Following is a detailed explaination of quacomm MSM Boot
Process
(thanks to the original author "TJ world")
hope it helps DEVs in order to bypass SecureBoot.
An examination of how the
Qualcomm Mobile Station Modem
(MSM) Snapdragon 7x30 system-on-
chip boot-straps the processors into
an operating system.
There are two processors in the
MSM 7x30, an ARM9 for the radio
and an ARM11 auxiliary applications
processor. Each processor has its
own JTAG and can be independently
controlled using it.
ARM9 Boot Process
The ARM9 is the primary processor.
It boots first, executing the Primary
Boot Loader (PBL) from on-board
ROM at 0xFFFF0000 .
The MSM platform has the facility to
force Secure Boot using the status of
the FORCE_TRUSTED_BOOT Qfuse
on-chip or a high-state BOOT_SCUR
pin connected to GPIO95. In this
mode the PBL verifies the signature
of the SBL/OSBL before executing
it,which verifies the REX/AMMS
signature in the same way.
After some hardware initialisation the
PBL reads the Device Boot Loader
(DBL) from the first partition of the
flash memory device (In Linux,
mmcblk0p1).
DBL is part of Qualcomm's
SecureBoot, which uses
cryptography to guarantee that the
boot-loader images haven't been
tampered with. DBL configures the
Cryptographic Look-aside Processor
(CLP), a dedicated cryptographic co-
processor, and other hardware
sufficient to load and execute the
Secondary Boot Loader (SBL) from a
Flash memory device on EBI2
(External Bus Interface 2) from
partition 3 (Linux mmcblk0p3).
The SBL, also known as the
Operating System Boot Loader
(OSBL), is loaded into memory at
0x8000000 (IMEM - Internal Memory,
the MSM7230 package-on-package
(PoP) RAM). This is the ARM9
Monitor (AMON). It provides an
Extensible Firmware Interface (EFI) -
like environment for controlling the
boot process. After doing more
hardware configuration including
UARTs and USB (for potential remote
console connections to the monitor)
it loads the Applications processor
Secondary Boot Loader (APPSBL
a.k.a. hboot) on the ARM11
applications processor from partition
18 (Linux mmcblk0p18) into memory
@ 0x8D000000 virtual, 0x00000000
physical.
It then loads and executes the
combined REX/AMSS from partition
5 (Linux mmcblk0p5). The image
contains the REX (Real-time
EXecutive) which is an L4A
Pistachio embedded micro-kernel
and Iguana operating system
combination, with extensive
Qualcomm and HTC modifications
and extensions.
REX is responsible for loading the
firmware into the ancillary micro-
controller (microP), digital signal
processor and voice processor and
initialising them. It runs in Security
Domain 0 (SD0).
When the ARM11 starts REX
unloads/disconnects its eMMC driver
and from then on relies on remote
procedure calls (RPC) via shared
memory (SMEM) to the ARM11
application processor to read and
write the eMMC. On the ARM11 side
the Linux operating system uses the
rmt_storage (remote storage) driver
to handle such requests.
Finally on the ARM9 REX executes
the Advanced Mobile Subscriber
Software (AMSS). AMSS runs in
Security Domain 1 (SD1).
ARM11 Boot Process
The ARM9 running REX loads the
eMMC "hboot" partition into memory
at 0x8D00000 (virtual) and starts the
ARM11 auxiliary applications
processor executing at this location.
It runs in Security Domain 3 (SD3).
The core of the boot-loader can be
found in the Android source-code
repository in the platform/bootable/
bootloader/legacy.git project. This
source-code maps well to current
hboot images when they are reverse-
engineered; allowing the libc and
core functions and structures to be
identified.
What about grand 2 SM-G7102? Can u help on this phone its as it is also qualcomm. But bootstrap or unlockbootloader required... still not available..
Sent from my SM-G7102 using Tapatalk
i am currently working on the Main SBL only
but what i get is a bunch of useless Hashes!
http://forum.xda-developers.com/showthread.php?t=2666183
Check this out and also u can contact this developer he has already developer kernel for grand2
Sent from my SM-G7102 using Tapatalk
manan001 said:
http://forum.xda-developers.com/showthread.php?t=2666183
Check this out and also u can contact this developer he has already developer kernel for grand2
Sent from my SM-G7102 using Tapatalk
Click to expand...
