The opening of the Wave bootloader through FOTA

adfree (Senior Member)
This time my tests are with all files from XXJL2. :D

1.
I've tried bplib_S8500OpEuro_XXJL2_mijoma_upload.zip

Result: black screen. No reaction on the OFF button. So I removed the battery... then I was able to go back to Download Mode.

No idea if it's the same as Upload, only without text... but no reaction on the button is different.

2.
I've filled all data with FF before the last 1024 bytes... an empty FOTA.
Then I saw for the first time:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FOTA Engine is not installed
Plz install below FOTA Eng.
(FOTA_ENGINE_VER_INFO_2.0)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Aha. Never seen before, only read about it from other users...

But here again you can press OFF for several seconds, then the handset restarts.
And you can go back to Download Mode...

With my empty file I'll test XEKC2 again, to see if maybe FOTA is completely disabled...

Best Regards

Edit 1.
I did several tests...

apps_compressed.bin is involved again... not only the bootloader...

XXJL2 apps_compressed.bin + FOTA mod = works
Change only apps_compressed.bin, from XEKC2 for instance, then the complete FOTA is ignored. I've tested with my empty file...

I think this is the reason why I failed on JE7...

So no waste of time doing this on other firmware. Only XXJL2 apps_compressed.bin + BOOT from XXJL2.

mijoma (Retired Recognized Developer)
Thanks adfree for that test. Yesterday evening I noticed that I had made a stupid mistake and was looking at the other bootloader (XXJEE) when creating the bplib_S8500OpEuro_XXJL2_mijoma_upload file. I edited my post: renamed the file that was there to represent its contents and added a correct bplib_S8500OpEuro_XXJL2_mijoma_upload2 for XXJL2 with an indication that this is version 2.
Can you check that one when you have some time?

Thanks and sorry for the mistake.
mijoma

adfree (Senior Member)
Thank you mijoma

This time it works. :cool:

But now exactly this happens. I don't know how to connect. No COM port...
:confused:
http://xdaforums.com/showthread.php?t=928170

BT? Wifi? Or maybe serial cable?
http://xdaforums.com/showthread.php?t=919569

Upload data to PC sounds nice, but I don't know how to use it. :( :confused:


New Ideas about FOTA. :D

- maybe as a repair solution... some users have a bootcycle and no more access with sTune
Maybe it's possible to set the Wave into some mode where access to the filesystem is possible...

- other idea... maybe some tweaks in apps_compressed.bin are possible...


Thank you.

Best Regards
 

mijoma (Retired Recognized Developer)
Another interesting test.

This time we completely remove the original FOTA code, but jump to normal boot after execution of our FOTA. That, however, has one exception: when the phone is powered on while holding the "Call key" (the one that's used for receiving calls), the well-known white screen with information about hwrev and the keys pressed during power-up appears.
It should look something like this:

Key pressed 0 0
Key pressed 1 0
Key pressed 0 0
Key pressed 0 0
Key pressed 0 0

where the values represent keys as per the map below

MENU --- RFU(0)
CALL ---- CAM
VOL_D -- RFU(0)
CAM ---- VOL_U
LOCK --- RFU(0)

Summarizing, the FOTA file attached should allow normal boot if nothing is pressed during power-up and show a screen if you hold the Call key.

Let me know how that works for you, as this will be important for the possibility of executing certain functionality (i.e. boot from SD) based on key combinations.

Remember that the file is intended for use with the XXJL2 bootloader only; pressed-key information and display handling are done using the original bootloader.

Best Regards,
mijoma

Attachment: mijoma_dummyFota_XXJL2_rev_key.zip

mijoma (Retired Recognized Developer)
Could you describe what happened after you loaded the file: how did the phone behave when started without holding the Call key? Did it boot the system normally or did you get a black screen?
The second thing is what happened when you held the Call button (along with the power button)? Did the phone boot or not?

Best Regards,
mijoma

adfree (Senior Member)
Without attached cable

I pressed Call first, then ON.
Held both buttons...
Then it looked like a bootcycle... only the Wave logo...

I think I turned it off again by holding...


Other test:
First ON
Hold
Then several clicks on Call...

Same, Wave logo... then reboot. Again, I think I ended by holding the ON/OFF button.

Third test.
Short ON, then I release the button.
Hold Call...

Wave starts normally...

