AMSS, Bootloader Questions

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Someone tested briefly on Wave 2 (S8530)...
Thanx :good: :good:

So it seems "step 1" is not mandatory. So for S8500 1 package is enough to demonstrate RSA 1024 Check OFF in Bootloader Chain...

Same like 1 post before...

1.
Multiloader and choose ONLY Boot Change.

Expect no magic at the moment.
It's only a demonstration that Boot is now ready to modify. :D

Again.
At your own risk.

Modification to Boot is NOT without risk.

Only play if you have RIFF Box or other JTAG to reanimate...

Best Regards
 

Attachments
  • S8500XXLA1Example.rar (1.7 MB)

franzest15

Senior Member
Jan 7, 2013
128
6
Again.

Bootloader play is DANGEROUS.

Please read carefully and:
AT your OWN RISK!

Files for S8530 Wave 2... based on XXLA1 DBT Boot...

1.
See Screenshot.
ONLY Boot Change needed.

2.
Use at first this file's content...
XXLA1_S8530_SecurityOFF.rar

Please unpack before. :D
You can see then folder:
BOOTSecurityOFF with 2 files...

3.
If the handset starts... and does not explode... you could try the second folder... Example from second_S8530_Example.rar


Good luck.

Now I will upload soon for S8500...

Best Regards

I already flashed the two Boot files, sir. Now what will the new outcome of my Wave 2 be? Will it be faster, sir? :fingers-crossed:
 

adfree

If you now enter Download Mode...

You see something else than Download Mode...
And in Multiloader you see something else than LISMORE.

Thank you very much for testing. :good:

Best Regards

Edit 1.
I already flashed the two Boot files, sir. Now what will the new outcome of my Wave 2 be? Will it be faster, sir?

NOT faster yet. But now it is evidence that the Bootloader is no longer unmodifiable.

Remember why we have limitations and why we have to use FOTA.
Because the Bootloader was STRONGLY secured.

Now Security is removed in Bootloader... :angel:
Not all but the RSA 1024 Check of whole boot_loader.mbn...

Best Regards
 

hero355

Senior Member
Dec 10, 2011
1,674
1,882
Baku
If you now enter Download Mode...

You see something else than Download Mode...
And in Multiloader you see something else than LISMORE.

Thank you very much for testing. :good:

Best Regards

ehehe, previously I flashed it in Kies-download mode

Now I see Download FREE :D

and ML Ready - [FREE@3!]

Nice progress :)

Good Luck and I'm here all time for testing
 

adfree

Now I see Download FREE

and ML Ready - [FREE@3!]

:D

It's a simple text edit, but it was never seen before.
I have never seen this before.

Only oleg_k was able to use custom Bootloader... with RIFF JTAG...
I don't know any details about his work...

Now we could use knowledge about Boot to do some real tweaking...

WARNING again.

Bootloader is the brain of the handset...

If you edit wrong or make other mistakes or accidents... then the handset is dead... and only JTAG hardware can help to reanimate...

Be very careful with your own experiments.

Best Regards
 

hero355

Just a little stupid question: if you broke (removed) the security in the bootloader, then what do we gain with this?
e.g. real Android could be possible? Full RAM without bada?

:)
 

adfree

In theory we could now do more than with FOTA.

Like S8000 JET used own Bootloader...

But we need more brain... :eek:

I have not enough brain...

Experts are:
b.kubica
mijoma
Rebellos

Alphabetical order... If I have forgotten someone, sorry.

Also new experts are welcome. :cool:

Only a hint again.
You cannot play with the Bootloader without RIFF or other JTAG to have a backup...

Otherwise 1 wrong move and you cannot use your handset anymore...

It's dangerous.

Best Regards
 

franzest15

Only a hint again.
You cannot play with the Bootloader without RIFF or other JTAG to have a backup...

Otherwise 1 wrong move and you cannot use your handset anymore...

It's dangerous.

Best Regards

Yeah, you're right. At first I made a mistake, then my phone was stuck on the boot logo... I re-flashed it and did it again :laugh:
 

oleg_k

Retired Recognized Developer
Dec 19, 2005
183
620
Moscow
:D :cool: :victory:

Bingo.


I got it. Now I can modify boot_loader.mbn and simply flash via Multiloader.

First stupid test again... text change...

My DL Mode now displays:
Download FREE
instead
Download Mode

:cool::cool::cool::cool::cool::cool:

2 f. years later...

XXJEB...

Now I will check if I can play with XXLA1 Boot...

Best Regards

P.S.:

Need user with RIFF Box to confirm working solution.

I can provide all necessary steps...
Simple ask me.

WARNING!
CMM Script seems needed and no idea if safe for enduser...

But for me it works. :p

If this is for the S8600, I'm ready to test! Send the manual ;)
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Code:
/ f /   / g /   / h /   / d e v / m s 0   / d e v / m s 1   / d e v / m s 2   / f / C S C   / S y s t e m F S / I S O   / f / S y s t e m F S I S O   / h / b a d a   / S y s t e m F S / M e d i a   / f / S y s t e m F S M e d i a   / S y s t e m F S / P o w e r O n O f f   / f / S y s t e m F S P o w e r O n O f f   / g   / O s p   / f / M a s s   / U s e r / M a s s   / S y s t e m F S / M e d i a S e t   / f / S y s t e m F S M e d i a S e t   / A p p E x   / h / a p p e x   b t f s   d e v f s


This is funny...
If I rename P o w e r O n O f f folder in boot_loader.mbn...
After init of Full Flash... this folder is empty... no files...
Power ONOFF Animation not played...

Will do some tests...

Best Regards

Edit 1.

Strange.
I can not find my renamed folder 1 o w e r O n O f f...
Folder in STune is empty... I can create folders, but it is removed by "Ghost" after Restart...

Maybe my fault was both text strings "Power" to edit...
 

princepsp

Senior Member
Apr 19, 2011
68
7
Code:
/ f /   / g /   / h /   / d e v / m s 0   / d e v / m s 1   / d e v / m s 2   / f / C S C   / S y s t e m F S / I S O   / f / S y s t e m F S I S O   / h / b a d a   / S y s t e m F S / M e d i a   / f / S y s t e m F S M e d i a   / S y s t e m F S / P o w e r O n O f f   / f / S y s t e m F S P o w e r O n O f f   / g   / O s p   / f / M a s s   / U s e r / M a s s   / S y s t e m F S / M e d i a S e t   / f / S y s t e m F S M e d i a S e t   / A p p E x   / h / a p p e x   b t f s   d e v f s


This is funny...
If I rename P o w e r O n O f f folder in boot_loader.mbn...
After init of Full Flash... this folder is empty... no files...
Power ONOFF Animation not played...

Will do some tests...

Best Regards

Edit 1.

Strange.
I can not find my renamed folder 1 o w e r O n O f f...
Folder in STune is empty... I can create folders, but it is removed by "Ghost" after Restart...

Maybe my fault was both text strings "Power" to edit...

Attention: the following answer is so much noobish and stupid.

Maybe it doesn't support big letters? Like "P"ower
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Code:
/f/
/g/
/h/
/dev/ms0
/dev/ms1
/dev/ms2
/f/CSC
/SystemFS/ISO
/f/SystemFSISO
/h/bada
/SystemFS/Media
/f/SystemFSMedia
/SystemFS/PowerOnOff
/f/SystemFSPowerOnOff
/g
/Osp
/f/Mass
/User/Mass
/SystemFS/MediaSet
/f/SystemFSMediaSet
/AppEx
/h/appex
btfs
devfs


But this seems normal, as other folders are also without...
Looks like some kind of "convert"...

First I thought this is about hidden folders or about write protection...
:confused: :eek:

Will do some tests... :D
Maybe later more clear to me.

First try was this:
Code:
/SystemFS/1owerOnOff
/f/SystemFS1owerOnOff

Now I will test:
Code:
/SystemFS/1owerOnOff
/f/SystemFSPowerOnOff

and then:
Code:
/SystemFS/PowerOnOff
/f/SystemFS1owerOnOff

Maybe then I know what it is...

Best Regards

Edit 1.

Didn't realize that PowerOnOff is 4 x in boot_loader.mbn...
2 x Unicode
2 x "normal text" string...
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Back to Partition Table or reserved area for Multiloader...

I want to find this value for the start address of apps_compressed.bin:
0x01100000

In the ELF I can find this as text... in the binary it seems not, or I am blind...
Text string from ELF:
Code:
FLASH_CODE_START_ADDR 0x01100000

01100000 I can't find as text nor as Unicode...

01100000 as HEX value I can find 6 x

Maybe XPKD6 can help me to identify the correct area... here at 01300000 OneNAND is reserved...

Or if Little Endian... then I need to find correct:
Code:
0000100100
7x
Or maybe only 4 Byte
Code:
00001001
10x hits...

Sounds not much... I will check... :D and compare with XPKD6... maybe then more clear to me...

Best Regards

Edit 1.
Maybe near text string LISMORE...
 
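As an added example (not code from the thread), a small Python helper that performs the searches adfree describes above: a 32-bit address in little-endian and big-endian byte order (and as hex text, which is why 01100000 is not found in the text pane), and a path stored both as ASCII and as UTF-16LE (which is why PowerOnOff has 4 hits, 2 of them Unicode). Hits are counted overlapping, like the "6 x" / "10 x" counts in the post; the sample image is constructed, not a real boot_loader.mbn.

```python
import struct

def find_all(blob: bytes, needle: bytes) -> list:
    """Every (possibly overlapping) offset at which needle occurs in blob."""
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits

def find_u32(blob: bytes, value: int) -> dict:
    """Offsets of a 32-bit value as little-endian bytes, as big-endian bytes,
    and as the 8-character hex text a hex editor's text pane would show."""
    return {
        "le": find_all(blob, struct.pack("<I", value)),
        "be": find_all(blob, struct.pack(">I", value)),
        "hex_text": find_all(blob, f"{value:08X}".encode("ascii")),
    }

def find_text(blob: bytes, text: str) -> dict:
    """Offsets of a string stored as plain ASCII and as UTF-16LE (the form a
    hex editor shows as 'P o w e r O n O f f' because of the interleaved NULs)."""
    return {
        "ascii": find_all(blob, text.encode("ascii")),
        "utf16le": find_all(blob, text.encode("utf-16-le")),
    }

# Constructed sample image (NOT a real boot_loader.mbn): padding, the start
# address twice little-endian and once big-endian, then the same path stored
# twice as ASCII and twice as UTF-16LE.
SAMPLE = (
    b"\xff" * 16
    + struct.pack("<I", 0x01100000) + b"\x00" * 4
    + struct.pack("<I", 0x01100000) + struct.pack(">I", 0x01100000)
    + b"/SystemFS/PowerOnOff\x00/f/SystemFSPowerOnOff\x00"
    + "/SystemFS/PowerOnOff".encode("utf-16-le") + b"\x00\x00"
    + "/f/SystemFSPowerOnOff".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(find_u32(SAMPLE, 0x01100000))    # le at [16, 24], be at [28], hex_text []
    print(find_text(SAMPLE, "PowerOnOff"))  # 2 ASCII hits, 2 UTF-16LE hits
```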

hero355

Senior Member
Dec 10, 2011
1,674
1,882
Baku
Back to Partition Table or reserved area for Multiloader...

I want to find this value for the start address of apps_compressed.bin:
0x01100000

In the ELF I can find this as text... in the binary it seems not, or I am blind...
Text string from ELF:
Code:
FLASH_CODE_START_ADDR 0x01100000

If you succeed, then can we flash Korean models' firmwares to S8530/S8600?

:highfive:
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
If you succeed, then can we flash Korean models' firmwares to S8530/S8600?

This could be 1 sideeffect. To solve problems like this:
http://xdaforums.com/showthread.php?t=2088981

S8530 and M210S...

But for S8600 and M410S and M410K other mechanism...
Partition Table is easier to find...
partition.bin

But more risk... as I have no solution nor tested...
S8600 is pure Qualcomm and JTAG with S8600 is much much harder... not tested yet...

Best Regards
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Okay, this looks not wrong...
Little Endian and it makes sense... :D

S8500 XXLA1...

HEX
reversed order for apps_compressed.bin

Code:
00008019
RC1

Code:
0000901D
RC2

Code:
0000700B
:confused:
No idea yet...

You can see these addresses also in Multiloader...

Time for few stupid tests... :D

Best Regards

Edit 1.
These addresses seem to have no effect... I have overwritten 16 bytes with 00000... S8500 did not explode. Normal start...

No other addresses reserved in ML

Edit 2.
FLASH_BML_BL3_2ND_START_ADDR (0x0B700000)
 

Attachments
  • partTableadresses1.png (13.1 KB)

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
I'm searching for boot_loader.mbn based on XXLA1 with minor differences...
perfect if addresses in Multiloader are different...

For instance Boot from chinese ZCLB4 this time 1:1 same reserved addresses...
Only Sigs and Date differ...

Will check my HDs...

Best Regards

Edit 1.
DTM BOLE1 maybe... but too many differences to compare easily... but ELFs included... seems no different addresses in ML
ERA LC2... with ELFs
INU DDLC2 with ELFs
MAX ... with ELF
TEN LG1 with ELF
THL LD1 with ELF

Edit 2.
Movistar_VM is also based on XXLA1 Boot... only date different and... GT-S8500L...
Will check M210S Firmware... if S8530 or ...
 

Top Liked Posts

@ho1od:
Have a look at my previous post in this thread (post #21) on how the keys are used for file signing and where the locations of the signatures are.

Best Regards,
mijoma
I've investigated the JTAG dump...

The first 4 MB in the 2 GByte moviNAND look like this:

Code:
000000-16BB0E		Boot	boot_loader.mbn (not encrypted)
16BB10-1BFF7F			337 KB 0000 (empty) part of Boot
1BFF80-1BFFFF		???	128 Bytes (RSA ???)
1C0000-1FFFFF			256 KB FFFF (empty)
200000-244B27		DBL	dbl.mbn
244B28-3FFFFF			1,7 MB FFFF (empty)
400000			AMSS	amss.bin

Now I spent some time to find the used boot_loader.mbn and dbl.mbn to be sure that no additional data is written... this takes some time...

Edit:
In this dump version S8500+XX+JD9 is used. I hope I will find firmware with boot files to compare...

Edit 2.
S8500XXJD2.zip no Bootfiles
S8500XXJD3.zip no Bootfiles
S8500XXJD4.zip no Bootfiles
S8500XXJDA.zip no Bootfiles
S8500XXJDB.zip no Bootfiles

I found 4-5 packages with XXJDx in the name... now I will download them all. Hopefully I find boot files that match S8500+XX+JD9

Edit 3.
Found only XXJDx without Bootfiles... :(
Last try for today is S8500XXJDZ.zip, but I have download problems... need more than 2 hours...
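As an added example (not from the thread), this Python check compares a dump against the region table in the post above and reports any non-fill byte in a region that should be empty, which is the "no additional data is written" question the post raises. Region bounds and fill values come from the post; the 4 MB sample dump is constructed.

```python
LAYOUT = [
    # (start, end inclusive, name, expected fill byte or None for a payload)
    (0x000000, 0x16BB0E, "boot_loader.mbn", None),
    (0x16BB10, 0x1BFF7F, "empty after Boot", 0x00),
    (0x1BFF80, 0x1BFFFF, "128-byte block (RSA?)", None),
    (0x1C0000, 0x1FFFFF, "empty before DBL", 0xFF),
    (0x200000, 0x244B27, "dbl.mbn", None),
    (0x244B28, 0x3FFFFF, "empty before AMSS", 0xFF),
]
AMSS_START = 0x400000

def check_layout(dump: bytes) -> list:
    """One finding per region: (name, status, detail)."""
    findings = []
    for start, end, name, fill in LAYOUT:
        region = dump[start:end + 1]
        if len(region) != end - start + 1:
            findings.append((name, "truncated", len(region)))
            continue
        if fill is None:
            findings.append((name, "payload", len(region)))
            continue
        # Any byte that differs from the fill value is data that should not be there.
        stray = [i for i, b in enumerate(region) if b != fill]
        if stray:
            findings.append((name, "unexpected data", start + stray[0]))
        else:
            findings.append((name, "empty", len(region)))
    return findings

def carve(dump: bytes, name: str) -> bytes:
    """Slice out a named payload region, e.g. the 128-byte block at 1BFF80."""
    for start, end, n, _ in LAYOUT:
        if n == name:
            return bytes(dump[start:end + 1])
    raise KeyError(name)

def build_sample(stray_at: int = -1) -> bytearray:
    """Constructed 4 MB dump following LAYOUT; optionally plant one stray byte."""
    dump = bytearray(b"\xff" * AMSS_START)
    dump[0x000000:0x16BB0F] = b"\xaa" * 0x16BB0F                  # fake Boot payload
    dump[0x16BB10:0x1BFF80] = b"\x00" * (0x1BFF80 - 0x16BB10)      # 0000 area
    dump[0x1BFF80:0x1C0000] = b"\x5a" * 0x80                       # fake 128-byte block
    dump[0x200000:0x244B28] = b"\xbb" * (0x244B28 - 0x200000)      # fake DBL payload
    if stray_at >= 0:
        dump[stray_at] = 0x42
    return dump
```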
Yes, interesting. Like a log file / flash history... if I search for tktoolver...
This is far after 500 MB...
I hope this is not relevant for Boot.

Position 1BFF80-1BFFFF looks really like RSA 1024...
I think this is the signature... maybe. So boot_loader.mbn is signed by RSA 1024.

Looks like you're right - there's some sort of history log including encrypted signatures of the versions and their SHA-1 hashes (4 encrypted blocks per entry - two versions and two hashes) and some plaintext data including PC name and country.
The block starts at 1E800000 with two magic numbers (A3B4C5D6 and DD620CBA) and is 128 kB long, while each entry is 4 kB in distance from the beginning of the previous one and 512 B long.

About the .mbn signing, the signature is located in the last 1024 bytes that are not encrypted. There are 3 different public keys hardcoded in the bootloader - development (BF1834...1F76F1), mass production and future. All of them are 512 bits long and use a public exponent of 2^16+1.
I haven't found anything (using exhaustive search on the whole memory) signed with the two latter keys (prod and future), but any of them can be used for signing. There are three things signed with the 512-bit key that the bootloader recognizes as a development key (offsets within these last 1024 bytes):
1 (at offset 4C). Version string - "Samsung:[some 4 bytes]:[version - i.e. 'S8500+XE+JF5', 'S8500+XX+JF7', ...]"
2 (at offset 8C). SHA-1 hash of an empty buffer (DA39...0901)
3 (at offset 1A8). Some SHA-1 hash (I don't know yet what exactly is hashed)
The four bytes that are in the version string are not constant (magic), but are different in each version; I haven't found what that is.
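As an added example (not code from the thread), a Python walker for the history block described above: it checks the two magic numbers, visits the 512-byte entries at 4 kB stride through the 128 kB block, and pulls printable runs out of each used entry to surface the plaintext (PC name, country) next to the encrypted blocks. The little-endian byte order of the magics, their position at offset 0, slot 0 being the header slot, and 0xFF/0x00 as the unused fill are my assumptions, not stated in the post; the block is constructed.

```python
import struct

BLOCK_LEN, SLOT_STRIDE, ENTRY_LEN = 0x20000, 0x1000, 0x200
# Assumption: both magics stored little-endian at the start of the block.
MAGIC = struct.pack("<II", 0xA3B4C5D6, 0xDD620CBA)

def has_magic(block: bytes) -> bool:
    return block[:8] == MAGIC

def ascii_runs(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs (like `strings`) of at least min_len characters."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

def parse_history(block: bytes) -> list:
    """(slot, offset, entry_bytes, plaintext_runs) for every used 512-byte slot."""
    if len(block) < BLOCK_LEN or not has_magic(block):
        raise ValueError("not a history block (bad length or magic)")
    used = []
    for slot in range(BLOCK_LEN // SLOT_STRIDE):      # 32 slots, 4 kB apart
        off = slot * SLOT_STRIDE
        entry = block[off:off + ENTRY_LEN]
        if entry == b"\xff" * ENTRY_LEN or entry == b"\x00" * ENTRY_LEN:
            continue                                  # assumed unused-slot fill
        used.append((slot, off, entry, ascii_runs(entry)))
    return used

def build_sample() -> bytes:
    """Constructed block: magic header in slot 0, two entries, the rest unused."""
    block = bytearray(b"\xff" * BLOCK_LEN)
    block[0:8] = MAGIC
    for slot, pc in ((1, b"LAB-PC"), (2, b"WS-0042")):
        off = slot * SLOT_STRIDE
        entry = bytes(range(32)) * 8                  # stand-in for 4 encrypted blocks
        entry += b"\x00PCNAME=" + pc + b"\x00COUNTRY=DE\x00"
        block[off:off + len(entry)] = entry
    return bytes(block)
```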
Hi All.
Now I'm playing with porting Android to my S8500.
I see that the Korean M130K is very similar to our S8500 (SHW-M120S),
see pics and files from the FCC site.
And now I'm looking for bootloader files for the M130K.
Also, I have a RIFF box ;)