[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!


theq86 (Senior Member)
Ok. And will my exotic memory be a problem?

Sent from a Time Lord, using his TARDIS.

Well, we still have not discovered why those "exotic" memory layouts exist. n.h.b. thinks it is because of a wrong mapping. But we can check whether it is right.
However, yes, it is a problem.

Let's say nhb is right (we can investigate this step by step, if you want);
then you'd only need to change the mapping values, and if we got the right memory area you'd be ok.

If there really is an exotic variant (which would be very suspicious) then we'd probably have to get behind it first.
 
Wolf Pup (Guest)
Ok. I think that I got it while playing with ROM 01. I bricked my phone. How would I go about fixing it? It seems like a lot of trouble, because if the others have exotic memory and try an exploit, their phone might be long gone. Perhaps it was put there by HTC. By the way, if you need help with the kernel, have you asked drowningchild?

Sent from a Time Lord, using his TARDIS.
 

no.human.being (Senior Member)
Well, we still have not discovered why those "exotic" memory layouts exist. n.h.b. thinks it is because of a wrong mapping. But we can check whether it is right.
However, yes, it is a problem.

Let's say nhb is right (we can investigate this step by step, if you want);
then you'd only need to change the mapping values, and if we got the right memory area you'd be ok.

If there really is an exotic variant (which would be very suspicious) then we'd probably have to get behind it first.

@Bad-Wolf: Just do a "cat /proc/mtd" while booted into your ROM and post the output here. And tell us your RADIO and HBOOT versions please. We'll check whether the partition mapping matches anything we've seen so far.

If the partition mapping is "exotic", we could build a different set of kernel parameters for you with which you could check out the exploit again. It's currently available for downloading again here, but it could really brick (well, most likely not, since the mtdutils won't erase, but you never know :D ) when run with the "--disengage-the-safety" parameter supplied, so this is not for the faint of heart.

If the partition mapping is "stock" and you provided the correct kernel parameters, but the exploit doesn't get through to "Done!" on your phone (you can also check this without the "--disengage-the-safety" parameter supplied, which will do the patching in "RAM" only and then discard it, so it's a good check whether it would work that doesn't write to NAND and as such shouldn't brick), then the only reasonable explanation is that the HBOOT has "moved" within the Radio partition for some reason. To find the correct offset for your handset, we would then need a full dump of your Radio partition to search where the HBOOT starts inside the partition. However, as the Radio contains sensitive information (IMEI, etc.) this is just some kind of a last resort.

Btw, I have taken care to "safely dispose" of the Radio dumps that some of you provided in the early development phase. Thank you very much so far.
 

theq86 (Senior Member)
Thanks, nhb. I was planning to investigate what's up with bad-wolf's phone, including getting him a partition mapping and, if it fails, maybe clearing and reinstalling everything new and checking again.
 
Wolf Pup (Guest)
My phone isn't bricked anymore. Unfortunately, I can't run those commands now; I'm supposed to be asleep, plus I've got a serious pain. Can I run the cat /proc/mtd thing from terminal emulator?

Sent from a Time Lord, using his TARDIS.
 

no.human.being (Senior Member)
My phone isn't bricked anymore. Unfortunately, I can't run those commands now; I'm supposed to be asleep, plus I've got a serious pain. Can I run the cat /proc/mtd thing from terminal emulator?

Yes you can. However, adb shell is more comfortable for copying the numbers out, especially since they usually contain a large amount of zeroes and you can't accidentally "drop" one when using copy/paste from adb. :D

EDIT: Damn, someone was faster! :D
 
Wolf Pup (Guest)
Thank you. Never had a pain like this last this long. It's around the heart region. Gimme a sec, just need to do what nhb said.

Sent from a Time Lord, using his TARDIS.
 
Wolf Pup (Guest)
sh-3.2$ export PATH=/data/local/bin:$PATH
sh-3.2$ cat /proc/mtd
dev: size erasesize name
mtd0: 000a0000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00340000 00020000 "boot"
mtd3: 10d60000 00020000 "system"
mtd4: 02300000 00020000 "cache"
mtd5: 09600000 00020000 "userdata"
mtd6: 00a00000 00020000 "devlog"
sh-3.2$

Mtd7 seems to have disappeared. Just need to get version numbers now.

Sent from a Time Lord, using his TARDIS.
 

no.human.being (Senior Member)
Looks like a normal RADIO-7.54.39 / HBOOT-1.09.0099 partitioning. "mtd7" is only available when booting with a custom mapping, which we didn't do here since we wanted to have "stock" mapping.

So exploit should get through (claiming "Done!") when booted into recovery with the command line for RADIO-7.54.39 / HBOOT-1.09.0099 (the lower one on this post). If it doesn't, it means your HBOOT has "wandered" inside the Radio partition for some reason.
 

theq86 (Senior Member)
Looks like a normal RADIO-7.54.39 / HBOOT-1.09.0099 partitioning. "mtd7" is only available when booting with a custom mapping, which we didn't do here since we wanted to have "stock" mapping.

confirmed.

bad-wolf: try the following:
Code:
fastboot -c "mtdparts=msm_nand:0x000a0000@0x1FF60000(misc),0x00500000@0x026C0000(recovery),0x00340000@0x02BC0000(boot),0x10d60000@0x02F00000(system),0x02300000@0x13C60000(cache),0x09600000@0x16960000(userdata),0x00a00000@0x15F60000(devlog),0x00080000@0x02400000(hboot)" boot recovery.img
with recovery.img (cwm 5.0.2.8)
mount /sdcard in recovery

this would map your hboot (only hboot) to mtd7

then adb shell again,
then
Code:
cat /proc/mtd
then
Code:
dump_image hboot /sdcard/hboot.nb0


then upload.
 
Wolf Pup (Guest)
Hboot

1.08.0099

Radio

7.53.39.03M

Something is wrong. I haven't applied the OTA update. Don't think I want to.

Sent from a Time Lord, using his TARDIS.
 

theq86 (Senior Member)
Hboot

1.08.0099

Radio

7.53.39.03M

Something is wrong. I haven't applied the OTA update. Don't think I want to.

Sent from a Time Lord, using his TARDIS.

If you have 1.08.0099 and 7.53.39.03M but the mapping of RADIO-7.54.39 / HBOOT-1.09.0099, then it surely produced bull**** when mapping for 1.08.0099.

But what the hell? Old versions but new partitioning?
 
Wolf Pup (Guest)
Old man with plastic surgery.

You see, that's what makes it exotic. If it helps, I got the phone unbranded and new from eBay.

Sent from a Time Lord, using his TARDIS.
 
Wolf Pup (Guest)
confirmed.

bad-wolf: try the following:
Code:
fastboot -c "mtdparts=msm_nand:0x000a0000@0x1FF60000(misc),0x00500000@0x026C0000(recovery),0x00340000@0x02BC0000(boot),0x10d60000@0x02F00000(system),0x02300000@0x13C60000(cache),0x09600000@0x16960000(userdata),0x00a00000@0x15F60000(devlog),0x00080000@0x02400000(hboot)" boot recovery.img
with recovery.img (cwm 5.0.2.8)
mount /sdcard in recovery

this would map your hboot (only hboot) to mtd7

then adb shell again,
then
Code:
cat /proc/mtd
then
Code:
dump_image hboot /sdcard/hboot.nb0


then upload.

I'll do it tomorrow. What are the possible causes of this? If it helps, I've used the old exploit that eoghan2t7 made, that only mucked up the camera. Btw, am I the only one who saw the xtc clip site was down?

Sent from a Time Lord, using his TARDIS.
 

no.human.being (Senior Member)
But what the hell? Old versions but new partitioning?

Ok new partitioning. When you supply the kernel parameters for the new Radio and run the exploit on them, does it claim "Done!"?

Do so without the "--disengage-the-safety" parameter supplied, so just "./inject /dev/mtd/mtd7", as we don't want to write to NAND (yet).

The exploit doesn't "see" the partition layout, only the kernel does. So as long as the HBOOT itself is original code of the 1.08.0099 the exploit might get through. If it does, we're probably already supporting your phone.
 

theq86 (Senior Member)
I'll do it tomorrow. What are the possible causes of this? If it helps, I've used the old exploit that eoghan2t7 made, that only mucked up the camera. Btw, am I the only one who saw the xtc clip site was down?

Sent from a Time Lord, using his TARDIS.

No possible cause. It's just reading operations.

So in future we will have to distinguish the devices by their partitioning itself and not by the software versions. Good to know.
 
Wolf Pup (Guest)
I'll do it tomorrow. Can one of you guys round up what I should do? :confused:

Sent from a Time Lord, using his TARDIS.
 

no.human.being (Senior Member)
So in future we will have to distinguish the devices by their partitioning itself and not by the software versions. Good to know.

Might consider building a "partition helper" app that reads and parses "/proc/mtd" and does all the calculation on its own, then generates a suitable Fastboot command line. Would improve usability a lot. :D

But of course we'll get it "done" first and then "polish". :D
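Putting theq86's step list (boot a recovery with a custom `-c "mtdparts=..."` line, then `cat /proc/mtd` and `dump_image hboot`) together with nhb's "partition helper" idea and the point that devices should be told apart by their partitioning rather than by version strings, here is an added example; it is not code from this thread or from the S-OFF project. It parses the `cat /proc/mtd` output posted earlier, fingerprints the layout by the (name, size) sequence, chains the sizes into NAND offsets, checks alignment and overlap, and emits the same `fastboot -c` line theq86 gave, with `hboot` appended last so it shows up as mtd7. Everything that is not in `/proc/mtd` is an assumption read off theq86's command line, not an HTC-documented value: the physical order (its offsets chain contiguously as recovery, boot, system, cache, devlog, userdata, misc), the recovery base `0x026C0000`, the hboot offset and size, and the `0x20000000` (512 MiB) bound where that layout ends.

```python
"""Generate the fastboot -c "mtdparts=..." line from /proc/mtd output.

Added example, not code from the thread or the S-OFF project. Labelled
assumptions (all taken from theq86's command line, not from HTC):
  * PHYSICAL_ORDER / RECOVERY_BASE: the stock partitions lie back to back
    in that order starting at RECOVERY_BASE;
  * HBOOT_OFFSET / HBOOT_SIZE: where the hboot region is mapped;
  * NAND_SIZE: the chained layout ends exactly at 0x20000000 (512 MiB).
"""
import re

MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"([^"]+)"$')

PHYSICAL_ORDER = ["recovery", "boot", "system", "cache", "devlog", "userdata", "misc"]
RECOVERY_BASE = 0x026C0000   # assumption, from theq86's line
HBOOT_OFFSET = 0x02400000    # assumption, from theq86's line
HBOOT_SIZE = 0x00080000      # assumption, from theq86's line
NAND_SIZE = 0x20000000       # assumption: end of the chained layout (512 MiB)

# Constructed sample: Wolf Pup's /proc/mtd output from earlier in the thread.
SAMPLE_PROC_MTD = """\
dev: size erasesize name
mtd0: 000a0000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00340000 00020000 "boot"
mtd3: 10d60000 00020000 "system"
mtd4: 02300000 00020000 "cache"
mtd5: 09600000 00020000 "userdata"
mtd6: 00a00000 00020000 "devlog"
"""

# Layouts keyed by their (name, size) sequence; only the one the thread
# identifies is listed. Version strings are deliberately not part of the key.
KNOWN_LAYOUTS = {
    (("misc", 0x000A0000), ("recovery", 0x00500000), ("boot", 0x00340000),
     ("system", 0x10D60000), ("cache", 0x02300000), ("userdata", 0x09600000),
     ("devlog", 0x00A00000)): "RADIO-7.54.39 / HBOOT-1.09.0099 (stock)",
}


def parse_proc_mtd(text):
    """Return [(index, name, size, erasesize), ...] in /proc/mtd order."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            idx, size, erase, name = m.groups()
            parts.append((int(idx), name, int(size, 16), int(erase, 16)))
    if not parts:
        raise ValueError("no mtdN lines found in input")
    return parts


def identify_layout(parts):
    """Fingerprint by partition names and sizes, as the thread concludes one has to."""
    key = tuple((name, size) for _, name, size, _ in parts)
    return KNOWN_LAYOUTS.get(key, "unknown layout")


def chain_offsets(parts, order=PHYSICAL_ORDER, base=RECOVERY_BASE):
    """Place the partitions back to back in physical order; return {name: offset}."""
    sizes = {name: size for _, name, size, _ in parts}
    missing = [n for n in order if n not in sizes]
    if missing:
        raise ValueError("partitions missing from /proc/mtd: " + ", ".join(missing))
    offsets, cur = {}, base
    for name in order:
        offsets[name] = cur
        cur += sizes[name]
    if cur > NAND_SIZE:
        raise ValueError(f"layout runs past NAND end: 0x{cur:08X}")
    return offsets


def check_regions(regions, erasesize):
    """Reject misaligned or overlapping (name, offset, size) regions before the kernel sees them."""
    for name, off, size in regions:
        if off % erasesize or size % erasesize:
            raise ValueError(f"{name} is not erase-block aligned")
    ordered = sorted(regions, key=lambda r: r[1])
    for (n1, o1, s1), (n2, o2, _) in zip(ordered, ordered[1:]):
        if o1 + s1 > o2:
            raise ValueError(f"{n1} (0x{o1:08X}+0x{s1:X}) overlaps {n2} at 0x{o2:08X}")


def build_mtdparts(proc_mtd_text, hboot=("hboot", HBOOT_OFFSET, HBOOT_SIZE)):
    """Build the mtdparts= string; the extra region is appended last so it becomes mtd7."""
    parts = parse_proc_mtd(proc_mtd_text)
    offsets = chain_offsets(parts)
    regions = [(name, offsets[name], size) for _, name, size, _ in parts] + [hboot]
    check_regions(regions, parts[0][3])
    entries = [f"0x{size:08x}@0x{offsets[name]:08X}({name})" for _, name, size, _ in parts]
    entries.append(f"0x{hboot[2]:08x}@0x{hboot[1]:08X}({hboot[0]})")
    return "mtdparts=msm_nand:" + ",".join(entries)


def fastboot_command(proc_mtd_text, recovery_image="recovery.img"):
    """The command theq86 posted, generated instead of typed by hand."""
    return f'fastboot -c "{build_mtdparts(proc_mtd_text)}" boot {recovery_image}'


if __name__ == "__main__":
    print(identify_layout(parse_proc_mtd(SAMPLE_PROC_MTD)))
    print(fastboot_command(SAMPLE_PROC_MTD))
```

Feed it the device's own `cat /proc/mtd` output (from adb shell, as nhb suggests, so no digit gets dropped) and paste the printed line into the fastboot step; an overlap or misalignment raises before anything reaches the kernel. Note what it cannot do: it only chains sizes, so, as nhb says, a bootloader that has "wandered" inside the Radio partition will not be detected by this, only by looking at the hboot dump itself.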
 
