D

sent from my android powered beast!

It's not proven that the exploit works as we hope it does, and we know nothing of the side effects that may come up using this exploit on an S-OFF phone.
 

no.human.being

Senior Member
Oct 29, 2011
I've also had an idea: have we tried to do this to an S-OFF device? I know it sounds strange, but it would hopefully yield some useful information. Like, if it works with no arguments then we would know that S-ON is still ****ing with us and that the kernel works. Just an idea :D

sent from my android powered beast!

As far as I know the Radio is protected even on an S-OFF phone. It's just that signatures are not checked by HBOOT so you can use HBOOT to flash whatever Radio you want, but I don't think you'll be able to write from within Android. At least not without the modifications to the kernel that would also enable you to write to the Radio partition on an S-ON phone.
 

Antagonist42

Senior Member
Feb 5, 2012
CM support seems to me to have more to do with the 'most widely used' phones than with the chip or Android version, as vendors can add/change the boot-up to Android and each vendor can be different, even down to MTD partition order/naming.

I've been trying to figure out what exactly the 0:MIBIB means (as I haven't found anything relevant towards what it stands for or what it does via googling it; the closest thing I have come across is two separate acronyms), they being:

MI - Machine Instruction .... Which will be slightly obvious although would separate it from other machine code instructions for operation.

BIB - Backwards Indicator Bits ....
The Forward Indicator Bits (FIBs) and Backward Indicator Bits (BIBs) are used for retransmissions. Under normal conditions (no link errors), the FIB and BIB have the same value. As illustrated in Figure 4-9, the field length is 1 bit; therefore, only two values are possible: 0 or 1.
from this...

To me, thinking about it, what if the option to edit this FIB/BIB is now locked for greater security, whereas before those bits may have been ignored or unset? Looking at the diagram on the linked page I can see to a certain degree the block layout of the system partitions used on Android; seeing as we may have to delve deeper to attain S-OFF, we may as well find out all we can from whatever we can, even if it seems odd :D

---------- Post added 3rd May 2012 at 12:01 AM ---------- Previous post was 2nd May 2012 at 11:56 PM ----------

Could the longer reboot times be down to verifying the installed hboot because maybe a pointer/signature/whatever wasn't set before it was installed whereas the original and official updates may be verified before installing therefore no check so shorter boot time?

Added this as well to the found docs
 

Antagonist42

Senior Member
Feb 5, 2012
S-OFF - can or can't?

I don't think we will directly alter the state of S-OFF whilst the system is running, I believe it is Software Implemented either during OS Factory Install or from Vendor Update - my reason being:

Hi all,
Just for information.
Use this to ROOT my phone a couple of days ago and all work fine.

Last night stupidly there was OTA update that I installed and now I also have the 'Hellions with BLUE flames !' problem.

The update was something like 1.013.flex sorry did not write down and that is all I can remember.

Keep up the good work Doomlord

Phone: Acer E320-orange
Android version: 2.3.4
Baseband: C6-1.013.00
Kernel: 2.6.35.7
Build: Acer_E320_1.013.00_EMEA_ORGUK

I hope this helps

I will look at back rev'ing when I have time and post my results.

Found a Russian rooted rom for this device but would still like a way to root the original rom.

Now if, as with this phone, we had all the access open, then the S-ON came with the update, as my phone was updated before I had a chance to run anything (hence my uncertainty as to gaining S-OFF on the Acer E320/C6). So my line of thinking is still that we can gain S-OFF with an update. I think trying to make the MTD drivers may be a long and arduous route to take if we don't know what we're looking for, with trying to access maybe 2, 3 or 4 (Android/yaffs/ext3-4/L4 and possibly OKL-L4) different operating file systems (that doesn't mean we shouldn't still try if needs be ;)).
 

theq86

Senior Member
Jan 6, 2009
HTC OTA updates are normal flashable edify update-zip files (the ones installable by the recovery)

One difference is that they can only be installed using a stock recovery.
Second, the zip contains another zip, called framework.zip.
That framework.zip is a renamed PG76IMG.zip, and, guess what, it is signed.

It is handed to HBOOT, which proceeds as if it were uploaded by an RUU or manually loaded at HBOOT start when a PG76IMG.zip is available.

The update route is not the right way, since we would really need a tool which could sign our custom update with HTC's keys.
 

Wolf Pup

Guest
Wasn't Antagonist 42 onto something about some NAND keys? Or the HTC cryptographic keys?

Sent from my HTC Wildfire S A510e using XDA
 

Wolf Pup

Guest
Who got invited to the Windows 8 App Dev camp? I know I did! Just need to do some partitioning on my hard drive, finish installing Windows 8 and then I'm ready to go!

Sent from my HTC Wildfire S A510e using XDA
 

simonsimons34

Guest
Also invited. PS guys, I have an idea. Can someone decompile the stock recovery? I have an idea but don't have hex arrays or anything of the sort.

Sent from my HTC_A510c using Tapatalk 2
 

theq86

Senior Member
Jan 6, 2009
Also invited. PS guys, I have an idea. Can someone decompile the stock recovery? I have an idea but don't have hex arrays or anything of the sort.

Sent from my HTC_A510c using Tapatalk 2

A recovery image is basically a concatenated file consisting of
* an android kernel image
* an initrd image
* additional metadata

The initrd is a gzipped filesystem containing a very basic GNU/Linux system, in which the recovery executable lives.

So that means a recovery works in an Android context.

There is nothing the recovery can do to enforce flashing of a file or disabling signature check. I don't believe a stock recovery will help us.
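The layout theq86 describes (kernel, initrd and a metadata header glued together, with the initrd being a gzipped cpio archive) can be taken apart with a few dozen lines of Python. The script below is an added example for this thread, not code from any of the posters or from HTC; it assumes the original mkbootimg "ANDROID!" header (header version 0, one page of header followed by page-aligned kernel, ramdisk and optional second stage), and the load addresses, file names and "kernel" bytes it builds in demo() are constructed placeholders, not values from a real Wildfire S image. It also recomputes the header's id field, which is only a SHA-1 over the sections that anyone can regenerate; whatever signature HBOOT enforces on an S-ON phone lives outside this header, which is why repacking a recovery by itself gets you nothing.

```python
"""Parse an Android boot/recovery image and list the files in its gzipped initrd.
Added example, not code from the original posts or from HTC. Addresses, names
and 'kernel' bytes in demo() are constructed placeholders."""
import gzip
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[32]
HEADER_FMT = "<8s8I8x16s512s32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 608 bytes; header occupies one page
CPIO_MAGIC = b"070701"                      # SVR4 "newc" cpio, the initrd format

def _pad(buf: bytes, align: int) -> bytes:
    return buf + b"\0" * (-len(buf) % align)

def compute_id(kernel: bytes, ramdisk: bytes, second: bytes) -> bytes:
    """mkbootimg's 'id': SHA-1 over each blob and its length, zero-padded to 32 bytes.
    A checksum anyone can recompute, not a signature; it says nothing about origin."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")

def build_boot_image(kernel: bytes, ramdisk: bytes, second: bytes = b"",
                     page_size: int = 2048, name: bytes = b"", cmdline: bytes = b"") -> bytes:
    # Load addresses below are arbitrary constructed values, not a real device's.
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC,
                      len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                      len(second), 0x10F00000, 0x10000100, page_size,
                      name, cmdline, compute_id(kernel, ramdisk, second))
    return b"".join(_pad(part, page_size) for part in (hdr, kernel, ramdisk, second))

def parse_boot_image(data: bytes) -> dict:
    """Split an image into kernel/ramdisk/second, bounds-checking every offset."""
    if len(data) < HEADER_SIZE or data[:8] != BOOT_MAGIC:
        raise ValueError("bad magic: not an Android boot image")
    (_, ksz, kaddr, rsz, raddr, ssz, _saddr, tags, page,
     name, cmdline, img_id) = struct.unpack_from(HEADER_FMT, data)
    if page < HEADER_SIZE or page & (page - 1):
        raise ValueError("implausible page_size %d" % page)
    sections, off = {}, page            # the header takes exactly one page
    for key, size in (("kernel", ksz), ("ramdisk", rsz), ("second", ssz)):
        if off + size > len(data):
            raise ValueError("%s (%d bytes at %d) runs past end of image" % (key, size, off))
        sections[key] = data[off:off + size]
        off += -(-size // page) * page  # next section starts on a page boundary
    sections.update(page_size=page, kernel_addr=kaddr, ramdisk_addr=raddr, tags_addr=tags,
                    name=name.rstrip(b"\0").decode(), cmdline=cmdline.rstrip(b"\0").decode(),
                    id_ok=img_id == compute_id(sections["kernel"], sections["ramdisk"],
                                               sections["second"]))
    return sections

def cpio_entry(name: str, data: bytes, mode: int = 0o100755) -> bytes:
    """One newc entry: 110-byte ASCII-hex header, NUL-terminated name, 4-byte-aligned data."""
    n = name.encode() + b"\0"
    fields = (1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    hdr = CPIO_MAGIC + b"".join(b"%08X" % f for f in fields) + n
    return _pad(hdr, 4) + _pad(data, 4)

def list_cpio(buf: bytes) -> list:
    """Walk a newc archive and return its file names, stopping at the TRAILER!!! entry."""
    names, off = [], 0
    while off + 110 <= len(buf):
        if buf[off:off + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio header at offset %d" % off)
        filesize = int(buf[off + 54:off + 62], 16)
        namesize = int(buf[off + 94:off + 102], 16)
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        off += (110 + namesize + 3) & ~3
        off += (filesize + 3) & ~3
    return names

def demo() -> dict:
    # Constructed mini-initrd with the pieces a recovery needs; contents are placeholders.
    ramdisk = gzip.compress(
        cpio_entry("init", b"#!/sbin/sh\nexec /sbin/recovery\n")
        + cpio_entry("sbin/recovery", b"\x7fELF" + b"\0" * 60)
        + cpio_entry("default.prop", b"ro.secure=1\nro.debuggable=0\n", 0o100644)
        + cpio_entry("TRAILER!!!", b""))
    img = build_boot_image(b"\x00\x00\xa0\xe1" * 64, ramdisk,   # 64 ARM NOPs as 'kernel'
                           name=b"demo", cmdline=b"console=null")
    parsed = parse_boot_image(img)
    return {"files": list_cpio(gzip.decompress(parsed["ramdisk"])), "id_ok": parsed["id_ok"],
            "cmdline": parsed["cmdline"], "kernel_len": len(parsed["kernel"])}

if __name__ == "__main__":
    print(demo())
```

Pointing parse_boot_image() at a recovery.img dumped from an MTD partition gives you the kernel and ramdisk as separate blobs; gzip.decompress() on the ramdisk and list_cpio() on the result shows where /sbin/recovery sits. Flipping one byte of the kernel makes id_ok false, but since the id is a plain SHA-1 you can just rebuild it with build_boot_image(), which is exactly why that field is not what keeps a modified image off an S-ON phone.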
 