Best Regards
 

mijoma (Retired Recognized Developer)
adfree said:
> Without attached cable
>
> I pressed Call first, then ON.
> Held both buttons...
> Then it looked like a bootcycle... only the Wave logo...
>
> I think I turned it off again by holding...
>
> Other test:
> First ON
> Hold
> Then several clicks on Call...
>
> Same, Wave logo... then reboot. Again, I think I ended by holding the ON/OFF button.
>
> Third test.
> Short ON, then I release the button.
> Hold Call...
>
> Wave starts normally...
>
> Best Regards

That's strange. I tried with my friend's phone and it worked perfectly as I assumed (meaning we can possibly differentiate behaviour based on the key combination). Are you sure you have XXJL2? I'll have to investigate the issue further.

Best Regards,
mijoma

nbates66 (Senior Member)
I've had success using your last FOTA file mijoma. I'm using XXJL2 firmware but had to update the bootloader with the XXJL2 bootloader that you linked us to; holding the Call and power buttons gets the white screen with hwrev and the button-pressed text, the power button alone boots as normal.

hwrev = 0E

adfree (Senior Member)
mijoma said:
> Are you sure you have XXJL2?

:eek:

Sorry, my fault again. I often jump between different firmwares...
So I forgot to update back to the XXJL2 boot. :eek:

It's no sabotage. Only a dumb mistake from me. :p

mijoma_dummyFota_XXJL2_rev_key.zip works. :cool:
Thank you very much.
Really good work.

Maybe the next step is to start something from SD?
A text file? To show another message?

Best Regards
 

adfree (Senior Member)
During logging "Boot" I saw something like this:
/User/Mass/SyncML/Fota

At this time I can't find this folder...

Will try digging deeper...

Hmm. Correction. I found an empty file FotaStatus.txt in that folder.
But maybe it's a hidden folder...

Best Regards

Edit 1.:

I mean maybe for the first test(s) internal memory is "easier" to handle instead of access to the SD card.

adfree (Senior Member)
/User/Mass/SyncML/Fota/.bplib_apply.backup
/User/Mass/SyncML/Fota/2400258.cfg
/User/Mass/SyncML/Fota/Fota_Update_Needed.txt
/User/Mass/SyncML/Fota

/Media/Others/delta.bin
/Debug/Fota_Language.txt
/Debug/PfsFlag.txt

/User/tfs4SharedQuotaGarbageFile

Several other folders are in the FOTA file... so I think FOTA has access to these folders/files.

Maybe for a test it is "easier" to use internal memory to inject "Android starting code".
Maybe SD card access is locked by some "funny" security thingies...


Best Regards
 

mijoma (Retired Recognized Developer)
adfree said:
> /User/Mass/SyncML/Fota/.bplib_apply.backup
> /User/Mass/SyncML/Fota/2400258.cfg
> /User/Mass/SyncML/Fota/Fota_Update_Needed.txt
> /User/Mass/SyncML/Fota
>
> /Media/Others/delta.bin
> /Debug/Fota_Language.txt
> /Debug/PfsFlag.txt
>
> /User/tfs4SharedQuotaGarbageFile
>
> Several other folders are in the FOTA file... so I think FOTA has access to these folders/files.
>
> Maybe for a test it is "easier" to use internal memory to inject "Android starting code".
> Maybe SD card access is locked by some "funny" security thingies...
>
> Best Regards

No, it's not this. The FOTA bootloader code (not called from user mode after system boot) is basically the very same, including all permissions, as the rest of the bootloader. Calling the FOTA code is done by just jumping there. No additional security layer or anything. If you look at the original FOTA code you'll find that it implements all the same as the bootloader (i.e. it does the authentication of components that were downloaded over-the-air), so you can do exactly the same stuff.
The problem with mounting the SD is of a rather different nature. It's a bit easier to analyse the execution flow than to actually use the existing bootloader code in the right way. It's not rocket science, but it requires time that I don't really have plenty of.
 

Rebellos (Senior Recognized Developer)
Ahoy!
I must say that I'm a total beginner in reverse engineering mobile systems. I'm more experienced in x86 and higher-level things than in kernel things.

But I bought a Wave II a week ago, and I know its hardware is almost the same as the Galaxy S. So I thought "it would be fun to boot Android on the Wave", and here I come.

