
The opening of the Wave bootloader through FOTA

By mijoma, Retired Recognized Developer on 3rd April 2011, 03:10 PM
Hi everyone,

Many people have complained about the Wave bootloader being closed and that being a major problem for the development of alternative OSes.

I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.

OK, that said I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the boot mode. This is the place that checks the key combination, JIG and possible problems. Based on this, the bootloader will run the phone in normal boot mode, or go to download or upload mode.

Normal boot starts with checking the FOTA module. If you have already tried flashing your phone you probably noticed that some versions of the FW include a file with the *.fota extension. The file is unencrypted and not signed. It's about 2 MB, but the bootloader reserves exactly 3 MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (the text "FOTA_ENGINE_VER_INFO_2.0") at 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in download mode to load it.
After that, the code checks for an additional magic value at 0xC880000. If it is "BPDZ", it jumps to the code in the FOTA file. The contents of the file are loaded to RAM location 0x43800000 and executed from there.

I've made an experiment as a proof of concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual one (to be bigger than 2.5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded, so insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at offset 0x100 and "BPDZ" at 0x280000. At offset 0 I placed my code, which started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading the original FOTA file made the phone boot normally.

The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in memory as well, we can use it, but I would not recommend that approach, as we would need additional version control and to change the original routine and data addresses for each version.

OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick it up from where I finished and develop a decent loader, leaving the original files (apart from FOTA) untouched.

Best Regards,

Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with the XXJL2 bootloader.
22 users thanked mijoma for this post.
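An added inspection script, not part of mijoma's post or his attached file: it applies the layout the post describes (version magic at offset 0x100, "BPDZ" at 0x280000, the 3 MB reservation and the unloaded final 1024 bytes) to a FOTA image and reports whether the XXJL2 bootloader would treat it as a normal engine or jump into unsigned code, so a modified image can be recognised before it is flashed. The FotaReport fields, the function names and the constructed sample images are this example's own assumptions.

```python
# Added example: inspects a Samsung Wave (S8500) *.fota image using the layout the post
# describes. Address constants come from the post; everything else is assumed here.
from dataclasses import dataclass
from typing import Optional

FOTA_NAND_BASE = 0xC600000          # NAND address the bootloader reads the module from
FOTA_RESERVED = 3 * 1024 * 1024     # bootloader reserves exactly 3 MB for it
FOTA_RAM_BASE = 0x43800000          # RAM address the module is copied to and run from
VERSION_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
VERSION_OFFSET = 0xC600100 - FOTA_NAND_BASE   # 0x100 into the file
JUMP_MAGIC = b"BPDZ"
JUMP_OFFSET = 0xC880000 - FOTA_NAND_BASE      # 0x280000 into the file
TAIL_NOT_LOADED = 1024              # post: the last 1024 bytes are never loaded


@dataclass
class FotaReport:
    size: int
    fits_reservation: bool
    version_ok: bool
    jump_magic_present: bool        # True: boot transfers control to code at offset 0
    entry_ram_address: Optional[int]
    verdict: str


def inspect_fota(image: bytes) -> FotaReport:
    """Evaluate the checks the bootloader performs, in the order the post gives them."""
    loaded = image[: max(0, len(image) - TAIL_NOT_LOADED)]  # bytes that actually reach RAM
    fits = len(image) <= FOTA_RESERVED
    version_ok = loaded[VERSION_OFFSET : VERSION_OFFSET + len(VERSION_MAGIC)] == VERSION_MAGIC
    jump = loaded[JUMP_OFFSET : JUMP_OFFSET + len(JUMP_MAGIC)] == JUMP_MAGIC
    if not fits:
        verdict = "image larger than the 3 MB FOTA region"
    elif not version_ok:
        verdict = "bootloader would stop with a FOTA Engine error"
    elif jump:
        verdict = "unsigned code at offset 0 would run from RAM at boot"
    else:
        verdict = "normal boot: engine present, no BPDZ jump"
    return FotaReport(len(image), fits, version_ok, jump,
                      FOTA_RAM_BASE if jump else None, verdict)


def build_sample(with_jump: bool, size: int = 0x290000) -> bytes:
    """Constructed test image (not a real firmware file) laid out as the post describes."""
    buf = bytearray(size)
    buf[VERSION_OFFSET : VERSION_OFFSET + len(VERSION_MAGIC)] = VERSION_MAGIC
    if with_jump and size >= JUMP_OFFSET + len(JUMP_MAGIC):
        buf[JUMP_OFFSET : JUMP_OFFSET + len(JUMP_MAGIC)] = JUMP_MAGIC
    return bytes(buf)
```

A marker placed inside the final 1024 bytes is reported as absent, which is exactly the trap the post warns about when sizing a modified file.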
3rd April 2011, 03:26 PM |#2  
guari, Senior Member
Very interesting ... great job
3rd April 2011, 05:47 PM |#3  
Senior Member
My little knowledge/experiments...

Before, I NEVER updated FOTA manually. I never saw any errors like other users... with FOTA not installed or something similar.
Maybe the reason is that my test device has NO active SIM card, so no network...

I've tested the examples from mijoma. On XXJL2 Boot...
Simply flash only FOTA with Multiloader.
At your own risk. Not all side effects known.
I had NO problems.

Results... I can't see anything special after flashing. But I can go through the internal menu, see pictures.
Normally I have more messages... but with the modified FOTA, Wave restarts. So the way is correct.

Delta files are sometimes in firmware also with Boot... I will add next a link to what I found about Delta files...
Delta files are part of the FOTA concept...

Depends on firmware... Software update... but sometimes this point is removed and I can't log in, because no network...

In other words, I have to start FOTA over this internal menu to see that it is doing something.

Best Regards
Attached thumbnails: FOTA1.jpg, FOTA2.jpg, FOTA3.jpg, FOTA4.jpg
2 users thanked adfree for this post.
3rd April 2011, 06:02 PM |#4  
OP Retired Recognized Developer
I think you are testing the previous version. Could you confirm you are using mod version 2?

Best Regards,
1 user thanked mijoma for this post.
3rd April 2011, 06:25 PM |#5  
Senior Member

You are right, not tested yet. Only the prior version.
I will test mod2 today and report later.

I have to flash back to XXJL2... as I am currently playing with Orange JE7.

Thank you.

Best Regards
3rd April 2011, 09:26 PM |#6  
Junior Member
YT: watch?v=A35k3E1F1O4

It's working....

Best regards.
2 users thanked jedil1 for this post.
3rd April 2011, 09:58 PM |#7  
Senior Member
Amazing job dude. It seems like this could help us change the boot stuff.
4th April 2011, 12:25 AM |#8  
Senior Member
Nice work mijoma !!!
4th April 2011, 04:01 AM |#9  
Senior Member

I can confirm it works.

Now I see the same as on this video:

Thanks jedil1 for the link.

Sorry mijoma.

I have no idea where I made the mistake...

This time my first test was a Full Flash (without Boot)...
Second only FOTA and it works too... Original, then yours...

If you flash "Full", then you interrupt the Index process at start, where the Blue Screen shows...

Best Regards
4th April 2011, 05:50 AM |#10  
Retired Recognized Developer
Great job!!!
And in my opinion, this is a single way to start a fully working Android on S8500,
because we need to initialize the modem at the bootloader stage for the fuel gauge.
I temporarily use the modem from m130k without fuel gauge.
4th April 2011, 07:23 AM |#11  
Senior Member
A few firmware packages have Delta files:
Around 16 MB...

If I use Google for "Delta Files FOTA"... then I can also find this:

What we also can do with this security hole:
- maybe "move" the System folder to SD or internal memory, to have no more problems with RC1
- maybe someone is smart enough to integrate a dump function to dump the whole RAM or moviNAND... like JTAG

See the Upload function...

Best Regards
1 user thanked adfree for this post.