Click to collapse
actually i know how kernel works,
but the thing is that how do i edit the assembly code in primary registers in order to directly skip the verification which is done by boot image(kernel)
PM Hashcode or dorimanx
Galaxy grand2 SM-G7102
first let me try by my own..
if no progress is done then i'll surely contact them
vrushabh sutar said:
first let me try by my own..
if no progress is done then i'll surely contact them
Click to expand...
Click to collapse
check this..
TripRex is working on stock kernel you can take his help to bulid one..
http://forum.xda-developers.com/showpost.php?p=51549344&postcount=17
bro any progress?
hmm
i've checked all the Memory offsets but found nothing different
Follwoing were the partitions:-
SBL
AMSS
QSCBL (i think we may do something of this but i am nt sure..)
AP
CSC
SYSTEM
CACHE
USRDATA
RAM
EEPROM
Related
Qualcomm RTOS AMSS :
http://read.pudn.com/downloads155/doc/686659/Rex/80-24897-1.pdf
http://read.pudn.com/downloads155/doc/686659/Rex/80-V0255-1.pdf
http://read.pudn.com/downloads155/doc/686659/Rex/Rex_Reference.pdf
http://read.pudn.com/downloads137/doc/comm/585430/Rex.ppt
Reverse engineering Qualcomm RTOS :
28C3: Reverse engineering a Qualcomm baseband
http://events.ccc.de/congress/2011/Fahrplan/events/4735.en.html
http://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf
https://www.sstic.org/media/SSTIC20...t_dbogage_dun_baseband_qualcomm-delugre_1.pdf (French)
https://cryptolux.org/media/hack.lu-aybbabtu.pdf
http://reverse.put.as/wp-content/uploads/2011/06/basebandplayground-luismiras.pdf
Miasm is a a free and open source (GPLv2) reverse engineering framework. Miasm aims at analyzing/modifying/generating binary programs. Here is a non exhausting list of features:
opening/modifying/generating PE/ELF 32/64 le/be using Elfesteem
Assembling/Disassembling ia32/ppc/arm
Representing assembly semantic using intermediate language
Emulating using jit (dynamic code analysis, unpacking, ...)
Expression simplification for automatic de-obfuscation
Graphic disassembler using Grandalf
http://code.google.com/p/miasm/
MSM7200 software manual :
http://read.pudn.com/downloads149/doc/project/643560/MSM7200.pdf
Qualcomm MSM Debugger :
http://code.google.com/p/qcombbdbg/
Information about the design and implementation of the L4/AMSS system in Qualcomm basebands :
Git with some source OKL4 for Ida
http://code.google.com/p/docl4amss/wiki/Main
http://code.google.com/p/docl4amss/wiki/OkL4
Qualcomm Android and RIL Linux Data :
On update Translate...
http://wenku.baidu.com/view/412c05252f60ddccda38a081.html###
Qualcomm AMSS Source :
https://www.codeaurora.org/git/proj...8800744c99f287f77a8ef/show/AMSS/products/7x30
Update
Enjoy !!!
Update
dumb question
Call me dumb, but might this be important for the development of the modem?
Do you think that these are relevant to modems that are dual cdma/umts etc or is strictly one radio CDMA documentation?
Yesterday I discovered a very interesting source release from Samsung: GT-S5830G_GB_Opensource.zip
Normally, there is a shared Samsung source release for the msm7k range of devices (Ace, Mini, Callisto, Beni, Gio; there is also partial support included for my GT-I5500/Europa, but I adapted the source to properly support my phone). All of these devices usually depend on Samsung's proprietary FSR (Flex Sector Remapper) drivers in order to access the flash memory, which are taken from the stock ROMs, but our dependence on this driver locks us into the 2.6.35 kernel since we don't have access to the driver source.
The new source that I found for the GT-S5830G model, however, appears to contain modifications for the purpose of transitioning from Samsung's proprietary FSR driver to the open source MTD (via msm_nand) driver. If this can work correctly, using this driver would be much preferred over the proprietary Samsung stuff.
