I'm going on vacation Thursday until Sunday so I'll dive in Sunday night. I'm surprised I missed the manual as I had a one x for a month, lol.
Sent from my Galaxy Nexus using Tapatalk 2
BOOT_CONFIG_1 | BOOT_CONFIG_0 | Boot source
0 | 0 | EMER. BOOT (SDC3 FOLLOWED BY USB HS)
0 | 1 | SDC3 FOLLOWED BY SDC1
1 | 0 | SDC3 FOLLOWED BY SDC2
1 | 1 | SDC1 (eMMC, DEFAULT)

BOOT_CONFIG_6 | Mode
0 | Secure Boot
1 | Fast Boot
There are 2 more documents floating around.
I think they have what we need in the boot department.
-------------------------------------------------------------------------------
pad   gpio  name           connection     boot  Rxxx
-------------------------------------------------------------------------------
AH32  119   BOOT_FROM_ROM  ANT_SW_SEL0
AH33  118   BOOT_CONFIG_0  ANT_SW_SEL1    *     R745
AM31  117   BOOT_CONFIG_1  ANT_SW_SEL2    *     R746
AM30  116   BOOT_CONFIG_2  ANT_SW_SEL3
AN30  115   BOOT_CONFIG_3  BC0_SW_SEL0
AM29  114   BOOT_CONFIG_4  BC0_SW_SEL1
AN29  113   BOOT_CONFIG_5  BC1_SW_SEL0
AK28  112   BOOT_CONFIG_6  ANT_SW_SEL4    *     R747
C30   -     RESOUT_N       MSM_RESOUT_N
-------------------------------------------------------------------------------
* ANT_SW_SEL[1,2,4] == BOOT_CONFIG_[0,1,6] are kept high through
R = [R745, R746, R747] via Q700 when MSM_RESOUT_N is high (???).
-------------------------------------------------------------------------------
R         2007-008516  R-CHIP;10Kohm,5%,1/20W,TP,0603            ERJ1GEJ103C
Q700      0505-002341  FET-SILICON;Si1013X-T1-GE3,P,-20V,-400mA  SI1013X-T1-GE3
UCP700    1205-004465  <Snapdragon S4 Plus>                      MSM8960
UCP700UP  1105-002388  <16 GB DRAM>                              K3PE0E000A-XGC2
-------------------------------------------------------------------------------
------------------------------------------------------------------
c1  c0  function
------------------------------------------------------------------
0   0   Emergency Boot from SDC3 (SD) followed by USB-HS
0   1   SDC3 followed by SDC1 (eMMC)
1   0   SDC3 followed by SDC2 (not used?)
1   1   SDC1 (eMMC)
------------------------------------------------------------------
c6  0 - Secure Boot
    1 - Fast Boot
------------------------------------------------------------------
Here is the MSM8960 BGA pin map showing the BOOT_CONFIG_x pads.
* ANT_SW_SEL[1,2,4] == BOOT_CONFIG_[0,1,6] are kept high through
R = [R745, R746, R747] via Q700 when MSM_RESOUT_N is high (???).
There's two things to keep in mind here... If the gate and source are connected as somewhat appears, it is called a diode-connected MOSFET and is excellent at modifying current; however, that would not be very useful because it would just be off all the time. I think the gate and source are separate but a simple multiplier test can confirm. The _N means active low, so when MSM_RESOUT_N is pulled low the three lines are pulled high through a 10k. As I stated earlier though, Qualcomm has BOOT_CONFIG_6 internally pulled low so it is odd they pull it high through a resistor instead of directly to VDD. This tells me it is a very weak pull-down internally.
I will reiterate that the internal fuse for secure boot is blown since the schematic indicates we should boot in fast boot but we do not. However, if the schematic is to be believed, perhaps the gate is tied to the source, meaning that all three pins are floating (except for BOOT_CONFIG_6, which is pulled down internally). This would produce secure boot even though the qfuse may not be blown! This also produces 00 for the boot mode, which is emergency, which is not what is happening, so maybe those fuses are blown internally as well.
By the way, I had some of this info a few posts back but I guess you didn't catch it.
Has this been confirmed?... As I stated earlier though, Qualcomm has BOOT_CONFIG_6 internally pulled low so it is odd they pull it high through a resistor instead of directly to VDD. This tells me it is a very weak pull-down internally.
I saw your post, and that's why I wrote what I did. But how can I edit my post #212 so as not to mislead anyone? (I admit to be a bit rusty on the EE details.) I will reiterate that the internal fuse for secure boot is blown since the schematic indicates we should boot in fast boot but we do not. However, if the schematic is to be believed, perhaps the gate is tied to the source, meaning that all three pins are floating (except for BOOT_CONFIG_6, which is pulled down internally). This would produce secure boot even though the qfuse may not be blown! This also produces 00 for the boot mode, which is emergency, which is not what is happening, so maybe those fuses are blown internally as well.
There's two things to keep in mind here...
1. Samsung has always used resistors between any voltage or ground source and the processor.
2. The new generation of devices which Samsung is putting out incorporate a sort of UnBrickable Mod(ish) design. You insert an SDCard, then short a resistor from one side to the other, which causes the device to boot from SDCard. The device is not a dual-boot development board as in UnBrickable Mod, but it is a temporary hardware method of altering the boot mode.
You are basing your information on the fuse being blown based on schematics. I've proven Samsung schematics wrong several times in the past. We will verify that. Also, these boot modes are important because we want to come up with a bootloader recovery.
Has anyone found the memory location of the BOOT_CONFIG register set? Testing should be real easy if someone can find that memory address.
su -c dd if=/sdcard/Downloads/aboot.img of=/dev/block/mmcblk0p5
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
adam@adam-Desktop:~/Desktop/VZWGS3$ cat ./bootimg.cfg
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name =
cmdline = console=null androidboot.hardware=qcom user_debug=31
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: str=@0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: str=@0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174515] rdev_init_debugfs: Error-Bad Function Input
[ 0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176957] sec_debug_init: enable=0
[ 0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[ .216358] msm8960_iit_cam:292]settingdone!!
[ 0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
0.25237] i2c ic-14: Can' create evice at x00
[ 0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[ .252250] 2c i2c-19:Can't crete deviceat 0x38
0.25433] rdevinit_debufs: Error-ad Functin Input
0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[ 0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[ 0.284449 smd_chanel_probe_orker: alocation tble not iitialized
[ 0.38766] pm_untime: fil to wak up
[ 0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68
[ 0362673] Iside writback_drivr_init
[ 0.36275] Insidewritebackprobe
[ 1.244803] TZCOM: unable to get bus clk
[ 1.431680] cm36651_setup_reg: initial proximity value = 3
[ 1.549671] msm_otg msm_otg: request irq succeed for otg_power
[ 1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]
[ 1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.
[ 1.583488] [__s5c73m3_probe:3818] S5C73M3 probe
[ 1.587089] [s5c73m3_sensor_probe_cb:3793] Entered
[ 1.591942] [s5c73m3_i2c_probe:3675] Entered
[ 1.596123] [s5c73m3_init_client:3381] Entered
[ 1.600579] [s5c73m3_i2c_probe:3695] Exit
[ 1.604608] [s5c73m3_sensor_probe:3726] Entered
[ 1.609095] [s5c73m3_spi_init:226] Entered
[ 1.613154] [s5c73m3_spi_probe:191] Entered
[ 1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed
[ 1.623561] [s5c73m3_sensor_probe : 3749] Probe_done!!
[ 1.672638] mmc0: No card detect facilities available
[ 1.682984] aat1290a_led_probe : Probe
[ 1.693850] msm_soc_platform_init
[ 1.697298] msm_afe_afe_probe
[ 1.843064] msm_asoc_pcm_new
[ 1.849748] msm_asoc_pcm_new
[ 2.023134] set_dload_mode <1> ( c00176d4 )
[ 2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06
[ 2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'
[ 2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'
[ 2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'
[ 2.145490] init: /init.target.rc: 73: ignored duplicate definition of service 'thermald'
[ 2.154677] init: could not open /dev/keychord
[ 2.239951] init: Device Encryption status is (0)!!
[ 2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::
[ 2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15
[ 2.588921] init: [disk_config] ext_check ->ok
[ 2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::
[ 2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17
[ 2.655333] init: [disk_config] ext_check -> ok
[ 2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::
[ 2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11
[ 2.704532] init: [disk_config] ext_check -> ok
[ 3.259056] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
[ 3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: str=@0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: str=@0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174484] rdev_init_debugfs: Error-Bad Function Input
[ 0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176926] sec_debug_init: enable=0
[ 0.177445] sc_debug_iit: restat_reason 0xdf0086c
[ 0216206] [sm8960_int_cam:299]setting one!!
[ 0.217915 select_req_plan:ACPU PVS:Nominal
0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[ 0.25207] i2c i2-14: Can'tcreate deice at 0x0
[ 0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[ 0252250] ic i2c-19: an't creae device t 0x38
[ 0.25243] rdev_iit_debugs: Error-Bd Functio Input
[ 0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
[ 0.29536] msmetm msm_em: ETM trcing is nt enable!
[ 0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[ .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60
[ 0.62734] Inide writeack_driverinit
[ 0.36285] Inside riteback_robe
[ 1.244803] TZCOM: unable to get bus clk
I have heard, but do not know, that there may be plans to get one of the developer phones into Adam's hands to extract from. That may provide insight into how to disable Qualcomm Secure Boot, no? Anyone care to shed some light on if this is still planned or not? Thanks.
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h> // htonl

typedef struct sig_ctx_t {
    int count;
    int seed[65];
    int subcheck_seed[64]; // possibly a modulus
} sig_ctx_t;

void signature_subcheck(sig_ctx_t *sig_data, int *output, int *input1, int *input2);

// sig_check_compare_result is a char[236] with the first 2 bytes 0x00, 0x01, and the rest 0xFF
extern const char sig_check_compare_result[236];

int signature_check_data(sig_ctx_t *sig_ctx, char *img_sig_data, signed int signature_len, char *sha1_of_contents) {
    int *img_ofs_0x100 = (int *)(img_sig_data + 0x100);
    int *img_ofs_0x200 = (int *)(img_sig_data + 0x200);
    int *img_ofs_0x300 = (int *)(img_sig_data + 0x300);
    int *img_ofs_0x400 = (int *)(img_sig_data + 0x400); // Temporary storage
    int count_minus_1, v18, v19;

    // Copy 0x0 block to 0x100
    memcpy(img_ofs_0x100, &img_sig_data[0], signature_len);
    // ofs_0x200 is filled with byte-swapped ints from img_ofs_0x100
    for (int i = 0; i < sig_ctx->count; i++) {
        img_ofs_0x200[i] = htonl(img_ofs_0x100[sig_ctx->count - 1 - i]);
    }
    // subcheck(sig_block *block, int *output, int *input1, int *input2)
    // multiplication maybe?
    signature_subcheck(sig_ctx, img_ofs_0x300, img_ofs_0x200, sig_ctx->subcheck_seed);
    signature_subcheck(sig_ctx, img_ofs_0x400, img_ofs_0x300, img_ofs_0x300);
    signature_subcheck(sig_ctx, img_ofs_0x300, img_ofs_0x400, img_ofs_0x200);
    if ( sig_ctx->count )
    {
        count_minus_1 = sig_ctx->count - 1;
        v18 = img_ofs_0x300[sig_ctx->count - 1];
        v19 = sig_ctx->seed[sig_ctx->count]; // seed[64]
        // v19 = *(&sig_ctx->count + sig_ctx->count + 1);
        if ( v18 >= v19 )
        {
            if ( v18 == v19 )
            {
                for (int i = 0; i < sig_ctx->count; i++) {
                    int v22 = img_ofs_0x300[sig_ctx->count - 1 - i];
                    int v23 = sig_ctx->seed[sig_ctx->count - 1 - i];
                    if (v22 < v23) {
                        goto LABEL_18;
                    }
                }
            }
            if ( sig_ctx->count > 0 )
            {
                int carry = 0;
                for (int i = 0; i < sig_ctx->count; i++) {
                    uint64_t temp = img_ofs_0x300[i] - (uint64_t)sig_ctx->seed[i + 1];
                    img_ofs_0x300[i] = img_ofs_0x300[i] - sig_ctx->seed[i + 1] + carry;
                    carry = (int)(temp >> 32); // get high 32 bits
                }
            }
        }
LABEL_18:
        // Store the calculation back into img_ofs_0x100
        for (int i = 0; i < sig_ctx->count; i++) {
            int val = img_ofs_0x300[sig_ctx->count - 1 - i];
            char *dest = (char *)&img_ofs_0x100[i];
            dest[0] = (val & 0xFF000000) >> 24;
            dest[1] = ((val & 0x00FF0000) >> 16) & 0xFF;
            dest[2] = ((val & 0x0000FF00) >> 8) & 0xFF;
            dest[3] = (val & 0xFF);
        }
        if (memcmp(img_ofs_0x100, sig_check_compare_result, 236))
            return 0;
        if (signature_len > 236) {
            // byte offset 236 into the block at 0x100
            if (memcmp((char *)img_ofs_0x100 + 236, sha1_of_contents, signature_len - 236)) // 256-236 = 20
                return 0;
            // Signature passed
            return 1;
        }
    }
    return 0;
}
// Hex-Rays / MSVC names used in the decompiler output, defined so the listing builds with GCC or Clang
#define __int64 long long
#define __fastcall
#define HIDWORD(x) ((unsigned int)((unsigned __int64)(x) >> 32))
#define __PAIR__(high, low) (((unsigned __int64)(unsigned int)(high) << 32) | (unsigned int)(low))

void __fastcall signature_subcheck(sig_ctx_t *sig_data, int *output, int *input1, int *input2)
{
    int v5; // r3@2
    int count; // r4@3
    unsigned __int64 v7; // r2@6
    unsigned __int64 v8; // r8@6
    int inner_index; // r5@7
    int block1_pos; // r4@7
    int v11; // r5@14
    __int64 v12; // r8@14
    int v13; // r6@14
    unsigned __int64 v14; // r2@15
    int v15; // kr04_4@15
    int v16; // [sp+18h] [bp-48h]@6
    unsigned int v17; // [sp+1Ch] [bp-44h]@6
    int outer_index; // [sp+2Ch] [bp-34h]@5

    if ( sig_data->count > 0 )
    {
        v5 = 0;
        do
        {
            output[v5++] = 0; // this do while is just memset(output, 0, 4 * sig_data->count)
            count = sig_data->count;
        }
        while ( sig_data->count > v5 );
        if ( count > 0 )
        {
            outer_index = 0;
            do
            {
                v16 = input1[outer_index];
                v7 = (unsigned int)v16 * (unsigned __int64)(unsigned int)*input2 + (unsigned int)*output; // v7 = input1[outer_index] * (uint64)input2[0] + output[0]
                v17 = sig_data->seed[0] * v7;
                v8 = sig_data->seed[1] * (unsigned __int64)v17 + (unsigned int)v7;
                if ( count <= 1 )
                {
                    block1_pos = 1;
                }
                else
                {
                    inner_index = 0;
                    block1_pos = 1;
                    do
                    {
                        v7 = (unsigned int)v16 * (unsigned __int64)(unsigned int)input2[block1_pos]
                           + (unsigned int)output[block1_pos]
                           + HIDWORD(v7);
                        v8 = sig_data->seed[inner_index + 2] * (unsigned __int64)v17 + HIDWORD(v8) + (unsigned int)v7;
                        ++block1_pos;
                        output[inner_index] = v8;
                        ++inner_index;
                    }
                    while ( block1_pos < sig_data->count );
                }
                output[block1_pos - 1] = HIDWORD(v8) + HIDWORD(v7);
                if ( (HIDWORD(v8) + (unsigned __int64)HIDWORD(v7)) >> 32 )
                {
                    if ( sig_data->count <= 0 )
                        return;
                    v11 = 0;
                    v12 = 0LL;
                    v13 = 0;
                    do
                    {
                        v14 = (unsigned int)output[v11] - (unsigned __int64)sig_data->seed[v11 + 1];
                        v15 = output[v11] - sig_data->seed[v11 + 1];
                        output[v11] = output[v11] - sig_data->seed[v11 + 1] + v12;
                        count = sig_data->count;
                        ++v13;
                        ++v11;
                        v12 = (signed int)((__PAIR__(HIDWORD(v14), v15) + v12) >> 32);
                    }
                    while ( v13 < sig_data->count );
                }
                else
                {
                    count = sig_data->count;
                }
                ++outer_index;
            }
            while ( outer_index < count );
        }
    }
}
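Added example, not part of the thread and not bootloader code: a Python model that follows the data flow of signature_subcheck limb by limb and tests the reading that it is a Montgomery multiplication, so that the three calls compute sig^3 mod n (RSA with public exponent 3). Assumptions: seed[0] is -1/n mod 2^32, seed[1..count] is the modulus, subcheck_seed is R^2 mod n; the helper names, the 26-word toy key built from two public primes, and the padding length scaled from the page's 236 + 20 bytes are constructed for the demonstration.

```python
import hashlib
W, MASK = 32, 0xFFFFFFFF             # limb width used by the decompiled code

def words(x, count):                 # int -> little-endian 32-bit limbs
    return [(x >> (W * i)) & MASK for i in range(count)]

def to_int(ws):
    return sum(w << (W * i) for i, w in enumerate(ws))

def make_ctx(n, count):
    # Assumed fields: seed[0] = -1/n mod 2^32, seed[1..] = n, subcheck_seed = R^2 mod n
    return {"count": count,
            "seed": [(-pow(n, -1, 1 << W)) & MASK] + words(n, count),
            "subcheck_seed": words(pow(1 << (W * count), 2, n), count)}

def subcheck(ctx, a, b):             # same data flow as signature_subcheck
    count, seed, out = ctx["count"], ctx["seed"], [0] * ctx["count"]
    for i in range(count):
        v7 = a[i] * b[0] + out[0]
        v17 = (seed[0] * v7) & MASK
        v8 = seed[1] * v17 + (v7 & MASK)
        for j in range(1, count):
            v7 = a[i] * b[j] + out[j] + (v7 >> W)
            v8 = seed[j + 1] * v17 + (v8 >> W) + (v7 & MASK)
            out[j - 1] = v8 & MASK
        top = (v8 >> W) + (v7 >> W)
        out[count - 1] = top & MASK
        if top >> W:                 # carry out of the top limb: subtract n once
            out = words(to_int(out) + (1 << (W * count)) - to_int(seed[1:]), count)
    return out

def cube_mod(ctx, s):                # the three subcheck calls plus the final reduction
    a, n = words(s, ctx["count"]), to_int(ctx["seed"][1:])
    t = subcheck(ctx, a, ctx["subcheck_seed"])          # s * R mod n
    t = to_int(subcheck(ctx, subcheck(ctx, t, t), a))   # s^2 * R, then s^3
    return t - n if t >= n else t

def signature_check(ctx, sig, sha1_of_contents):
    size = 4 * ctx["count"]          # 256 on the page: 236 padding bytes + 20 hash bytes
    em = cube_mod(ctx, int.from_bytes(sig, "big")).to_bytes(size, "big")
    return em == b"\x00\x01" + b"\xff" * (size - 22) + sha1_of_contents

# Constructed toy key (not a device key): two public primes, each 2 mod 3.
P, Q = 2**384 - 2**128 - 2**96 + 2**32 - 1, 2**448 - 2**224 - 1
CTX = make_ctx(P * Q, 26)            # 832-bit modulus = 26 limbs, top bit set

def toy_sign(data):                  # private-key side, only to build a sample
    em = b"\x00\x01" + b"\xff" * 82 + hashlib.sha1(data).digest()
    d = pow(3, -1, (P - 1) * (Q - 1))
    return pow(int.from_bytes(em, "big"), d, P * Q).to_bytes(104, "big")
```

If cube_mod agrees with pow(s, 3, n) for every input, the "multiplication maybe?" and "possibly a modulus" guesses in the listing are consistent with a standard e = 3 RSA verification over a SHA-1 digest.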