As the most advanced thing I've achieved with an ARM machine was updating my HTC Touch system, I've got some questions for you before I start messing around with the Wave.
As far as I understand, the biggest problem here is working around Samsung's bootloader protection.
So, what tools do I need if I want to inject my own binary code into the FOTA mechanism? Do I need to do it by a modded firmware update, modifying the update file from Samsung? How do I get this "basefile" if my Wave II software seems to be the updated one?
What is JTAG? Is it some kind of external machine using internal phone pins to interact directly with the chipset, or what?
What is Download Mode? Is it a firmware update mode? Is it possible to update everything through it (including the bootloader) or just "normal" OS files?
What kinds of memory have we got, and what is each used for? We have RAM, CPU registers, flash NAND memory (does the handset store all data, including boot sectors, here or somewhere else?), eventually an SD card, and... is there something more, or did I confuse something?
Or, in other words, I love experimenting, so please just tell me what is better NOT to do and what fail-safe routines the phone has if a bootloader update fails. I'm conscious that it's easy to break the handset while updating the bootloader and that it's possible to recover it only by external interference with the flash memory; is it possible to break it by updating other (OS/kernel) files? Or, in the worst case, is the update mode always handled by the bootloader (is it?) and I just need reflashing to bring back the functionality?

I searched around a bit, so if I get it right the firmware updater checksums almost every file inside the update pack except the eventual FOTA ones, which allows redirecting control flow from the bootloader to our own code.

Do you think there is a big chance of making my Wave II useful only as a paperweight if I start to mess with its internals while being careful? (I know, it's kind of mutually exclusive.)

Sorry for so many questions. Thanks in advance if anyone bothers answering; probably almost no one will care to read the book I've written. I won't cut myself if you blame me for trying something I totally don't get. But IMO everyone starts like that or worse. I'm happy to see a lot of advanced guys who can help me, of course if you want to.

Regards

Top Liked Posts

Hi everyone,

Many people have complained about the Wave bootloader being closed and that being a major problem for the development of an alternative OS.

I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.

OK, that said, I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this the bootloader will run the phone in normal boot mode, or go to download or upload mode.

Normal boot starts with checking the FOTA module. If you have already tried flashing your phone you probably noticed that some versions of the FW include a file with a *.fota extension. The file is unencrypted and not signed. It's about 2 MB, but the bootloader reserves exactly 3 MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for the Wave. You may read something about the design and get a concept of that process here:
http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") at 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not installed" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in download mode to load it.
After that, the code checks for an additional magic value at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file are loaded to RAM location 0x43800000 and executed from there.

I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual one attached (to be bigger than 2.5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded, so insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at offset 0x100 and "BPDZ" at 0x280000. At offset 0 I placed my code, which started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading the original FOTA file made the phone boot normally.

The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in memory as well, we can use it, but I would not recommend that approach as we would need additional version control and to change original routines and data addresses for each version.

OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.

Best Regards,
mijoma


-----------------------------------
Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
Thanks guys, but I don't think it's necessary.
I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.
> mijoma, along with Oleg_k, are you working to complete the project for the bada and Android research to launch the S8500 via FOTA mode? I would like to ask what the progress is.
> ps: sorry for the stupid question of my little
> I use Google Translate

Quite honestly, I haven't got enough time for this. I've made attempts to mount the SD through FOTA, but with little success. It's not that hard, but it seems I'm missing some detail.

As for the Android porting project, I extracted some LCD handling code and made some modifications to the SGS bootloader to match the GPIOs in the Wave, but that's all.

In the first post of the thread I've already stated that I hope somebody can take it from here. The method is served on a plate and has almost no limitations: full memory and device access, original BL loaded in DRAM (may think about patching). All you need is to write some pieces of code and test them. What I don't get is how the Samsung Jet community gathered bright enough guys to do all that stuff while Wave owners wait for somebody else to do that job for them, offering donations to everybody asking, even without the skills. You won't ever finish your porting projects if you're planning to base them on 2-3 guys. Better find yourselves some reverse engineers and developers.

I've helped as I could and I'm already reaching my time limit for the next several months.
Then obviously I did something wrong; done with manual single-byte conversion, it works well too. :)

Mwahahah!
Sorry if my code looks like cow's ****, it's my first own asm code. :D

Remember to include the proper addresses and modify the Multiloader header if you want to test it on the S8500.

//edit:
Okay, does anyone want to do a real file explorer and manager for the Wave? Touchscreen handling and some ops left to do. :D

//edit2:
The SD card doesn't seem to be mounted by default, so a year of struggles ahead!
After a week of research I found it!
We hadn't loaded the PBL as we thought it unnecessary. But it has a very important role. It does a complete reinitialization of the DDR controller MPC0, mapping chip0 to the 0x30 address space (by default it is under 0x20) and chip1 under 0x40 (it does some kind of switching, because before that chip1 is being controlled by MPC1 as chip0).

For now I've copied parts of the PBL code to FOTA, and am now waiting for Serg to do some tests. Of course I'd be very surprised if that were enough to boot the kernel, but we're closer for sure!