please remove this thread

[jerpelea]

please remove this thread

 

[jerpelea]

please remove this thread

 

[jerpelea]

kernel source & tools

please remove this thread

 

[jerpelea]

Progrss Sumary

1.dumped system.sin - ok
2.dumped root.sin - ok
3.dumped recovery.sin - ok
4.analise loader.sin - ok
5.created custom rom - ok (just recontructed dumped se rom)
6.flash tools for signed files - ok (now you can unbrick your device)
7.investigate recovery.sin - ok (is almost same as boot.sin)
8.developer loader.sin - searching (esential for unsigned files)
9.flash unsigned files - no (esential for root and custom roms)





Tested
1.all key combinations at boot
-left key during boot - safe mode
-right key during boot - 5 seconds into flash mode
2.service menu - in lock screen Menu, Back, Back, Menu, Back, Menu, Menu, Back
3.flashed boot.sin as recovery.sin - phone boots normaly and in safe mode
4.flashed broken recovery.sin - phone does not boot(! appears in yellow triangle)

 

[jerpelea]

tutorials & scripts

rip_loader_cert.sh
dd if=loader.sin bs=1 skip=54 count=446 > S1_Loader_Root_f851.cer
dd if=loader.sin bs=1 skip=503 count=128 > loader.hashRSA
dd if=loader.sin bs=1 skip=631 > loader.bin

extract-ramdisk.sh
dd if=boot.sin bs=1 skip=4916769>ramdisk.gz
mkdir boot.sin-ramdisk
cd boot.sin-ramdisk
gzip -d -c ../ramdisk.gz | cpio -i


rip_boot_cert.sh
dd if=boot.sin bs=1 skip=1272 count=438 > S1_SW_Root_ac120.cer
dd if=boot.sin bs=1 skip=1713 count=128 > boot.hashRSA
openssl asn1parse -in S1_SW_Root_ac120.cer -inform der
openssl x509 -in S1_SW_Root_ac120.cer -inform der -text
openssl x509 -in S1_SW_Root_ac120.cer -inform der -pubkey -noout > S1_SW_Root_ac120.pub
openssl rsautl -in boot.hashRSA -out boot.hash -inkey S1_SW_Root_ac120.pub -verify -pubin
openssl asn1parse -in boot.hash -inform der

rip_boot_cert2.sh
dd if=boot.sin bs=1 skip=2088 count=438 > S1_SW_Root_ac120b.cer
openssl asn1parse -in S1_SW_Root_ac120b.cer -inform der
openssl x509 -in S1_SW_Root_ac120b.cer -inform der -text
openssl x509 -in S1_SW_Root_ac120b.cer -inform der -pubkey -noout > S1_SW_Root_ac120b.pub

 

[jerpelea]

LOGS

reserved for future use

 

[krazyd007]

So flashing one of these roms with setool should work and therefore give us root access if so i will do it now.

 

[funfobia]

So flashing one of these roms with setool should work and therefore give us root access if so i will do it now.

no krazyd007 those are original from decrypt from SEUS

Will wait for your next release jerpelea keep your work on.
I will try flash your mod until my X10 root!

Cheer!

 

[mobilezonerm]

no krazyd007 those are original from decrypt from SEUS

Will wait for your next release jerpelea keep your work on.
I will try flash your mod until my X10 root!

Cheer!

i will also wait for a working boot.sin
(i think that the problem is in internals flash file signature ex; security hash,crc control or a bit mismatch, if u know the engine of setool it flash the firmware,original and decrypted, whit online signature, but i hope that also every single file on firmware has his "signature")

 

[instigator008]

Re: DECRYPTED X10 ROMS and TUTORIALS - DEVELOPPMENT ONLY

What I take away from all this is that nothing has actually been successfully rooted. Please correct me if I am wrong. Twitter and blogs are going nuts with "x10 rooted" stories but it looks to me that that claim is premature at best. No disrespect meant just trying to clarify.

 

[ceyad]

also waiting for working boot.sin

just info:
setool update v1.07
- memory consumption decreased while flashing x10 phones.

 

[hoss_n2]

it seems that rooting is going far from us again

 

[krazyd007]

also waiting for working boot.sin

just info:
setool update v1.07
- memory consumption decreased while flashing x10 phones.

Yes but did you not read what he said in my topic.

 

[carinoxx]

when we will have an way to flash them for free

Thanks for your job Jerpelea...
Custom ROM are going to be multilanguage??

 

[jerpelea]

a lil info for you :d

 

[lifeflayer]

Hmm so it ended up being 1024bit RSA instead of 2048bit RSA. Will it do the bruteforce attack when you flash like the old old SE-TOOLS with k790a era phones?

 

[jerpelea]

a lil more info for you

 

[jossgray]

Hmm so it ended up being 1024bit RSA instead of 2048bit RSA. Will it do the bruteforce attack when you flash like the old old SE-TOOLS with k790a era phones?

i dont think so, the only known method to crack 1024bit RSA is to have access to the system with the private key, and a big computer cluster.

 

[biktor_gj]

It would take ages to bruteforce the signing...
I was wondering on another approach...

1) How does this things get the flash over the air? It can do software updates from the phone itself. Anyone, who hasn't debranded their phone (so it still updates through SEUS) could check where it goes and what does it get?
2) We still have the install server, drm inter process communication server, and some kernel modules running as root interacting with the userland (touchscreen, keyboard)... maybe there's a hole there and we haven't seen it? If we can get root access we can rip the entire flash chip to a file then find where to patch the bootloader so it doesn't need signing... anyone knows ARM asm?

 

[jerpelea]

It would take ages to bruteforce the signing...
I was wondering on another approach...

1) How does this things get the flash over the air? It can do software updates from the phone itself. Anyone, who hasn't debranded their phone (so it still updates through SEUS) could check where it goes and what does it get?
2) We still have the install server, drm inter process communication server, and some kernel modules running as root interacting with the userland (touchscreen, keyboard)... maybe there's a hole there and we haven't seen it? If we can get root access we can rip the entire flash chip to a file then find where to patch the bootloader so it doesn't need signing... anyone knows ARM asm?

can be done after we find jtag pins and we need 1000+ usd hardware