
BIOS - NAND - Whatever - Explain

18 posts
By webdawg, Junior Member on 30th July 2012, 12:49 AM
Where is the BIOS in this thing? I get that it has /boot /system and /recovery but where is the firmware that the device very first utilizes?

Does the Streak even have any type of NVRAM memory?
 
 
30th July 2012, 03:06 AM |#2  
Quote:
Originally Posted by webdawg

Where is the BIOS in this thing? I get that it has /boot /system and /recovery but where is the firmware that the device very first utilizes?

Does the Streak even have any type of NVRAM memory?

What are you attempting to do?
30th July 2012, 02:17 PM |#3  
OP Junior Member
Understanding and Hacking
I am trying to understand the device and search for potential exploit vectors. If I take out the inner SD card what type of data does the device still have on it?

It has to have something that starts the boot from the inner SD card. Does this something insert anything into the running code on the device? Can it?

Can, if the device has the type of storage I am talking about, the device record and store even a small amount of data?

I have heard of reference to NAND backups and even seen a quote about how the NAND backup util included in the recovery utils does not backup something. The something I am referring to is not the external SD card.

Web...

Quote:
Originally Posted by Strephon Alkhalikoi

What are you attempting to do?

30th July 2012, 07:20 PM |#4  
Wiki Admin / Recognized Contributor
Why would you need exploit vectors when the system is completely open/unprotected?

The innerSD holds the /data and /cache partitions.
30th July 2012, 07:35 PM |#5  
OP Junior Member
It is like I am not making myself clear enough. A computer has a BIOS which passes boot to the OS/bootloader. Would not the phone have the same thing? If you do not know this answer, do not ask any more questions.

Stop asking why I am asking.

Quote:
Originally Posted by TheManii

Why would you need exploit vectors when the system is completely open/unprotected?

The innerSD holds the /data and /cache partitions.

30th July 2012, 07:47 PM |#6  
Senior Member
Quote:
Originally Posted by webdawg

It is like I am not making myself clear enough. A computer has a BIOS which passes boot to the OS/bootloader. Would not the phone have the same thing? If you do not know this answer, do not ask any more questions.

Stop asking why I am asking.

Unfortunately for you, it seems you don't know what you're doing or why you're even asking about it.

Sent from my GT-I9100 using Tapatalk 2
30th July 2012, 08:33 PM |#7  
OP Junior Member
Okay Then
Quote:
Originally Posted by cdzo72

Unfortunately for you, it seems you don't know what you're doing or why you're even asking about it.

Sent from my GT-I9100 using Tapatalk 2

Please. Unless you have an answer, please do not reply. I know exactly what I am talking about. If the device does not have any NVRAM in it that one could flash to, and only internal memory via SD card, then just say this.
31st July 2012, 02:05 AM |#8  
Quote:
Originally Posted by webdawg

It is like I am not making myself clear enough. A computer has a BIOS which passes boot to the OS/bootloader. Would not the phone have the same thing? If you do not know this answer, do not ask any more questions.

Stop asking why I am asking.

Manii knows far more about the Streak than you do, so if you want your questions answered, I suggest you check that attitude of yours at the door.
31st July 2012, 05:16 AM |#9  
OP Junior Member
Quote:
Originally Posted by Strephon Alkhalikoi

Manii knows far more about the Streak than you do, so if you want your questions answered, I suggest you check that attitude of yours at the door.

You're right. I did not realize it was him; work has an effect on my attention. Sorry, Manii.

I am at home now. Let me try and explain myself.

I just do not get it. All the pages I have read and the research I have done everything tells me that everything is stored on the internal SD card.

But I still have this nagging thought from this page: http://www.rdtk.net/2011/06/25/using...kmod-recovery/ that says this: the firmwares reside on the NAND but in an entirely separate area. Only stock recoveries can write to them under normal circumstances; you can probably read/write them manually but it's dangerous as you can super-brick if you don't know what you're doing.

What the hell is that guy talking about? The way I read it is that an entire subset of firmware exists on the device that only that one webpage has ever talked about. (That I have read)

I have read a lot about BIOS hacks and how they function, inserting code into Windows. Even legitimate code for paid services. Computrace.

I know about the Carrier IQ software. What I do not know about is the software outside the rom, recovery, boot partitions and such that exists on the Dell streak or any Android device.


I suppose my attitude comes from the ton of forum posts that I read with unanswered questions because people wanted to know why the OP is asking such a question.

I took Manii's post the wrong way because of your question, Steven. I did not mean to offend you, and I understand why you ask. For example, I just hate going into support channels and asking questions about an iptables rule and being told that I should relearn Linux networking because...well, just because I did not understand one concept. I took it the same way here.

I apologize to all.

Web...
31st July 2012, 05:56 AM |#10  
Wiki Admin / Recognized Contributor
MTD-based NANDs are more complicated than eMMC NANDs in this aspect, as on MTD NANDs you simply cannot read from the 'hidden' portions of the NAND. On eMMC ones you can.

On eMMC devices you can always read from any eMMC partition, so you can likely make complete backups including your modem (though no custom recovery does this by default; it's still a bad idea).
Fortunately for us, MTD seems to be 'obsolete'; every device that launched with GB installed or newer uses eMMC.

Dell Streak 5/Partition layout - XDA wiki
Dell Streak Pro/Partition layout - XDA wiki
The S5 is an MTD device, the SPro is eMMC; note how the SPro has many more partitions.

The majority of them also exist on the S5, but the only way to access them (safely) is through a stock recovery.
You can write to them with fastboot, but some of them must be unpacked by an updater in the stock recovery. Simply flash them (specific ones) and you'll super-brick; that would require JTAGging at a minimum to fix.
You simply can't read the other MTD partitions without JTAGging (it might be possible with a specifically modified kernel, but you don't gain anything doing this, if at all), assuming that the hidden parts are MTD partitions even. For all we know the controller could be directly writing onto NAND pages with their locations hardcoded (which would kinda be like partitioning, but without the formal partition tables(?)).

There's also a small amount of memory that can only be written (AFAIK) via JTAG.
It contains your device's ID, such as Service tag and IMEI.

On Tegra devices (at least the S7 and S10) it's the WP1 and WP2 partition.
It could be possible that it's on the NAND as an MTD partition, but if it is we don't know about it. It would be insane (and illegal, as changing your IMEI is illegal in most countries) to write to it, so there's never been an example of it. I don't know where they are on the SPro; I'd need a live device to check.

The modem OS itself is stored on the NAND; the modem processor knows (or the bootloader knows) how to feed it its OS image.

Location breakdown:
  • NAND: <everything on the partition layout above, including the below>
    • /system
    • /firstboot
    • boot.img
    • recovery.img
    • amss.mbn
    • appsboot.mbn
    • dbl.mbn
    • dsp1.mbn
    • fsbl.mbn
    • osbl.mbn
    • DT.img
  • The innerSD
    • /data
    • /cache
  • Modem storage (lock state)
  • Device unique data (IMEI and Service tag)
  • RTC (the clock)

I don't know the exact terminology or the exact order of booting on Qualcomm Snapdragons (it's likely to be the same with all, at least in the same generation).
But it's something like:
  1. Press power button
  2. CPU powers up
  3. IPL loads <hardwired onto CPU>
  4. Check if innerSD is valid (this is Streak specific; the device also locks up if it fails, as the loader isn't robust enough to work around it)
  5. Init modem and its firmware <amss.mbn on older devices, non_hlos.bin on newer devices> (FYI modems are themselves complete 'systems' in that they have their own RAM and OS; basebands are complete OS images in most devices)
  6. Check what button combos are pressed
  7. Start booting:
    • If you pressed the recovery mode combo:
      • Load recovery SPL <dbl.mbn? + DT.img>
      • Display SPL menu:
        • Reboot
        • Load Recovery ("update from update.pkg")
          • Read from recovery.img and load it
        • Calibrate screen
    • If you pressed fastboot mode combo:
      • Load the fastboot loader <fsbl.mbn?>
    • If you pressed the download mode combo:
      • Go into download mode (for QDLtool)
  8. If you did not press any combo: begin booting normally
  9. Load dsp1.mbn
  10. Load boot.bin
  11. Linux kernel mounts and starts reading:
    1. /system
    2. /cache
    3. /firstboot
    4. /data
  12. Android boots normally
  13. Boot completes, you're at the lockscreen/home screen

I'm just making educated guesses at which *.mbn does what, as no one's really studied them to the point that they are willing to modify them.
Regardless, they're signed so you can't modify them (we don't know per se that the CPU checks the signatures on *.mbns, but I don't think anyone is willing to risk their device to try anyway).

The kernel images aren't signed; you can simply toss in any kernel that is valid (otherwise it wouldn't boot).

When your device boots, the logo flashes 4 times:
  1. 1st logo: IPL and its logo (possibly hardwired onto chip)
  2. 2nd logo: SPL and its logo (stored in one of the *.mbns)
  3. 3rd logo: UBOOT and the kernel logo (stored with the kernel, sounds like a band name)
  4. 4th logo: bootimage.zip (whatever boot splash is with the installed ROM)
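As an added illustration (not from the thread, Dell, or any XDA tool), here is a Python script that parses a constructed /proc/mtd listing of the kind an MTD-based device like the S5 exposes and reports which of the NAND images from the location breakdown above have no kernel-visible partition at all, which is the practical meaning of "hidden" in the post. The /proc/mtd line format is the Linux kernel's; the partition sizes in the sample are made up.

```python
import re

# Constructed sample in the kernel's /proc/mtd format: "mtdN: size erasesize "name""
# (sizes in hex bytes). Partition names follow the S5 layout discussed above;
# the sizes are made up for illustration.
SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 00400000 00020000 "misc"
mtd1: 00a00000 00020000 "recovery"
mtd2: 00a00000 00020000 "boot"
mtd3: 08000000 00020000 "system"
mtd4: 01000000 00020000 "firstboot"
"""

# Images the post places on the NAND outside any kernel-visible partition.
HIDDEN_IMAGES = ("amss", "appsboot", "dbl", "dsp1", "fsbl", "osbl", "DT")

LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"\s*$', re.I)

def parse_proc_mtd(text):
    """Parse /proc/mtd text into dicts {dev, size, erasesize, name}; the header is skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dev, size, erase, name = m.groups()
            parts.append({"dev": dev, "size": int(size, 16),
                          "erasesize": int(erase, 16), "name": name})
    return parts

def visible_bytes(parts):
    """Total flash the kernel lets you read through /dev/mtd*."""
    return sum(p["size"] for p in parts)

def missing_images(parts, images=HIDDEN_IMAGES):
    """Which NAND images have no MTD partition of the same name (case-insensitive)."""
    names = {p["name"].lower() for p in parts}
    return [i for i in images if i.lower() not in names]

def unaligned(parts):
    """Partitions whose size is not a whole number of erase blocks: a bad line or odd layout."""
    return [p["name"] for p in parts if p["size"] % p["erasesize"]]

if __name__ == "__main__":
    ps = parse_proc_mtd(SAMPLE_PROC_MTD)
    print("visible through MTD:", visible_bytes(ps) // 2**20, "MiB")
    print("NAND images with no MTD partition:", ", ".join(missing_images(ps)))
    print("unaligned partitions:", unaligned(ps) or "none")
```

On a real eMMC device the same check would be done against /proc/partitions or the by-name symlinks instead, since those partitions are all block-visible.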
31st July 2012, 09:55 PM |#11  
OP Junior Member
TheManii,

Thanks for the information. This is everything I wanted to know. If I have anymore questions I will ask later.

Web...