please remove this thread

Status
Not open for further replies.

jerpelea

Senior Recognized Developer
Progress Summary

1. dumped system.sin - ok
2. dumped root.sin - ok
3. dumped recovery.sin - ok
4. analysed loader.sin - ok
5. created custom rom - ok (just reconstructed dumped SE rom)
6. flash tools for signed files - ok (now you can unbrick your device)
7. investigated recovery.sin - ok (is almost the same as boot.sin)
8. developer loader.sin - searching (essential for unsigned files)
9. flash unsigned files - no (essential for root and custom roms)

Tested
1. all key combinations at boot
- left key during boot - safe mode
- right key during boot - 5 seconds into flash mode
2. service menu - in lock screen Menu, Back, Back, Menu, Back, Menu, Menu, Back
3. flashed boot.sin as recovery.sin - phone boots normally and in safe mode
4. flashed broken recovery.sin - phone does not boot (! appears in yellow triangle)
 

jerpelea

Senior Recognized Developer
tutorials & scripts

rip_loader_cert.sh
# carve the DER root certificate embedded in loader.sin (byte offset and length of the SEQUENCE)
dd if=loader.sin bs=1 skip=54 count=446 > S1_Loader_Root_f851.cer
# carve the 128-byte RSA-signed hash block that follows the certificate (128 bytes = 1024-bit modulus)
dd if=loader.sin bs=1 skip=503 count=128 > loader.hashRSA
# everything after the signature block is the loader payload itself
dd if=loader.sin bs=1 skip=631 > loader.bin

extract-ramdisk.sh
# the gzip'd cpio ramdisk starts at this byte offset inside boot.sin
dd if=boot.sin bs=1 skip=4916769 > ramdisk.gz
mkdir boot.sin-ramdisk
cd boot.sin-ramdisk
# unpack the cpio archive into the working directory
gzip -d -c ../ramdisk.gz | cpio -i

rip_boot_cert.sh
# carve the DER certificate and the RSA-signed hash block from boot.sin
dd if=boot.sin bs=1 skip=1272 count=438 > S1_SW_Root_ac120.cer
dd if=boot.sin bs=1 skip=1713 count=128 > boot.hashRSA
# dump the raw ASN.1 structure, then the human-readable certificate fields
openssl asn1parse -in S1_SW_Root_ac120.cer -inform der
openssl x509 -in S1_SW_Root_ac120.cer -inform der -text
# extract the public key (PEM) so it can be used for verification
openssl x509 -in S1_SW_Root_ac120.cer -inform der -pubkey -noout > S1_SW_Root_ac120.pub
# apply the public key to the signature block: recovers the PKCS#1 DigestInfo (hash algorithm OID + hash value)
openssl rsautl -in boot.hashRSA -out boot.hash -inkey S1_SW_Root_ac120.pub -verify -pubin
# show which hash algorithm was used and the hash value the signature covers
openssl asn1parse -in boot.hash -inform der

rip_boot_cert2.sh
# a second certificate sits right after the first one; same treatment
dd if=boot.sin bs=1 skip=2088 count=438 > S1_SW_Root_ac120b.cer
openssl asn1parse -in S1_SW_Root_ac120b.cer -inform der
openssl x509 -in S1_SW_Root_ac120b.cer -inform der -text
openssl x509 -in S1_SW_Root_ac120b.cer -inform der -pubkey -noout > S1_SW_Root_ac120b.pub
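The skip/count values in the dd lines above are the byte offset and the total length of the DER SEQUENCE that holds each certificate (tag 0x30 followed by a length field). The Python script below is an added example, not one of jerpelea's scripts: it scans a blob for certificate-shaped DER objects (a SEQUENCE whose first content byte is another SEQUENCE, as in X.509), validates that the length field is minimally encoded, and prints the corresponding dd commands. The blob it scans is constructed for the demonstration and implies nothing about the real layout of SIN files; the signature blocks are plain RSA output with no self-describing header, so their offsets still have to be found by hand.

```python
"""Locate DER-encoded certificates inside a firmware blob and derive the
dd skip/count values needed to carve them out.

Added example; not code from the thread.  The blob built below is
constructed for the demo: a fake certificate-shaped DER SEQUENCE (no real
X.509 contents) placed at byte 54, with filler on both sides."""


def der_length(blob, pos):
    """Parse a DER length field starting at blob[pos].

    Returns (length, header_bytes) or None if the field is malformed or
    non-minimal (DER requires the shortest possible encoding)."""
    if pos >= len(blob):
        return None
    first = blob[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(blob):
        return None
    length = int.from_bytes(blob[pos + 1:pos + 1 + n], "big")
    # reject non-minimal encodings (0x81 for values < 128, 0x82 for < 256, ...)
    if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
        return None
    return length, 1 + n


def find_der_sequences(blob, min_len=100, max_len=8192):
    """Scan blob for top-level SEQUENCE objects that look like certificates.

    A certificate is SEQUENCE { tbsCertificate SEQUENCE, ... }, so the first
    content byte must be another 0x30.  Once a candidate is accepted its
    nested SEQUENCEs are skipped so they are not reported a second time.
    Returns a list of (offset, total_length) tuples."""
    found = []
    i = 0
    while i < len(blob) - 1:
        if blob[i] == 0x30:
            parsed = der_length(blob, i + 1)
            if parsed is not None:
                length, hdr = parsed
                total = 1 + hdr + length
                if (min_len <= total <= max_len
                        and i + total <= len(blob)
                        and blob[i + 1 + hdr] == 0x30):
                    found.append((i, total))
                    i += total
                    continue
        i += 1
    return found


def dd_commands(image_name, blob, prefix="cert"):
    """Render carving commands in the same form the thread's scripts use."""
    return [
        f"dd if={image_name} bs=1 skip={off} count={cnt} > {prefix}{k}.cer"
        for k, (off, cnt) in enumerate(find_der_sequences(blob))
    ]


def build_sample_blob():
    """Constructed input: 54 bytes of filler, a 446-byte certificate-shaped
    SEQUENCE (outer SEQUENCE wrapping an inner SEQUENCE of zeros), then 200
    bytes of 0xFF.  Not a real SIN file."""
    tbs = b"\x30\x82" + (438).to_bytes(2, "big") + bytes(438)   # 442 bytes
    cert = b"\x30\x82" + (442).to_bytes(2, "big") + tbs         # 446 bytes
    filler = bytes((i * 7 + 3) & 0xFF for i in range(54))
    return filler + cert + b"\xff" * 200


if __name__ == "__main__":
    for cmd in dd_commands("sample.sin", build_sample_blob()):
        print(cmd)
```

Run as-is it prints a single dd line for the constructed blob; for a real image replace the sample with the bytes read from the file. Because the scan insists on a minimal length encoding and a nested SEQUENCE, ordinary code or filler bytes that happen to contain 0x30 are rejected, which is what keeps the hit list short on a multi-megabyte image.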
 

krazyd007

Member
So flashing one of these ROMs with setool should work and therefore give us root access. If so, I will do it now.
 

mobilezonerm

Senior Member
No krazyd007, those are originals, decrypted from SEUS.

Will wait for your next release jerpelea, keep your work on.
I will try flashing your mod until my X10 is rooted!

Cheer!

I will also wait for a working boot.sin :)
(I think that the problem is in the internal flash file signature, e.g. security hash, CRC control or a bit mismatch; if you know the engine of setool, it flashes the firmware, original and decrypted, with an online signature, but I hope that also every single file in the firmware has its "signature")
 

instigator008

Senior Member
Re: DECRYPTED X10 ROMS and TUTORIALS - DEVELOPPMENT ONLY

What I take away from all this is that nothing has actually been successfully rooted. Please correct me if I am wrong. Twitter and blogs are going nuts with "x10 rooted" stories, but it looks to me that that claim is premature at best. No disrespect meant, just trying to clarify.
 

ceyad

Senior Member
Also waiting for a working boot.sin.

Just info:
setool update v1.07
- memory consumption decreased while flashing X10 phones :)
 

lifeflayer

Senior Member
Hmm, so it ended up being 1024-bit RSA instead of 2048-bit RSA. Will it do the brute-force attack when you flash, like the old old SE-TOOLS with K790a-era phones?
 

jossgray

Member
Hmm, so it ended up being 1024-bit RSA instead of 2048-bit RSA. Will it do the brute-force attack when you flash, like the old old SE-TOOLS with K790a-era phones?

I don't think so; the only known method to crack 1024-bit RSA is to have access to the system with the private key, and a big computer cluster.
 

biktor_gj

Senior Member
It would take ages to brute-force the signing...
I was wondering about another approach...

1) How do these things get the flash over the air? It can do software updates from the phone itself. Anyone who hasn't debranded their phone (so it still updates through SEUS) could check where it goes and what it gets?
2) We still have the install server, the DRM inter-process communication server, and some kernel modules running as root interacting with the userland (touchscreen, keyboard)... maybe there's a hole there and we haven't seen it? If we can get root access we can rip the entire flash chip to a file, then find where to patch the bootloader so it doesn't need signing... anyone know ARM asm?
 

jerpelea

Senior Recognized Developer
It would take ages to brute-force the signing...
I was wondering about another approach...

1) How do these things get the flash over the air? It can do software updates from the phone itself. Anyone who hasn't debranded their phone (so it still updates through SEUS) could check where it goes and what it gets?
2) We still have the install server, the DRM inter-process communication server, and some kernel modules running as root interacting with the userland (touchscreen, keyboard)... maybe there's a hole there and we haven't seen it? If we can get root access we can rip the entire flash chip to a file, then find where to patch the bootloader so it doesn't need signing... anyone know ARM asm?

Can be done after we find the JTAG pins, and we need 1000+ USD of hardware.
 