Here's the source that I uploaded to github: https://github.com/psyke83/android_kernel_samsung_msm/tree/purenand
Some observations that I have made, keeping in mind that I'm testing on my GT-I5500:
There are two separate configs for the cooper rev03 (Galaxy Ace): the standard defconfig that uses fsr/rfs, and a "purenand" config that uses the mtd/yaffs2 drivers instead of fsr/rfs. In other words, it's using the open drivers for flash access. Here is the diff: https://gist.github.com/3365123
The dpram driver (Samsung's driver for communication with baseband, used by RIL) is patched to support MTD instead of BML when the proper config is set.
The drivers/mtd/devices/msm_nand.c driver is modified by Samsung, but they applied their patches to an older revision of msm_nand.c from Froyo. Here is the diff when comparing this file vs the Froyo revision, so you can see more clearly the changes: https://gist.github.com/3365161
By default, the msm_nand.c driver causes the kernel to hang on my device (this is true for both this source and the older 2.6.35 Samsung source not based on purenand). I have isolated the hang to the flash_onfi_probe function.
As you can see here, Samsung added code to bypass this function on the Cooper board, and use the secondary detection method only. If I include my board to this ifdef block, it solves the issue with the kernel hanging on my device. I also need to patch some checks in the onenand detection, because the driver explicitly looks for onenand devices with a device_id of 0x40 and num_of_buffers as 0x201, but the chip on the GT-I5500 is different (device_id is 0x50, num_of_buffers is 0x101). This patch solves these problems: https://gist.github.com/3365222
Here is a dmesg log from my device after patching the code: https://gist.github.com/3360727. For comparison purposes, look at the block mapping that the fsr driver reports for my device when using the BML mapping: https://github.com/psyke83/android_device_samsung_galaxy5/blob/gingerbread/BoardConfig.mk#L53
As you can see, the partitions names and order detection is correct for the msm_nand driver, but the address mappings are exactly half of what they are supposed to be (e.g. the first partition, mibib, should range from 0x00000000-0x00180000, but the mtd driver detects the memory range as 0x00000000-0x000C0000.
If I try to perform a "nandump -f /sdcard/cache.img /dev/mtd/mtd13", there are no obvious errors in the dmesg log, but the tool will dump the cache partition until the sd card becomes full (over 300mb in my case, but the real /cache partition is only 25MB), and will then output "nanddump: short write". The resulting dump will be filled with 0xFF when examined with a hex editor (even though I'm sure that the /cache partition is not blank in reality).
These are my findings so far. I'd appreciate any kernel hackers to help me out. If we can crack this problem and get open onenand drivers working, then our devices will no longer be locked to any specific kernel release. If you know any developers for the Samsung devices I mentioned at the beginning of the post, or anyone else who may be able to help, please direct them to this thread. Thanks!
Reserved for future use
I have also posted this topic on the MadTeam forum, and posted a lot of further details. Please see: http://madteam.co/forum/development-8/(devs-only)-mtdonenand-driver-development/
Post this on General Discussion, this section is inactive
Hi everyone,
I am writing this post because I need help for clarifying some aspects of the radio interface layer.
I know that the two main components of the RIL stack are RILD (which interfaces the Java part with the low-level hardware) and vendor-RIL (which interfaces RILD with the modem). Both of them have loops that are used to capture and analyze new commands of events coming from other layers. These loops are the rild event loop, which handles requests from upper and lower layers of Android, and vendor reader loop, which handles the commands from and to the modem. However, I am not 100% sure whether these loops are polling based (i.e., looping all the time even when there are no new data to process) or they are triggered only when a new data or command is received (i.e., interrupt based). At first I thought that it is polling based because of the "loop until 2012 (the end of the world)" in slide number 12 in the presentation "Android RIL - Radio Interface Layer" available here : http://www.slideshare.net/leafjohn/ril-and-android-telephony?related=1 . I also think that the maintenance of the IPC socket of communication between RILD and RILJ (the java part of the RIL stack) to allow RILD and RILJ to exchange communications and data is polling based (it loops even when there is nothing to process).
In summary, I would really like your opinion to clarify the following questions:
1) Is the exchange of data between the baseband processor and the application processor interrupt based or polling based?
In practice, is the application processor polling regularly the port of communication with the baseband to check for the presence of new commands from the baseband, or the application processor is woken up by some sort of interrupt generated by the baseband processor as soon as the baseband has to communicate some new commands?
2) how the vendor reader loop detects the presence of a new unsolicited command? Is the vendor reader loop running even when there are no new commands or it is started only in the presence of a new unsolicited command?
