Achievements Thread (Interop Unlock, Full Unlock, Custom ROMs) BootLoader Background


ceesheim

Retired Forum Moderator
Jun 11, 2009
3,457
2,287
No Android Fanboys Please !!!
Because it's still a mess here at the WP8 Hack&Dev Forums, I will dedicate this thread to clearing up what is already possible with our WP8 phones and what is still "in progress".


  1. Dev unlock:
  2. Interop unlock:
  3. Modded boot loader:
  4. UEFI Hacking:
  5. Custom Rom:
  6. Flashing:
  7. Full Unlock:

  1. You can make a dev account at MS.
    http://forum.xda-developers.com/showthread.php?t=2395398
  2. [XAP][GUIDE] Interop Unlock for WP8 + all Capabilities
    It's currently limited to SAMSUNG phones
    http://forum.xda-developers.com/showthread.php?t=2435697.
    At this point, you will be able to sideload any capability, even the ones used for built-in apps and services
    However, there appear to still be restrictions, even with a capability such as ID_CAP_BUILTIN_TCB. Heathcliff74 and GoodDayToDie are working to overcome these restrictions
    This list is *just* the ones from Interop-unlock; it does not include the ones from EnableAllSideloading

    • ID_CAP_CALLMESSAGING_FILTER
    • ID_CAP_CAMERA
    • ID_CAP_CELL_API_COMMON
    • ID_CAP_CELL_API_LOCATION
    • ID_CAP_CELL_API_OEM_PASSTHROUGH
    • ID_CAP_CELL_API_UICC
    • ID_CAP_CELL_API_UICC_LOWLEVEL
    • ID_CAP_CELL_WNF
    • ID_CAP_CSP_FOUNDATION
    • ID_CAP_CSP_MAIL
    • ID_CAP_CSP_OEM
    • ID_CAP_CSP_W4_APPLICATION
    • ID_CAP_CSP_WIFI_HOTSPOT
    • ID_CAP_DEVICE_MANAGEMENT
    • ID_CAP_DEVICE_MANAGEMENT_ADMIN
    • ID_CAP_DEVICE_MANAGEMENT_BOOTSTRAP
    • ID_CAP_DEVICE_MANAGEMENT_SECURITY_POLICIES
    • ID_CAP_DU_MIGRATOR_STATUS_OEM
    • ID_CAP_OEM_DEPLOYMENT
    • ID_CAP_INTERNET_EXPLORER_FAVORITES
    • ID_CAP_INTERNET_EXPLORER_SEARCH_PROVIDER_KEYS_HKCU
    • ID_CAP_INTEROPSERVICES
    • ID_CAP_KIDZONE_CUSTOMIZATION
    • ID_CAP_MAP_WRITE
    • ID_CAP_MEDIALIB_PHOTO_FULL
    • ID_CAP_NETWORKING_ADMIN
    • ID_CAP_OEM_ADC
    • ID_CAP_OEMPUBLICDIRECTORY
    • ID_CAP_PEOPLE_EXTENSION
    • ID_CAP_PEOPLE_EXTENSION_IM
    • ID_CAP_PEOPLE_EXTENSION_MOBILE
    • ID_CAP_PERSONAL_INFORMATION_IMPORT
    • ID_CAP_RUNTIME_CONFIG
    • ID_CAP_SMS_INTERCEPT_AGENT
    • ID_CAP_SMS_INTERCEPT_RECIPIENT
    • ID_CAP_SYNC_EXTENSION
    • ID_CAP_VOICEMAIL
    • ID_CAP_WALLET_SECUREELEMENT
    • ID_CAP_WIFI_BASIC

  3. Modded Boot loader (I mean Retail) isn't there yet for real wp8 phones.
    A NON public bootloader/magldr/UEFI is made by Cotulla for the HD2.
  4. UEFI Hacking/Extracting is a work in progress ( http://forum.xda-developers.com/htc-8x/development/htc-8x-wp8-gdr2-uefi-extracted-cab-t2843827 )
  5. Custom rom is there for only 1 phone and that is the Huawei W1
    this is in REALLY beta state and not public
    http://forum.xda-developers.com/showthread.php?t=2321642
  6. Flashing isn't a work in progress because there isn't a real need for it as of now
  7. Full Unlock is in early progress but non public
 

ceesheim

Tools & Apps

  1. (FFU) ImgMount Tool v.1.0.15
    http://forum.xda-developers.com/showthread.php?t=2066903
  2. [XAP] SamWP8 Tools. System tools for Samsung. Based on Diagnosis.
    http://forum.xda-developers.com/showthread.php?t=2435673
  3. [XAP] Interop Unlock Helper app for Samsung WP8 phones
    http://forum.xda-developers.com/showthread.php?t=2434884
  4. [PROXY] Everything at once
    http://forum.xda-developers.com/showthread.php?t=2400715
  5. [TOOLS] Samsung WP8 ROM extracting/packing Tools
    http://forum.xda-developers.com/showthread.php?t=2429741
  6. [XAP][SOURCE] Native Toast Notification Launcher
    http://forum.xda-developers.com/showthread.php?t=2398275
  7. [XAP][Source] Webserver v0.4.6 (bugfixes, MultiStrings, permissions, NativeAccess)
    http://forum.xda-developers.com/showthread.php?t=2355034
  8. [XAP][SOURCE] WP8 Registry Tools
    http://forum.xda-developers.com/showthread.php?t=2395480
  9. [EXE] [1.7.5] Store OEM Changer
    http://forum.xda-developers.com/showthread.php?t=2412713
  10. Nokia Developer - Remote Device Access (Diag Tools for Lumias)
    http://forum.xda-developers.com/showthread.php?t=2450684
  11. [XAP][01.10.2013] Update: PDF to Office V1.2 for interop-unlocked Samsung devices
    http://forum.xda-developers.com/showthread.php?t=2462257
  12. [XAP][TOOL] EXPERIMENTAL: WPH Tweaks
    http://forum.xda-developers.com/showthread.php?t=2486387
 

ceesheim

WP8 BootLoader Background.

WP8* phones MUST be Q-fuse protected by MS (retail), this means that potential holes must go through a road that isn't there anymore.

Then IF you found a way to get into the phone, the chain of trust starts.

PBL:

Code:
PBL

• RPM processor starts executing PBL in boot ROM
• PBL determines cold boot or warm boot
• PBL increases RPM clock speed from XO to 60 MHz
• RPM processor start address is 0x0
• For cold boot, next step is to detect Flash device that chip will boot from, 
  based on the boot options
• When detected, PBL downloads SBL1 (RPMSBL) from Flash to System IMEM
• SBL1 authenticates SBL2 (Krait PBL)
• RPM uses Crypto Engine 4.0 to authenticate images
• SBL1 jumps to start of SBL2 (Krait PBL)

SBL1

• SBL1 configures MIMEM and GMEM, then loads and authenticates the SBL2 there;
  MIMEM is 192 KB, so when SBL2 grows, it will spill to GMEM
• SBL1 takes Krait out of reset
• SBL1 waits for signal from Krait SBL
• When desired signal is received, SBL1 executes RPM firmware, 
  which is downloaded by SBL2
• If RPM firmware image authentication/download fails, Krait SBL2 resets MSM and 
  enters into Boot ROM Emergency Download mode

SBL2

• After being taken out of reset, Krait jumps to start of SBL2
 - Krait boot address is software-configurable via register APCS_START_ADDR
• SBL2 increases Krait clock speed
• SBL2 downloads TZ image to TZ-dedicated system IMEM
  - TZ image occupies at least 188 KB in system IMEM
  - TZ image sets up security environment (configures xPU, etc.)
• SBL2 authenticates TZ image
  - SBL2 uses CE-4.0 to perform authentication
• SBL2 downloads RPM firmware to Code RAM and authenticates it
• SBL2 configures DDR
• SBL2 sends RPM firmware-ready signal to RPM and lets RPM continue to 
  execute RPM firmware
• SBL2 jumps to SBL3

SBL3

• SBL3 bumps the system clock
• SBL3 loads and authenticates APPSBL
• SBL3 waits for the RPM process ready interrupt
• Once the interrupt is coming, SBL3 jumps to APPSBL

The primary processor boots first, executing the Primary Boot Loader (PBL) from on-board ROM.

The MSM platform has the facility to force Secure Boot using the status of the FORCE_TRUSTED_BOOT Qfuse on-chip or a high-state BOOT_SCUR pin connected to GPIO95. In this mode the PBL verifies the signature of the SBL/OSBL before executing it, which verifies the REX/AMSS signature in the same way.

(AMSS is the Qualcomm radio software (radio/baseband).)

(AMSS is the Advanced Mobile Subscriber Software that runs on the ARM9 CPU in our phones, it is a complete embedded OS using the L4 microkernel and controls the RF interface, power management and some other things)

PBL reads the Device Boot Loader (DBL) from the first partition of the flash memory device.

DBL is part of Qualcomm's SecureBoot, which uses cryptography to guarantee that the boot-loader images haven't been tampered with. DBL configures the Cryptographic Look-aside Processor (CLP), a dedicated cryptographic co-processor, and other hardware sufficient to load and execute the Secondary Boot Loader (SBL)

The SBL, also known as the Operating System Boot Loader (OSBL), is loaded.
It provides an Extensible Firmware Interface (EFI) -like environment for controlling the boot process.
After doing more hardware configuration including UARTs and USB (for potential remote console connections to the monitor) it loads the Applications processor Secondary Boot Loader (APPSBL) on the ARM11 applications processor

It then loads and executes the combined REX/AMSS
Finally on the ARM9 REX executes the Advanced Mobile Subscriber Software (AMSS).

After the SoC Vendor part is done the second part starts:

faais6.jpg


Now the OS gets loaded, and the real fun starts
Nothing is unbreakable, but MS has 20 years NT kernel dev time in it (wp8* uses the same kernel as win) and made it damn bulletproof.

The thing is that we are not even in the phone yet, no bootloader hack.
JTAG is nice but only a few will ever do that, and nobody will hack the whole OS just for JTAG that actually no one will use.

Some background information and data sheets:



On the HTC 8X, xboxmod found a hole by flashing a "bad" UEFI.
The phone boots into Emergency Download mode (because it's a soft brick).
This (only found on HTC because it lets you flash unsigned files) "COULD" be a potential thing to explore !!!
But as you can see, this is pretty dangerous to do because you actually NEED to brick your phone to get there.
The next thing to know is that xboxmod needed to send his phone to the repair center to repair it again !!!

Code:
• If RPM firmware image authentication/download fails, Krait SBL2 resets MSM and 
  enters into Boot ROM Emergency Download mode
So the conclusion of this is:
WE HAVE A LONG LONG WAY TO GO :D
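
A small model of the chain of trust described in the post above, as an added example that is not part of the original post or of any vendor code. It assumes SHA-256 digest pinning in place of the signature checks done by the Crypto Engine, assumes every failed check (not only the RPM firmware one) ends in Emergency Download mode, and uses constructed image contents; `Image`, `build_flash`, `tamper` and `boot` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, field

# Which stage authenticates which images, following the boot listing in the post.
BOOT_ORDER = {"SBL1": ["SBL2"], "SBL2": ["TZ", "RPM_FW", "SBL3"], "SBL3": ["APPSBL"]}

@dataclass
class Image:
    name: str
    code: bytes
    pins: dict = field(default_factory=dict)  # child name -> expected SHA-256

    def blob(self) -> bytes:
        # Pins are part of the authenticated bytes, so re-pinning changes the digest.
        return self.code + repr(sorted(self.pins.items())).encode()

def digest(image: Image) -> str:
    return hashlib.sha256(image.blob()).hexdigest()

def build_flash():
    """Constructed sample flash; returns (flash, pin of SBL1 held by the boot ROM)."""
    flash = {}
    for name in ["APPSBL", "SBL3", "TZ", "RPM_FW", "SBL2", "SBL1"]:  # leaves first
        pins = {c: digest(flash[c]) for c in BOOT_ORDER.get(name, [])}
        flash[name] = Image(name, f"{name}-v1".encode(), pins)
    return flash, digest(flash["SBL1"])

def tamper(flash, name, code, pins=None):
    """Copy of flash with one image replaced; pins default to the original ones."""
    out = dict(flash)
    out[name] = Image(name, code, dict(flash[name].pins if pins is None else pins))
    return out

def boot(flash, rom_pin, force_trusted_boot=True):
    """Walk the chain; return (final_state, trace of per-image check results)."""
    trace = []

    def authenticate(name, expected):
        # With the fuse unset (modelled by the flag) nothing is verified at all.
        ok = not force_trusted_boot or digest(flash[name]) == expected
        trace.append(f"{name}:{'ok' if ok else 'FAIL'}")
        return ok

    if not authenticate("SBL1", rom_pin):  # PBL in ROM checks the first stage
        return "EMERGENCY_DOWNLOAD", trace
    pending = ["SBL1"]
    while pending:
        stage = flash[pending.pop(0)]
        for child in BOOT_ORDER.get(stage.name, []):
            if not authenticate(child, stage.pins.get(child)):
                return "EMERGENCY_DOWNLOAD", trace
            pending.append(child)
    return "APPSBL", trace

if __name__ == "__main__":
    flash, rom_pin = build_flash()
    print(boot(flash, rom_pin))
    print(boot(tamper(flash, "RPM_FW", b"modified"), rom_pin))
    print(boot(tamper(flash, "RPM_FW", b"modified"), rom_pin, force_trusted_boot=False))
```

Because each stage's pins are covered by its parent's digest, replacing an image and re-pinning it in its parent only moves the failure one stage closer to the ROM.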
 

Top Liked Posts

    Links to reg hack threads.

    1. Samsung ativ s - registry hacks
      http://forum.xda-developers.com/showthread.php?t=2434959
    2. WP8 Diagnostics and Hidden Apps Thread
      http://forum.xda-developers.com/showthread.php?t=2311626