The opening of the Wave bootloader through FOTA


mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
Hi everyone,

Many people have complained about the Wave bootloader being closed and that being a major problem for the development of an alternative OS.

I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.

OK, that said I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this the bootloader will run the phone in normal boot mode, or go to download or upload mode.

Normal boot shall start with checking the FOTA module. If you already tried flashing your phone you probably noticed that some versions of the FW include a file with *.fota extension. The file is unencrypted and not signed. It's about 2 MB, but the bootloader reserves exactly 3 MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") at 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in the download mode to load it.
After that, the code checks for additional magic values at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file are loaded to RAM location 0x43800000 and executed from there.

I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual one attached (to be bigger than 2.5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded and insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at 0x100 offset and "BPDZ" at 0x280000. At offset 0 I've placed my code that started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading of the original FOTA file made the phone boot normally.

The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in the memory as well, we can use it, but I would not recommend that approach as we would need additional version control and changing original routines and data addresses for each version.

OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.

Best Regards,
mijoma


-----------------------------------
Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
 

Attachments

  • bplib_S8500OpEuro_XXJL2_mijoma_mod2.zip
    528.5 KB · Views: 2,674
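As an added illustration (this is not code from the thread, from mijoma, or from Samsung): a read-only Python auditor that applies the same checks the first post attributes to the XXJL2 bootloader to a FOTA image on disk, and compares it block by block against a known-good copy, so that a modified module can be spotted even though the bootloader itself verifies no signature. The NAND address, magic strings, 3 MB reservation, unloaded tail and RAM load address are the values quoted in the post; every function and field name is this example's own, and the sample images it builds are constructed test fixtures, not real FOTA files.

```python
"""Audit a Samsung Wave (S8500) FOTA image against the XXJL2 bootloader checks
described in the thread, and diff it against a known-good image.
Constants are the values quoted in the post; names are this example's own."""
from dataclasses import dataclass, field

# Layout facts quoted from the post.
NAND_BASE = 0xC600000                     # NAND address the bootloader reads the module from
RESERVED_SIZE = 3 * 1024 * 1024           # the bootloader reserves exactly 3 MB
VER_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
VER_MAGIC_OFF = 0xC600100 - NAND_BASE     # 0x100 into the file
BPDZ_MAGIC = b"BPDZ"
BPDZ_OFF = 0xC880000 - NAND_BASE          # 0x280000 into the file
TAIL_NOT_LOADED = 1024                    # the last 1024 bytes of the file are not loaded
RAM_LOAD_ADDR = 0x43800000                # where the loaded module is executed from


@dataclass
class FotaReport:
    size: int
    version_ok: bool          # version magic present: no "not installed"/"mismatch" screen
    bpdz_present: bool        # BPDZ magic present and inside the loaded region
    would_execute: bool       # bootloader would jump into the module's code at offset 0
    entry_bytes: bytes        # first 16 bytes at offset 0 (what that jump would execute)
    findings: list = field(default_factory=list)


def loaded_region(image: bytes) -> bytes:
    """The part of the file the bootloader actually copies to RAM (tail excluded)."""
    return image[: max(0, len(image) - TAIL_NOT_LOADED)]


def audit_fota(image: bytes) -> FotaReport:
    """Apply the bootloader's checks without executing anything."""
    loaded = loaded_region(image)
    findings = []
    if len(image) > RESERVED_SIZE:
        findings.append(f"image is {len(image)} bytes, larger than the 3 MB reserved area")
    version_ok = loaded[VER_MAGIC_OFF:VER_MAGIC_OFF + len(VER_MAGIC)] == VER_MAGIC
    if not version_ok:
        findings.append("version magic missing: bootloader would show a FOTA Engine error")
    bpdz_present = loaded[BPDZ_OFF:BPDZ_OFF + len(BPDZ_MAGIC)] == BPDZ_MAGIC
    would_execute = version_ok and bpdz_present
    if would_execute:
        findings.append(f"BPDZ set: unsigned code at offset 0 would run from 0x{RAM_LOAD_ADDR:X}")
    return FotaReport(len(image), version_ok, bpdz_present, would_execute, loaded[:16], findings)


def modified_blocks(reference: bytes, candidate: bytes, block: int = 0x1000) -> list:
    """Offsets of block-sized chunks where candidate differs from a known-good image.
    This is the integrity check the bootloader does not perform for you."""
    longest = max(len(reference), len(candidate))
    return [off for off in range(0, longest, block)
            if reference[off:off + block] != candidate[off:off + block]]


def make_sample(with_bpdz: bool, entry: bytes = b"\x00" * 16) -> bytes:
    """Constructed test fixture (not a real FOTA file): 2.5 MB plus a little extra and
    the unloaded tail, version magic at 0x100, and optionally BPDZ at 0x280000."""
    buf = bytearray(BPDZ_OFF + 0x1000 + TAIL_NOT_LOADED)
    buf[:len(entry)] = entry
    buf[VER_MAGIC_OFF:VER_MAGIC_OFF + len(VER_MAGIC)] = VER_MAGIC
    if with_bpdz:
        buf[BPDZ_OFF:BPDZ_OFF + len(BPDZ_MAGIC)] = BPDZ_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    stock_like = make_sample(with_bpdz=False)
    altered = make_sample(with_bpdz=True, entry=b"\xaa" * 16)   # constructed marker bytes
    for name, img in (("stock-like", stock_like), ("altered", altered)):
        report = audit_fota(img)
        print(name, "would_execute =", report.would_execute, report.findings)
    print("blocks differing from reference:",
          [hex(o) for o in modified_blocks(stock_like, altered)])
```

Run it against a real *.fota file by reading the file into bytes and passing it to audit_fota together with a trusted copy for modified_blocks; a BPDZ hit in the loaded region is the condition under which, per the post, the bootloader transfers control to the module, so that is the finding to alert on.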

adfree

Senior Member
Jun 14, 2008
9,522
5,638
Samsung Galaxy Watch 4
My little knowledge/experiments...

1.
Before, I NEVER updated FOTA manually. I have never seen any Errors like other users... with FOTA not installed or something similar.
Maybe the reason is that my test device has NO active SIM card, so no network...

2.
I've tested the examples from mijoma. On XXJL2 Boot...
Simply flash only FOTA with Multiloader.
At your own risk. Not all side effects are known.
I had NO problems. :cool:

3.
Results... I can't see anything special after Flashing. But I can go through the internal menu, see Pictures.
http://forum.xda-developers.com/showthread.php?t=906966
Normally I have more messages... but with the modified FOTA, Wave restarts. So the way is correct. :cool:

4.
Delta files are sometimes in Firmware also with Boot... I will add next Link to what I found about Delta files...
Delta Files are part of FOTA concept...

5.
Depends on Firmware... Software update... but sometimes this point is removed and I can't log in, because no network...

In other words, I have to start FOTA via this internal menu to see that it is doing something. :cool:

Best Regards
 

Attachments

  • FOTA1.jpg
    91.8 KB · Views: 2,264
  • FOTA2.jpg
    46.9 KB · Views: 1,507
  • FOTA3.jpg
    64.1 KB · Views: 1,519
  • FOTA4.jpg
    38.6 KB · Views: 1,661

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
@adfree
I think you are testing the previous version. Could you confirm you are using mod version 2?

Best Regards,
mijoma
 

adfree

Senior Member
Jun 14, 2008
9,522
5,638
Samsung Galaxy Watch 4
bplib_S8500OpEuro_XXJL2_mijoma_mod2.zip
:eek:

You are right, not tested yet. Only the prior Version.
I will test mod2 today and report later.

I have to flash back to XXJL2... as I'm currently playing with Orange JE7.

Thank you.

Best Regards
 

mkz14

Senior Member
Feb 17, 2011
268
63
Amazing job dude. It seems like this could help us to change booting stuff.
 

adfree

Senior Member
Jun 14, 2008
9,522
5,638
Samsung Galaxy Watch 4
:cool:

I can confirm it works. :cool:

Now I see the same as on this Video:
http://www.youtube.com/watch?v=A35k3E1F1O4

Thanks jedil1 for the Link.


Sorry mijoma.

I have no idea where I made a mistake... :eek:

This time my first Test was Full Flash (without Boot)...
Second only FOTA and it works too... Original, then yours...

If you flash "Full", then you interrupt the Index process at Start, where the Blue Screen shows...

Best Regards
 

oleg_k

Retired Recognized Developer
Dec 19, 2005
183
620
Moscow
Great job!!!
And in my opinion, this is the only way to start fully working android on s8500,
because we need to initialize the modem at bootloader stage for the fuel gauge.
I temporarily use the modem from m130k without fuel gauge.
 

adfree

Senior Member
Jun 14, 2008
9,522
5,638
Samsung Galaxy Watch 4
A few Firmware packages have Delta files:
Code:
delta.bin
delta_AP.bin
delta_CFS.bin
delta_CP.bin
delta_CRSRC.bin
delta_FS.bin
delta_LFS_01.bin
delta_LFS_02.bin
delta_RSRC2.bin
Around 16 MB...

If I use Google for "Delta Files FOTA"... then I can also find this:
http://www.faqs.org/patents/app/20100175062

Theory/ideas :D
What we can also do with this Security hole:
- maybe "move" the System folder to SD or internal Memory, to have no more problems with RC1 :D
- maybe someone is smart enough to integrate a Dump Function to Dump the whole RAM or moviNAND... like JTAG

See Upload function...

Best Regards
 

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
- maybe someone is smart enough, to integrate Dump Function for Dump whole RAM or moviNAND... like JTAG

See Upload function...

Best Regards

I think that Samsung have thought of that already. I have not analysed that so far, but there's an UPLOAD option in the bootloader (handled by code somewhat separate from DLOAD). I haven't got the Wave, so I never tested it.
You can make a patch on my mod and place a direct jump to that code. I've made a quick patch so you can try it out. I don't know whether there's any software that can handle that mode. I've had a look and there are several funny commands that can be used:
"PrEaMbLe"
"AcKnOwLeDgMeNt"
"PoStAmBlE"
"PoWeRdOwN"
"DaTaXfEr"

Remember that this time we're dealing with some real functionality of the bootloader and that may have some consequences, so use at your own risk.

Best Regards,
mijoma

----------------------
Edit: Sorry if anyone tried loading it. By mistake I've used addressing from XXJEE. I've changed the name to represent what it was and added a correct file for the XXJL2 bootloader.
 

Attachments

  • bplib_S8500OpEuro_XXJL2_mijoma_upload2.zip
    528.5 KB · Views: 169
  • bplib_S8500OpEuro_XXJEE_mijoma_upload.zip
    528.4 KB · Views: 151

adfree

Senior Member
Jun 14, 2008
9,522
5,638
Samsung Galaxy Watch 4
Upload to PC is in combination with Debug Mode higher than Low...
After you see the Bluescreen with very interesting info you can press a Button, then "Upload to PC" is on Screen. But I don't know how to catch the Data, as no COM Port is visible.

Btw...
Now I know where I made big mistake.
First tests I used XEKC2 Firmware with XXJL2 Bootloader, as I thought it's only Bootloader related. Sorry. :eek:
My fault. :)

So there must be more than the Bootloader from XXJL2 in the handset, to run FOTA Mod2 successfully.

About the new Mod with Upload, I will investigate better this time, before I report.

Thank you.

Best Regards
 

mkz14

Senior Member
Feb 17, 2011
268
63
I have my paypal account limited but in 1 month I'll be able to donate maybe 20€
 

sabianadmin

Senior Member
Jul 30, 2009
566
183
Straffan
The question is more would you like a Wave for your efforts, as otherwise you really won't be able to benefit from your own work when we have meego, android, webOS etc booting on the Wave. There's no extra pressure, sure you have already done the trickiest part of the work. :)
 

mijoma

Retired Recognized Developer
Feb 5, 2011
249
393
Warsaw
No, I'm being completely honest here. I find this rather a weird form of relaxation than work.
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
 

Top Liked Posts

Thanks guys, but I don't think it's necessary.
I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.
mijoma, along with Oleg_k are you working to complete the project for the bada and android research to launch the s8500 in FOTA mode? I would like to ask what the progress is?
ps: sorry for the stupid question of my little
I use google translate

Quite honestly, I haven't got enough time for this. I've made attempts to mount the SD through FOTA, but with little success. It's not that hard, but it seems I'm missing some detail.

As for the Android porting project I extracted some LCD handling code and made some modifications to the SGS bootloader to match the GPIO in Wave, but that's all.

In the first post of the thread I've already stated I hope somebody can take it from here. The method is served on a plate - it has almost no limitations - full memory and device access, original BL loaded in DRAM (may think about patching). All you need is to write some pieces of the code and test that. What I don't get is how the Samsung Jet community gathered bright enough guys to do all that stuff and Wave owners wait for somebody else to do that job for them, offering donations to everybody asking, even without the skills. You won't ever finish your porting projects if you're planning to base them on 2-3 guys. Better find yourselves some reverse engineers and developers.

I've helped as I could and I'm already reaching my time limit for the next several months.
Then, obviously I did something wrong; done as a manual single-byte conversion, it works well too. :)

Mwahahah!
Sorry if my code looks like cow's ****, it's my first own asm code. :D

Remember to include proper addresses and modify the multiloader header if you want to test it on S8500.

//edit:
Okay, anyone wanted to do a real file explorer and manager for Wave? Touchscreen handling and some ops left to do. :D

//edit2:
SD Card doesn't seem to be mounted by default, so a year of struggles ahead!
After a week of research I found it!
We haven't loaded PBL as we thought it was unnecessary. But it has a very important role. It does a complete reinitialization of DDR controller MPC0, mapping chip0 to the 0x30 address space (by default it is under 0x20) and chip1 under 0x40 (it does some kind of switching, because before that chip1 is being controlled by MPC1 as chip0).

For now I've copied parts of the PBL code to FOTA, now waiting for Serg to do some tests. Of course I'd be very surprised if that would be enough to boot the kernel, but we're closer for sure!