In the case in which the reader loop is started only when a new unsolicited command is detected, what component or process starts this vendor reader loop?
3) is the rild event loop running all the time to check whether some events have been detected by the vendor RIL or it runs only when the vendor RIL adds a new event in the event queue of RILD?
In the case in which the event loop is started only when a new event has been added to the event queue, what component or process starts this event loop?
4) How RILD maintains the communication sockets with the java part of the RIL stack (RILJ)? Are they opened only when there are new data to exchange or they are maintained open all the time?
Thanks I a lot for any information and help you can give me. I really appreciate it.
Hello all,
I have recevied an old tablet "goClever i102 ( Airis Kira N10020) and it is slow.
Here are it's specifications:
• 10" Wide TFT (1024x600)
• ARM11 up to 1 GHz Processor
• Memory 512 MB DDR2
• Storage Flash 4 GB
• WLAN - LAN 10/100
• mini HDMI - Web-Cam - 4x USB
• micro SD/SD-HC Card Reader
• Dimensions 246.6 x 172.7 x 24.5 mm.
• Weight ~ 0.90 Kg.
• Android 2.3 OS
The manufacturer's page for the device:
http://www.airissupport.com/SupportHome2.aspx?Codigo=N10020
Here are some aditional informations I gathered by openning it:
Processor
========
Infotmic imapx210bm1-80
pcc265 oop-1
1133
Stuff written on the main board
========================
pc1051
ver.1.2
2011/12/14
s-m
940-0
e305905
Some integraded circuits I could not identify
==================================
4x Samsung k4t1g164qf-bce7
Hynix Nand Flash Memory
====================
H27UBG8T2ATR-BC
PARALLEL 8M FLASH T
====================
MCXMX29LV800CBTI-70G
I rooted the device and I posted the instructions here:
http://forum.xda-developers.com/android/help/rooting-goclever-i102-n10020-t3119091
I would like to install on it Arch linux or some other linux core.
I set up a virtual machine with linux, installed a cross-compiler and the toolchain to build for ARMv6 processors and then I tried to build a bootloaded and a kernel for the tablet. It succesfuly built the kernel, just to test the toolchain ,but soon I realized that I could not configure u-boot for this specific processor. I could not find any pre-made configurations files for it. I don't have much knowledge about how to build a kernel or a bootloader.
Could anyone help me regarding this issue or give some instructions how to manually configure u-boot?
PS: I tried to boot on some RasberryPi softwares that I could find on the internet but it did not boot. Also I tried some linux software for the tablets Airis Kira N7000 / N8000 / N9000 that I found here: https://kirbian.wordpress.com/descargas/airis-kira-n7000-n8000-n9000/ ,and booted the kernel for a very short time(it displayed something like uzImage.bin and a loading bar), but then the screen went black with the cursor blinking on the left. After this it remains in this state, nothing loads or changes. After I reboot it, it loads the stock rom (Android 2.3.3)...
Thank you in advance!
Hi everyone:
I install RemixOS on hard drive following some directions found on XDA (http://forum.xda-developers.com/remix/remix-os/question-install-remix-dedicated-hdd-t3316527) to installs the system directly to hard drive without dual boot.
What i did was the following: After pressing TAB on Resident mode, i removed everything after "quiet". Then i put INSTALL=1 and then format to ext4 to use all the disk space.
The installer finalizes without errors, but when i restart and choose normal init at GRUB, the system stucks on flashing screen, then never enters to graphic env.
The things changes when i boot in debug mode. The system boot up completely but to console. I know how to use Linux, but this distro its very different to an standard one, so i need some directions to diagnose and solve the problem.
In debug mode, when i grep dmesg for error or warning nothing is found. All the devices are detected and aparently installed.
The only thing that got my attention when i installed Remix was the following messages:
- intel_powerclamp: Intel powerclamp does not run on family 6 model 15
- intel_rapl: driver does not support CPU family 6 model 15
But these msgs i suppose that are normal because is an old CPU that not support all the features that the driver does, right?
Anyway, these are the specs of the intallation:
- RemixOS version: B2016071501.
- CPU: Intel Dual Core E2160 1.68Ghz
- MB: Foxconn 45CMX
- GPU: Intel integrated on MB. I don't know the exact model
- HDD: 60Gb SATA
Any ideas to solve this problem?
Many thanks in advance.