Hi guys,
I've got a pretty basic one for you. It's possible to dump the TrustZone and QSEE (Qualcomm Secure Extension Environment) logs. This may benefit the right people. No risk of danger or anything with this. It makes use of debugfs; not sure if you need to have debug on HIGH (*#9900#, then select DEBUG LEVEL HIGH if it doesn't work).
TZ Log:
Code:
cat /d/tzdbg/log
QSEE Log:
Code:
cat /d/tzdbg/qsee_log
Hopefully someone finds this useful.
Man, you always come up with goodies when least expected. Exactly what I was looking for. I was just diggin' through these binaries trying to understand what they do. What about the device /dev/qseecom ? Any idea how it is used?
Just wondering here but could these logs help out with anything such as unlocking the bootloader or anything else?
AngryManMLS said:
Just wondering here but could these logs help out with anything such as unlocking the bootloader or anything else?
Certainly. QSEE is the Qualcomm Secure Extension Environment. This is Qualcomm's TrustZone kernel. This kernel has secure memory where it can store information that is heavily protected. This is where secure boot configuration information is stored, including read/write to QFPROM (QFuses), eFuses (software fuses like Speed Bin for CPU scaling; yes, they also have other useful functions), and the warranty 'fuse' which is located onboard the Snapdragon CPU (unlike Exynos, where the warranty bit is on the RPMB of the eMMC). This kernel has access to low-level and secure hardware. It is my belief that this kernel operates on the Hexagon DSP by Qualcomm.
I was playing around with my Z3x JTAG box, and in order to do so I had to solder to the back of our mainboard. I decided to do a little analysis of the PBA, and found a third chip labeled 'ARM', aside from the MDM9215 (CP) and APQ8064T (AP). The Hexagon DSP chip is a roughly 600 MHz processor (I believe) with Secure World access. This DSP chip is not secret, and is actually pretty cool IMO and efficient at what it does.
Can we just hack into this kernel? No, it's VERY difficult, and it was designed to be that way. People like Dan Rosenberg are very good at what they do, as he is a professional. However, it is possible there are vulnerabilities or design flaws present; it's just a matter of analyzing the code and logic. This can be complicated and take a significant amount of time.
Anyways... using the following command after boot:
Code:
cat /d/tzdbg/log
You can see (usually):
Code:
Bam Devices pointer struct size : 24 bytes
tzbsp_secure_channel_key_gen status 0
Initializing PIL
QSEE version major=1, minor=2
TYPE = 0x0
FUSE ID: 0x0
IS_WRITE: 0x0
READ: QFPROM row data 0xf03 0x0
READ: Final masked val 0x0
tzbsp_es_is_activated: row_address=0xfc4b81f8.row_data[0]=0x1.row_data[1]=0x4000000.
tzbsp_es_is_activated: row_address=0xfc4b81f8.row_data[0]=0x1.row_data[1]=0x4000000.
global_tz_app_id 0x555, 0x0
global_tz_app_id 0x888, 0x0
global_tz_app_id 0x789, 0x0
global_tz_app_id 0xaaa, 0x0
global_tz_app_id 0x777, 0x0
The row_address values (0xfc4b81f8) are QFuse addresses. This fuse in particular is what I believe to be the OEM Config fuse chain. This has all of Samsung's configuration for Secure Boot and other odds and ends.
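As an added example (not code from the original post or from Qualcomm), the following Python reads the two debugfs files the first post dumps with cat, and pulls the structured fields out of a log like the excerpt quoted above: the QSEE version, the QFPROM row reads, the tzbsp_es_is_activated row address/data pairs and the global_tz_app_id entries. It has to run as root on the device with debugfs mounted (mount -t debugfs none /sys/kernel/debug if /sys/kernel/debug is empty); the candidate paths are an assumption, and the embedded sample log is constructed from the lines shown above so the parser also runs off-device.

```python
"""Added example: locate the tzdbg debugfs directory, read the TZ/QSEE
logs and extract the fields of interest from the TZ log.  Runs as root on
a device; anywhere else it parses the constructed SAMPLE_TZ_LOG instead."""
import os
import re

# Assumed candidate locations: /d is commonly a symlink to /sys/kernel/debug.
TZDBG_CANDIDATES = ("/d/tzdbg", "/sys/kernel/debug/tzdbg")

# Constructed sample mirroring the lines shown in the post above.
SAMPLE_TZ_LOG = """\
QSEE version major=1, minor=2
TYPE = 0x0
FUSE ID: 0x0
IS_WRITE: 0x0
READ: QFPROM row data 0xf03 0x0
READ: Final masked val 0x0
tzbsp_es_is_activated: row_address=0xfc4b81f8.row_data[0]=0x1.row_data[1]=0x4000000.
tzbsp_es_is_activated: row_address=0xfc4b81f8.row_data[0]=0x1.row_data[1]=0x4000000.
global_tz_app_id 0x555, 0x0
global_tz_app_id 0x888, 0x0
global_tz_app_id 0x789, 0x0
"""

_HEX = r"(0x[0-9a-fA-F]+)"
_RE_VERSION = re.compile(r"QSEE version major=(\d+), minor=(\d+)")
_RE_QFPROM = re.compile(r"READ: QFPROM row data " + _HEX + r" " + _HEX)
_RE_ES = re.compile(r"tzbsp_es_is_activated: row_address=" + _HEX +
                    r"\.row_data\[0\]=" + _HEX + r"\.row_data\[1\]=" + _HEX)
_RE_APP = re.compile(r"global_tz_app_id " + _HEX + r", " + _HEX)


def find_tzdbg(candidates=TZDBG_CANDIDATES):
    """Return the first candidate directory whose 'log' file is readable, else None."""
    for base in candidates:
        if os.access(os.path.join(base, "log"), os.R_OK):
            return base
    return None


def read_tz_logs(base):
    """Read 'log' and 'qsee_log' from a tzdbg directory; a missing file maps to None."""
    out = {}
    for name in ("log", "qsee_log"):
        try:
            with open(os.path.join(base, name), "rb") as fh:
                out[name] = fh.read().decode("utf-8", "replace")
        except OSError:
            out[name] = None
    return out


def parse_tz_log(text):
    """Extract version, QFPROM reads, activated-row data and app ids as ints."""
    info = {"qsee_version": None, "qfprom_reads": [], "es_rows": {}, "app_ids": []}
    for line in text.splitlines():
        m = _RE_VERSION.search(line)
        if m:
            info["qsee_version"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = _RE_QFPROM.search(line)
        if m:
            info["qfprom_reads"].append((int(m.group(1), 16), int(m.group(2), 16)))
            continue
        m = _RE_ES.search(line)
        if m:
            # keyed by row address: the log prints the same row more than once
            info["es_rows"][int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = _RE_APP.search(line)
        if m:
            info["app_ids"].append((int(m.group(1), 16), int(m.group(2), 16)))
    return info


def dump_and_parse():
    """On a device: read the real TZ log; elsewhere fall back to the sample."""
    base = find_tzdbg()
    text = read_tz_logs(base)["log"] if base else None
    return parse_tz_log(text if text is not None else SAMPLE_TZ_LOG)


if __name__ == "__main__":
    for key, value in dump_and_parse().items():
        print(key, value)
```

Run it with adb shell su -c 'python ...' on a rooted device, or just run it on a PC to see the parser work on the sample; the es_rows dict is what you would diff between two phones (or before and after a firmware update) to spot changes in the OEM config row.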
ryanbg said:
... I decided to do a little analysis of the PBA, and found a third chip labeled 'ARM', aside from the MDM9215 (CP) and APQ8064T (AP). The Hexagon DSP chip is a roughly 600 MHz processor (I believe) with Secure World access.
What do you mean?
The DSP is not a "chip"; it is part of the die of the APQ and MDM SoCs. The APQ doesn't have a "modem" on die, but that doesn't mean it doesn't have a DSP.
The 3rd chip you found, must be something else. Post a picture!
Remind what device you have there again?
Also, do you have a "true" /d/ device or is it symlinked to /sys/kernel/debug like it is on the 4.2.2 i9195. (I can't find such a directory, nor the log file, but I'm not done looking either.)
E:V:A said:
What do you mean?
The DSP is not a "chip"; it is part of the die of the APQ and MDM SoCs. The APQ doesn't have a "modem" on die, but that doesn't mean it doesn't have a DSP.
The 3rd chip you found, must be something else. Post a picture!
Remind what device you have there again?
Also, do you have a "true" /d/ device or is it symlinked to /sys/kernel/debug like it is on the 4.2.2 i9195. (I can't find such a directory, nor the log file, but I'm not done looking either.)
It appears this third chip is actually the PMIC chip. This is on a Galaxy S4. I thought it was a true debugfs but I guess I'm not sure.
Thanks @ryanbg for the explanation on things. I've followed the KNOX discussion over in the dev area, and now knowing what you posted it makes things a bit easier for me to understand going forward. I had an idea on things but needed clarifying in regards to how much this stuff affects the bootloader itself. I really hope this leads to unlocking or at least some kind of KEXEC solution, since the NC2 leak might very well get us that.
Qualcomm Secure Execution Communicator driver
E:V:A said:
What about the device /dev/qseecom ? Any idea how it is used?
Maybe that is well known, but.. there is driver code in the 'classic' kernel sources;
for example, the CAF version:
Code:
config QSEECOM
    tristate "Qualcomm Secure Execution Communicator driver"
    help
      Provides a communication interface between userspace and
      Qualcomm Secure Execution Environment (QSEE) using Secure Channel
      Manager (SCM) interface.

config QFP_FUSE
    tristate "QFPROM Fuse Read/Write support"
    help
      This option enables device driver to read/write QFPROM
      fuses. The ioctls provides the necessary interface
      to the fuse block. Currently this is supported only
      on FSM targets.
Relevant files:
Code:
...
qfp_fuse.c (9430 bytes)
...
qseecom.c (113933 bytes)
qseecom_kernel.h (1443 bytes)
qseecom_legacy.h (2556 bytes)
or Google's hammerhead kernel.
@E:V:A and @ryanbg, look at the attached file. This is the part of QSEE which works with QFuses.
Introduction:
After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifying your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.
This video applies, but on the Fascinate, you must hold the POWER button during the entire flashing sequence.
Instructions
You Must have UnBrickable Mod applied to your device. If you're not sure, run this tool under Linux: http://forum.xda-developers.com/showthread.php?t=1257434
This currently only works for Linux based computers, or Windows based computers with the proper drivers installed and a Linux virtual machine. Get Ubuntu here: http://www.ubuntu.com , get VirtualBox here: http://www.virtualbox.org/wiki/Downloads
You must have Java installed on your computer: http://www.java.com/en/download/
Unbricking:
1. Apply UnBrickable Mod to your device: http://forum.xda-developers.com/showthread.php?t=1288093
2. Run ModeDetect to verify your phone is in the proper mode: http://forum.xda-developers.com/showthread.php?t=1257434
You should see this while you hold the power button:
3. Run UnBrickable Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=710199&stc=1&d=1315173984 This will only work on linux currently. Install Linux or dual boot if you have windows.
If you are still holding the power button, you should see this on Mode Detect.
You can now disconnect your phone and move to a windows computer to use Odin or any other Samsung tool, or use Heimdall One-Click from Linux. Keep holding the power button!
4. Run Heimdall One-Click: http://forum.xda-developers.com/showthread.php?t=1288130 (or odin3 one-click),
5. repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).
conclusion
You've unbricked the unbrickable Fascinate. This should not have been difficult. If it was, you should learn the computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.
HIBL
The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...
Tools
Windows32 command line app and drivers http://forum.xda-developers.com/attachment.php?attachmentid=709292&stc=1&d=1315091523
Linux one-click Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=705515&stc=1&d=1315091523
4SEP11: added 32 bit, miscellaneous improvements to visuals
6SEP11: removed additional commands
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?
Basically: it allows loading any amount of data (limited by the size of a RAM block; the biggest single block available is 256MB) through the USB connection with a PC to any specified address in memory, and then executing it. This can be a fastboot bootloader + OS image, for example.
Technically: it consists of 2 pieces fused together, BL1_stage1 and BL1_stage2.
Each stage starts with 16 bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory; in stage2 they can be random (I nulled them in my code), so the EntryPoint of each stage starts at its 0x10 offset.
BL1_stage1, loaded at the 0xD0020000 address, is short code digitally signed by Samsung. It has been released to break the "Chain of Trust" and alter the Secure Boot into a Non-Secure Boot process. Literally, stage1 just does some compare operations and then jumps out to BL1_stage2. (Yes, I also see no point in releasing a hardware-secured CPU version together with software which bypasses its security.)
BL1_stage2 must be placed at the 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at offset 0x2000 of HIBL.bin). It is unsigned because the Secure Boot Context prepared by iROM (BL0) has already been ignored by stage1.
Its FASM_ARM source code:
http://code.google.com/p/hummingbir...unk/HummingBirdInterceptorBootloader/HIBL.ASM
This is where the code starts the real work. It begins with the standard ARM core jump vector table (just to stick to the standard; these aren't used anyway).
1. It uses the I9000 BL1_stage2 functions (init_system), which I linked to it; these are used to init the DMC controllers, as up to this point the code is executing in and working with the very tiny 96KB iRAM space. After calling this function all 512MB of RAM is available.
2. Make sure the DMC is configured properly (write some value to the 0x40~~ memory space, then read it and compare with the previously written value).
3. Reinit the iRAM heap to the BL0 initial state (to convince it USB dload mode hasn't been called yet), by storing and restoring the UART pointer only (to keep debug output flowing properly).
4. Call the iROM usb_downloader function.
5. Read the address where the downloaded data has been placed.
6. Jump to this address.
This, properly used, provides similar debug output (similar, because it's an outdated test log):
Uart negotiation Error
----------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
----------------------------------------
Calling IBL Stage2
DONE!
Testing BL3 area
DONE!
iRAM reinit
DONE!
Please prepare USB dltool with BL3
Starting download...
0x00000000
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3...
//OUTPUT BELOW IS COMING FROM SBL
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
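As an added example (not Rebellos' HIBL code and not from the linked repository), here is a small Python tool that splits an image laid out like HIBL.bin into its two stages using exactly the layout described above: stage2 at offset 0x2000, a 16-byte secure boot header at the start of each stage, and the entry point right after that header. Only the addresses and offsets come from the post; the sample image, its header words and the two ARM instructions used as filler are constructed here.

```python
"""Added example: dissect a HIBL-style two-stage image.  Layout constants are
taken from the post; everything else (sample headers, sample code) is made up."""
import struct

STAGE1_LOAD_ADDR = 0xD0020000                        # BL1_stage1 load address
STAGE2_OFFSET = 0x2000                               # stage2 offset inside HIBL.bin
STAGE2_LOAD_ADDR = STAGE1_LOAD_ADDR + STAGE2_OFFSET  # 0xD0022000
HEADER_LEN = 16                                      # 4 ARM words of secure boot header
ENTRY_OFFSET = 0x10                                  # code starts right after the header


class Stage:
    """One stage of the image: its header, its code and where it lands in iRAM."""

    def __init__(self, name, load_addr, blob):
        if len(blob) < HEADER_LEN:
            raise ValueError(f"{name}: blob shorter than its {HEADER_LEN}-byte header")
        self.name = name
        self.load_addr = load_addr
        self.header = blob[:HEADER_LEN]
        self.code = blob[HEADER_LEN:]
        self.entry = load_addr + ENTRY_OFFSET

    def header_words(self):
        """The header as 4 little-endian 32-bit ARM words."""
        return struct.unpack("<4I", self.header)


def split_hibl(image):
    """Return (stage1, stage2) for an image laid out like HIBL.bin."""
    if len(image) < STAGE2_OFFSET + HEADER_LEN:
        raise ValueError("image too small to hold both stages")
    stage1 = Stage("BL1_stage1", STAGE1_LOAD_ADDR, image[:STAGE2_OFFSET])
    stage2 = Stage("BL1_stage2", STAGE2_LOAD_ADDR, image[STAGE2_OFFSET:])
    return stage1, stage2


def build_sample_image(stage1_header, stage1_code, stage2_code):
    """Constructed image: stage1 header + code, padded with zeros up to the
    stage2 offset, then a zeroed stage2 header (as the post says) + stage2 code."""
    if len(stage1_header) != HEADER_LEN:
        raise ValueError("stage1 header must be exactly 16 bytes")
    stage1 = stage1_header + stage1_code
    if len(stage1) > STAGE2_OFFSET:
        raise ValueError("stage1 overruns the stage2 offset")
    return stage1.ljust(STAGE2_OFFSET, b"\x00") + bytes(HEADER_LEN) + stage2_code


def layout(image):
    """Summarise both stages as (name, load address, entry point, code length)."""
    return [(s.name, s.load_addr, s.entry, len(s.code)) for s in split_hibl(image)]


if __name__ == "__main__":
    # Constructed header words; a real stage1 header is Samsung-signed data.
    hdr = struct.pack("<4I", 0x2000, 0, 0, 0)
    img = build_sample_image(hdr,
                             b"\xfe\xff\xff\xea" * 4,    # ARM "b ." (branch to self)
                             b"\x00\x00\xa0\xe1" * 8)    # ARM nop (mov r0, r0)
    for name, load, entry, size in layout(img):
        print(f"{name}: load=0x{load:08x} entry=0x{entry:08x} code={size} bytes")
```

Point split_hibl at the real HIBL.bin and you get the same two objects; the stage1 header words are the ones the iROM checks, and the stage2 header is whatever the author put there (zeros, per the post), which is a quick way to confirm an image you are about to upload is really laid out the way the loader expects.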
Will a Wubi install of linux work? Certain windows programs prevent me from making the jump to linux again. Though I wish i could.
mentose457 said:
Will a Wubi install of linux work? Certain windows programs prevent me from making the jump to linux again. Though I wish i could.
Yes. You can use WUBI. That is the same as normal "side-by-side" or "dual boot" installation of Ubuntu but you can delete Ubuntu from within Windows.
Note: The hardware mod must be performed first in order to use the set of software above
I was informed last night that this is the ONLY recovery method available for the Fascinate. If you've got a dead brick, you have no other options at this time other than sending it to the manufacturer for a replacement.
Hello,
First off, this mod is NOT for users, but is helpful for developers only that would like to do cool stuff (i.e. port new kernels, etc.). Do not start hacking your phone unless you know what you are doing.
The msm7227 has an RS232 serial connection which is accessed via /dev/ttyMSM2. The issue is getting the pins on the board right, and this is because there is great confusion online about the actual pinout for these SEMC devices (probably because nobody has actually grabbed a serial tty on them).
Requirements:
- Solder iron, solder, flux (you know, the cool stuff )
- Small wires, single core ideally - not too large to avoid noise
- Multimeter: useful for checking if you've shorted pins that you are soldering (happens all the time )
- Steady hand, patience (I lack those actually)
- A 3.3V TTL RS232 adapter. I'm using the FT232RL USB to Serial board which works flawlessly. You could come up with other solutions too if you are into electronics via MAX232 or Arduino.
Important: do NOT wire the phone to the serial port of your PC - it can potentially burn up your phone!
Be careful while soldering; don't leave the iron on the connector for too long or you'll end up destroying it (as I did for two connectors while reverse engineering where the tty pins are).
So here's the pinout on the X8:
The connection should be like so:
Code:
Phone <-> Serial Adapter
Tx <-> Rx
Rx <-> Tx
GND <-> GND
Once soldered and connected, you can use any tty program under linux or windows that you like. E.g. minicom (linux) works great for me, it picks up the bootloader / kernel output instantly.
Connection details: Port: /dev/ttyUSB0, baud: 115200-8N1
Some cosmetics for harnessing the added wires:
s1loader log
Some interesting stuff now... here's the log from the moment the power button is pressed, until the kernel picks up:
Code:
S1 Boot stage 1
CONF_FUSE 0-4 = 0x0077fd4d 0x00040447 0x2004080f 0xb79cc2de 0x00000180
HW_REVISION_NUMBER = 0x203c00e1
OEM_ID = 0x00000001
SEMCSEC Secure Bootstrap "1229-3593 S1Boot MSM7227 CRH1099189_R8A029" (2010-06-01 12:17)
Detected memories:
SMI CS0: UNKNOWN 32MB LPDDR (SR 0x0000)
EBI1 CS0: UNKNOWN 32MB LPDDR (SR 0x0000)
EBI1 CS1: UNKNOWN 32MB LPDDR (SR 0x0000)
EBI2 CS0: Samsung 512MB NAND (0x00ec 0x00bc)
PMIC initialization iterations=0x00000001
bq24180 charger IC rev 1.1 detected
OTP User segment locked
OTP User segment locked
TA @ 0x08100000 (8*128kB)
Hardware Config: verification OK
MSN=CB511K1YZM IMEI=XXXXXXXXXXXXXX
OTP User segment locked
Service Mode Config From TA (ver 1.0): KEYS:1 USB:ON SERVICEMODE:USB SERVICE_PIN:ENABLED
VBus is low (not a "chinese charger"), SoftService is not asserted...
TA_ReadData FlaFla is set
S1 BOOT waiting for USB connection
s1_main_loop: No Service mode comm interface found!
Configuring long press:500
plf_bootos MSM7227
Startup reason before override: PWRKEY WDOG
Overriding default boot partitions: reason=0x00000011, mArm=0x00000005, aDsp=0x00000008, aArm=0x00000003
Partition table contents:
PartID Descr Attribs StartBlock NumBlocks UsedAs
0x00000001 S1Boot 0x00000022 0x00000000 0x00000008
0x00000002 TA 0x00000001 0x00000008 0x00000008
0x00000005 ModemSW 0x40000022 0x00000030 0x000000c0 mARM image
0x00000003 Linux 0x40000001 0x00000120 0x00000040 aARM image
0x0000000f Cache 0x80000001 0x000007d0 0x00000190
0x00000010 AppsLog 0xc0000001 0x00000ffe 0x00000002
0x0000000b FOTA0 0x40000022 0x00000010 0x00000010
0x0000000c FOTA1 0x40000022 0x00000020 0x00000010
0x00000006 ModemFS 0x40000001 0x000000f0 0x00000030 mARM-FS image
0x00000009 UserData 0xc0000001 0x00000960 0x0000069e
0x00000004 AppsFS1 0x80000001 0x00000160 0x00000670
ARM ELF image (0x0028), entry point @ 0x0db00000
SIN Verification of aARM failed!
ARM ELF image (0x0028), entry point @ 0x00208000
plf_ta_cmd_params()
Boot parameters found in config data
Commandline:serialno=CB511K1YZM console=ttyMSM0 startup=0x00000011.
Warmboot address calculated: 0x00200000
NAND MPU Partition 0 start:0x00000160 end:0x00000960
NAND MPU Partition 1 start:0x00000960 end:0x00001000
NAND MPU ON according to partition table
Jumping to code @ 0x0db00000, goodbye and thanks for all the fish...
Linux version 2.6.29.6-nAa-jb-03 ([email protected]) (gcc version 4.7.3 20121106 (prerelease) (Linaro GCC 4.7-2012.11) ) #1 PREEMPT Sat 2
Pinouts for mini:
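As an added example (not code from nobodyAtall's post or from the S1Boot loader), the following Python parses the partition table printed in the s1loader log above and checks that its entries tile the NAND with no gap and no overlap, then maps the two "NAND MPU Partition" ranges the loader prints back onto partition names. The rows are copied from the log; the 128 kB block size is an assumption taken from the "TA @ 0x08100000 (8*128kB)" line, and the 0x1000-block total is what "Samsung 512MB NAND" works out to at that block size.

```python
"""Added example: sanity-check the S1Boot partition table from the log.
BLOCK_SIZE is an assumption (see lead-in); the table rows are from the log."""
import re
from collections import namedtuple

BLOCK_SIZE = 128 * 1024   # assumed NAND erase-block size
TOTAL_BLOCKS = 0x1000     # 512 MB / 128 kB

# Rows copied from the s1loader log above (header line omitted).
PARTITION_TABLE = """\
0x00000001 S1Boot 0x00000022 0x00000000 0x00000008
0x00000002 TA 0x00000001 0x00000008 0x00000008
0x00000005 ModemSW 0x40000022 0x00000030 0x000000c0 mARM image
0x00000003 Linux 0x40000001 0x00000120 0x00000040 aARM image
0x0000000f Cache 0x80000001 0x000007d0 0x00000190
0x00000010 AppsLog 0xc0000001 0x00000ffe 0x00000002
0x0000000b FOTA0 0x40000022 0x00000010 0x00000010
0x0000000c FOTA1 0x40000022 0x00000020 0x00000010
0x00000006 ModemFS 0x40000001 0x000000f0 0x00000030 mARM-FS image
0x00000009 UserData 0xc0000001 0x00000960 0x0000069e
0x00000004 AppsFS1 0x80000001 0x00000160 0x00000670
"""

Part = namedtuple("Part", "id name attribs start num used_as")

_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"
    r"(0x[0-9a-fA-F]+)(?:\s+(.*\S))?\s*$"
)


def parse_table(text):
    """Turn PartID/Descr/Attribs/StartBlock/NumBlocks[/UsedAs] rows into
    Part records; lines that are not rows (e.g. the header) are skipped."""
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        parts.append(Part(int(m.group(1), 16), m.group(2), int(m.group(3), 16),
                          int(m.group(4), 16), int(m.group(5), 16), m.group(6)))
    return parts


def check_layout(parts, total_blocks=TOTAL_BLOCKS):
    """Return a list of problems; empty means the partitions exactly tile
    [0, total_blocks) with neither overlap nor gap."""
    problems = []
    expect = 0
    for p in sorted(parts, key=lambda p: p.start):
        if p.start < expect:
            problems.append(f"overlap: {p.name} starts at block 0x{p.start:x}, "
                            f"previous partition ends at 0x{expect:x}")
        elif p.start > expect:
            problems.append(f"gap: 0x{p.start - expect:x} unused blocks before {p.name}")
        expect = max(expect, p.start + p.num)
    if expect != total_blocks:
        problems.append(f"table ends at block 0x{expect:x}, device has 0x{total_blocks:x}")
    return problems


def byte_range(p):
    """(start, end) byte offsets of a partition, end exclusive."""
    return (p.start * BLOCK_SIZE, (p.start + p.num) * BLOCK_SIZE)


def partitions_in(parts, start_block, end_block):
    """Names of partitions lying entirely inside [start_block, end_block),
    in address order; decodes the 'NAND MPU Partition' ranges the loader prints."""
    inside = [p for p in parts if p.start >= start_block and p.start + p.num <= end_block]
    return [p.name for p in sorted(inside, key=lambda p: p.start)]


if __name__ == "__main__":
    parts = parse_table(PARTITION_TABLE)
    print("layout problems:", check_layout(parts) or "none")
    print("MPU partition 0 (0x160-0x960):", partitions_in(parts, 0x160, 0x960))
    print("MPU partition 1 (0x960-0x1000):", partitions_in(parts, 0x960, 0x1000))
    for p in sorted(parts, key=lambda p: p.start):
        lo, hi = byte_range(p)
        print(f"{p.name:9s} 0x{lo:08x}-0x{hi:08x} {p.used_as or ''}")
```

With the rows as printed, the table comes out gap-free and sums to exactly 0x1000 blocks, and the two MPU ranges cover AppsFS1+Cache and UserData+AppsLog respectively, which is consistent with the loader applying write protection to the Android-visible partitions as a unit. Feed it a table from a different firmware (or an edited one) and check_layout tells you where the entries collide.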
Can't believe this!!!
bro, you are crazy
thats great...
This is a good xmas gift
P.S.: Merry Christmas!
Firstly I thought you made a 4.2 rom then I realised that you are crazy...cool work and merry Christmas
PS: just realised I spammed, sorry, won't happen again
Sent from my E15i using xda app-developers app
Daveee10 said:
bro, you are crazy
thats great...
This is a good xmas gift
P.S.: Merry Christmas!
Almost killed my shakira, but it was worth it
@all, please only post contributing stuff - don't clutter the thread.
- More pics uploaded.
- Bootloader log captured. Output is hmm... interesting
Glad to see that you have the black color of the X8 too
First of all, impressive work @nobodyAtall. You must have kind of huge balls to do so.
These days, I've been trying to modify CMDLINE from the kernel to edit the mtdparts parameter and, therefore, to resize MTD partitions. This way, it would be possible to reduce the system and cache partitions in favour of data. Unfortunately, I didn't succeed, but I still don't know if it was because of a wrong kernel (I tried to compile Alfs, which is so [irony]easy[/irony] to compile) or something else...
I haven't tried with yours because your Git source seemed to be a little outdated.
Anyway, as I've seen in the output you posted, partitions are already set by default, leading me to think it is not possible to modify them through the kernel command line.
Have you ever thought about this before?
GaBOr1 said:
First of all, impressive work @nobodyAtall. You must have kind of huge balls to do so.
These days, I've been trying to modify CMDLINE from the kernel to edit the mtdparts parameter and, therefore, to resize MTD partitions. This way, it would be possible to reduce the system and cache partitions in favour of data. Unfortunately, I didn't succeed, but I still don't know if it was because of a wrong kernel (I tried to compile Alfs, which is so [irony]easy[/irony] to compile) or something else...
I haven't tried with yours because your Git source seemed to be a little outdated.
Anyway, as I've seen in the output you posted, partitions are already set by default, leading me to think it is not possible to modify them through the kernel command line.
Have you ever thought about this before?
Hi,
Outdated in terms of what? All kernels for these devices are 2.6.29 - they are indeed outdated. The nAa-jb has all that's needed for Jellybean and great performance.
@partitions
Changing the mtdparts via cmdline is absolutely possible. This is how I got the extra /system space needed for jellybean. The problem is that it breaks existing installations cause you are altering the default partitioning - therefore it's not suggested. People have to format all partitions before getting out of the kernel with the modded ones.
Don't mind the partitioning the s1loader says - those are of the internal nand as hardcoded via s1loader. My guess is that they can be exposed to userspace.
EDIT: pinouts for x10mini posted.
Now our X8 can get kernel 3?
nobodyAtall said:
Hi,
Outdated in terms of what? All kernels for these devices are 2.6.29 - they are indeed outdated. The nAa-jb has all that's needed for Jellybean and great performance.
@partitions
Changing the mtdparts via cmdline is absolutely possible. This is how I got the extra /system space needed for jellybean. The problem is that it breaks existing installations cause you are altering the default partitioning - therefore it's not suggested. People have to format all partitions before getting out of the kernel with the modded ones.
Don't mind the partitioning the s1loader says - those are of the internal nand as hardcoded via s1loader. My guess is that they can be exposed to userspace.
EDIT: pinouts for x10mini posted.
¡Oh! Don't misunderstand me, please. What I tried to mean is your GitHub nAa-kernel repository's last commit is "nAa-13", while latest version of this kernel is v14. That's why I said it seemed a bit outdated.
And as far as MTD partitioning is concerned, I already knew the possible risks of doing it, but these devices have such tiny internal storage and they waste that much space in system and cache partitions that I thought about resizing them.
So, let me thank you one more time for your time.
nobodyAtall if you ever come to Croatia I will give you free holidays at my place in Zadar.
Keep up the good work
I have been to Zadar; that place has good beaches... nice offer, maybe I will drop by so we can hang out
Sent from my E15i using xda app-developers app
@mn31pro: no, this does not mean we will get kernel 3.x. But this method makes kernel development easier. We can build any kernel newer than the old .29 branch, but these kernels don't boot. Now nAa has given us a tool which is a big help in finding the boot problems with newer kernels.
@GaBOr1: the nAa-13 commit has the latest changes. nAa-14 contains only ramdisk changes for SDE (only a new init binary with the drm usergroup added to start the drmframework service in init.rc). So, the binary part of the kernel is the same in nAa-13 and 14.
Sent from my E15i using xda app-developers app
pilu1978 said:
@mn31pro: no, this does not mean we will get kernel 3.x. But this method makes kernel development easier. We can build any kernel newer than the old .29 branch, but these kernels don't boot. Now nAa has given us a tool which is a big help in finding the boot problems with newer kernels.
@GaBOr1: the nAa-13 commit has the latest changes. nAa-14 contains only ramdisk changes for SDE (only a new init binary with the drm usergroup added to start the drmframework service in init.rc). So, the binary part of the kernel is the same in nAa-13 and 14.
Sent from my E15i using xda app-developers app
I think the biggest problem with new kernels not booting is that we don't have fastboot
great work...
we should develop an apk for getting extra features....
If I'm correct this info can be used for porting newer kernel versions like 3.0.x etc. It will be hard but I've seen a similar thread on the G3 forum, so I'm guessing this is for the same purpose. It can also be used to debug the kernel. Please correct me if I'm wrong.
EDIT: And thanks to snip3rboy I just realized that I said almost exactly what pilu1978 said in his last post here. LOL.
sgt. meow said:
If I'm correct this info can be used for porting newer kernel versions like 3.0.x etc. It will be hard but I've seen a similar thread on the G3 forum, so I'm guessing this is for the same purpose. It can also be used to debug the kernel. Please correct me if I'm wrong.
lol, check post #15
Lukenda said:
i have been to zadar,that place has good beaches...nice offer maybe i will drop by so we can hang out
Sent from my E15i using xda app-developers app
i will drop by too
...sorry for ot
Hi,
I've started to investigate what is needed to build CyanogenMod 11 for the slte. I need to understand what we need to compile for exynos5430. There are extra repositories available. If anybody knows how to port a ROM or knows C/C++ and wants to work together, feel free to contact me! Reading and understanding strace output is essential.
I will post my progress in this thread.
TODO
# RIL
Add WB (wide band) support to audio ril and add missing mixer values to mixer_paths.xml (WORK IN PROGRESS)
Test usb and wifi tethering.
Fix VoIP calls
# WIFI
Try to find a better solution for getting wifi working. Currently it is a hack in the wifi nl80211 driver. We should check if the kernel can indicate that the p2p device can't be set into station mode.
Revisit macloader and network patches to set nvram path. Maybe only the macloader should set the path. (WAITING FOR REVIEW)
# Media
Fix video decoding
Fix video recording
# CMHW (Samsung specific hardware configuration)
Add BOARD_HARDWARE_CLASS += hardware/samsung/cmhw in BoardConfig.mk
VibratorHW.java is wrong, copy to device tree and modify it? Check other devices how to fix it.
# MMS
Create overlay/packages/apps/Mms/res/xml/mms_config.xml
# Audio
Revisit sound recording, capture volume too low?
Check if CM DPS Manager is working.
Do we need voicefx in audio_effects.conf
# USB OTG
Fix attaching usb sticks and disks with CM. Need to look what CM expects and then fix init.rc
# MTP
MTP doesn't work; it doesn't use the standard MTP gadget driver.
Debug MTP server and driver to find out what is going wrong ...
mtpg_read() fails with a dev error and returns EIO ...
# NFC
Get NFC working (low priority) (maybe remove it, needs too much battery)
# DRM
Try to fix mobicore
If you know how to write C code or Java code, please pick an item and send patches. The java task is to reverse engineer the MTP server code. Use JAD for this. The rest is C/C++ code. You should know how to use strace and gdb.
-- modpunk
Package Complete: /home/asn/workspace/projects/cyanogenmod/system/out/target/product/slte/cm-11-20141109-UNOFFICIAL-slte.zip
My USB OTG cable should arrive tomorrow, then I can do a backup of the stock ROM and see if CM will boot. The slte SoC looks similar to the manta SoC. At least they have the same GPU. Maybe it works with the 4250 sources ...
It doesn't look good. The hardware is much more different from exynos5420 than thought. I'm not sure if a port is possible without deeper insight into the SoC.
You said you tried it with the manta kernel? That's the Google Nexus 10 with an Exynos 5250?
I think the Google Note 3 or Google Note 10.1 2014 might be better choices to start with; they use the Exynos 5420. From what I see, it looks like the 5430 is an advanced version of it using the 20nm process.
Both are octa-cores where every core is accessible.
- there seems to be a CyanogenMod repository holding 5420 kernel code...
On Samsung OSRC there seems to be source code for the Alpha available, but I can't download it, and can't make a login; I can't make a password that is accepted by that page... weird.
DThought said:
You said you tried it with the manta kernel? That's the Google Nexus 10 with an Exynos 5250?
No, I didn't. I tried it with the manta hardware support, which is an exynos5420 chip. I fixed the kernel sources for the slte and it is working just fine.
DThought said:
I think the Google Note 3 or Google Note 10.1 2014 might be better choices to start with; they use the Exynos 5420. From what I see, it looks like the 5430 is an advanced version of it using the 20nm process.
The GPU seems to be different too. I've looked at the sources and the kernel interfaces they access are different too.
I have that kernel running already. I have to dive deeper. Maybe just the HDMI support is different and we don't need that.
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G850F
Two painfully slow download links. I haven't had much experience with Samsung source before; is there a difference between the two variants listed for download that I'm missing before I start to download one? I note one has SEA in the title of the file and the other doesn't.
You need the KK version. At least the source is cleaner. However, it needs a bunch of bugfixes before it even compiles! You can find my kernel tree (with fixes) here:
http://git.cryptomilk.org/projects/android/android_kernel_samsung_slte.git/log/?h=cm-11.0
This kernel is running on the recovery and I'm working on the exynos5 sources to prepare them for this kernel. I'm currently trying to fix hwcomposer so it works with decon-fb.
modpunk said:
It doesn't look good. The hardware is much more different from exynos5420 than thought. I'm not sure if a port is possible without deeper insight into the SoC.
Well, two days later the world looks different ...
modpunk said:
Well, two days later the world looks different ...
Congratulations man!
As I've said earlier, I'm glad to have a dev like you on our device
modpunk said:
Well, two days later the world looks different ...
Dude. Awesome. Tell me there's some way I can donate to show my appreciation? Can't wait to try it out man. Keep it up!
tnicko said:
Dude. Awesome. Tell me there's some way I can donate to show my appreciation? Can't wait to try it out man. Keep it up!
Thanks, the question is if I will get it fully working. It is still a long way to go. However there is a donation button on the left I guess ...
modpunk said:
Well, two days later the world looks different ...
you are the man m8, nice job
as neofral said, nice to have you here
ps. if you lack a tester I'm here... also, will your kernel work only with Cyan or with TW?
Awesome dude !
Downloading sources at 9kb/sec so should be done sometime this year !!
Sent from my SM-G850F
Congratulations from France !
Are you on FreeNode ?
Is there a channel we can hang in and collaborate in ?
DangerMUK said:
Are you on FreeNode ?
Is there a channel we can hang in and collaborate in ?
Yes, I am. I can't get Wifi working and I don't know what is going wrong. I suspect it is a kernel issue because I don't get any messages in the kernel ring buffer. No work till next week ....
Could you post us some experimental build? I'm sure all of us would appreciate it.
What for? The only thing which works is that it boots. Everything else is broken, so what I will get is a load of bug reports telling me nothing works.
The sources are available. If you want to help with development, feel free to build it yourself.
I will try to publish the changes to the exynos5 tree soon.
I still do not understand how Android sends the START command to the wifi driver to give it power and load the firmware and start it up. If someone could shed some light on this it would be really helpful!
modpunk said:
I still do not understand how Android sends the START command to the wifi driver to give it power and load the firmware and start it up. If someone could shed some light on this it would be really helpful!
can you look at this page and see if you get your answer?
http://blog.linuxconsulting.ro/2010/04/porting-wifi-drivers-to-android.html
edit: also this one is interesting http://boundarydevices.com/android-wlan-the-rest-of-the-story/
and this:
Wifi module initialization:
When SystemServer starts, it generates an instance of ConnectivityService; the ConnectivityService constructor creates WifiService, and WifiStateTracker creates WifiMonitor to receive events from the underlying layer. WifiService and WifiMonitor are the core of the whole module. WifiService is responsible for starting wpa_supplicant itself (which is a bit more tricky), for starting the WifiMonitor monitor thread and for sending commands to wpa_supplicant; WifiMonitor is responsible for receiving event notifications from wpa_supplicant.
WiFi module start:
WirelessSettings initializes the configuration of the Wifi button via WifiEnabler.
When the user presses the WiFi button, Android calls WifiEnabler's onPreferenceChange, and WifiEnabler then calls the WifiManager setWifiEnabled interface function; via AIDL this actually calls the WifiService setWifiEnabled function. WifiService then sends itself a MESSAGE_ENABLE_WIFI message, and the message handling code does the real enabling work: first, load the WiFi kernel module (the module path is hard-coded as "/system/lib/modules/wlan.ko"), then start wpa_supplicant (with the hard-coded configuration file "/data/misc/wifi/wpa_supplicant.conf"), then WifiStateTracker starts the monitor thread WifiMonitor.
from here: http://www.programmershare.com/3736477/
I know, it's kinda old model from Docomo but still there's no any info out there for rooting and unlocking. Mr. fi01 has made a bunch of tools for other models of Docomo phones but not for this one. So, I wonder if it's possible at all. Ideally, I wanted to get the root and unlock the bootloader to install my custom firmware (e.g., Cyanogen). Tried some roots by fi01, but none of them worked. And I cannot get any answer from him.
I could contribute some money for it (within reasonable limits, ofc.).
OneClickRoot, this website says root is done.
After root, how to unlock the SIM?
o759 said:
OneClickRoot, this website says root is done.
Really? I have tried a bunch of modern rootkits and exploits and none of them worked. But I figured out how to get root with some private exploit, based on RowHammer attack. Here's my long conversation with fi01 about rooting F-01F: https://github.com/android-rooting-tools/android_run_root_shell/issues/42
Do you have # sign in adb shell and both uid and gid = 0? If yes, then you are root for sure.
But there are still no rights to mount /system as rw because of SELinux and the fjsec LSM thing. I'm trying to overcome that but it's not that easy.
Sorry, I don't know how to do SIM unlocking. My phone was already unlocked when I bought it.
There appeared some videos for rooting F-01F on older firmwares (Android 4.2.2 JellyBean, build # V32R63C).
https://www.youtube.com/watch?v=bfpBeUTShhg
https://www.youtube.com/watch?v=kAM2U1hkqng
https://www.youtube.com/watch?v=PvHot7Oo62Q
Sadly I had no success with that 'cause I'm on V10R22A and those rooting tools don't work.
Arrows NX F-01F is now rooted with shouhuanguanli.apk. Indian FB group. If you need more info, PM me on Facebook Messenger: "Mijery NyTontolo"
NB: you need to repeat the process if it fails (one person: 23 times, but I have root now)
Lez16 said:
Arrows NX F-01F is now rooted with shouhuanguanli.apk. Indian FB group. If you need more info, PM me on Facebook Messenger: "Mijery NyTontolo"
NB: you need to repeat the process if it fails (one person: 23 times, but I have root now)
This is Dianxinos Superuser app. But as I said earlier it's not working for KitKat firmwares (Android 4.4.2, build # V10R22A), because there's PXN enabled and no known way to disable fjsec LSM. On older builds there's no PXN, so ping pong exploit may be used (which seems to be already integrated into Dianxinos, OneClickRoot, KingRoot and others).
Well, anyway I tried to run Dianxinos apk many times. It cannot gain root:
Please, could you tell what's your build #? (Settings -> About phone -> Build number (at the very end))
HW root
I have attempted to do hardware root but failed. :crying: It was an interesting undertaking, but almost impracticable.
For reference I used these two wonderful articles: Hacking Hardware with a $10 SD Card Reader and eMMC Adventures, Episode 1: Building my own 64GB memory card with a $6 eMMC chip. Moving in steps through the papers, I determined that the eMMC in the F-01F comes in two versions:
1. Toshiba THGBMAG8A4JBA4R, JX4135, Japan 1337KAE
TH: Toshiba NAND
G: Packaged as IC
B: Vcc (Flash power supply) = 3.3 V, VccQ (controller/interface power supply) = 1.8 or 3.3 V
M: eMMC device
A: Controller revision A
G8: 32 GB
A: ? NAND Flash
4: 4-stacked dice (4 8GB chips)
J: ?nm A-type Flash
BA: Lead-free and halogen-free
4: ? temperature grade (? to ? degrees Celsius)
R: package size = ?
2. Samsung KLMBG4GEAC-B001
Here's a photo of the PCB with eMMC revealed:
Both chips are completely interchangeable and share the same pinout. Another two chips on the picture are RAM, which is Samsung K3QF2F20DA-QGCE, 334, 1338 DUO28, GFF0539N, and the camera controller / media processor / ARM core, which is Fujitsu MBG046C E1, 1330 SLC.
Knowing that, I whittled down the eMMC chip to see the contact pads, where the balls were located. After that I traced some pins and got that image:
The power and ground pins could be seen here:
As you may see, DAT0 is quite difficult to solder to (you may need a soldering iron with a very thin tip). But the real hardcore is both CMD and CLK as they are located at the tiny resistors' ends in the very corner between eMMC and bigger resistors. For the better understanding here's a photo with those little resistors completely removed:
So it appears to be practically impossible to get the wires soldered to CMD and CLK without damaging other components. A spoon of tar is the compound which covers some of the resistors. I doubt the most virtuoso in electronics could do that task (almost the same complexity as unsoldering an eMMC and soldering it back). That's why I should stop at HW rooting. Maybe someone finds those pictures useful and does some further exploration.
Help!!!
Please help me root the Fujitsu F-01J.
I'd like to report that F-01F (V10R22A) is rooted now using CVE-2017-8890 exp: https://github.com/dadreamer/CVE-2017-8890. I adapted the exp from thinkycx with some tricky ROP chain to overcome fjsec protection. The LSM and SELinux are still in place after the system restart, so it's a subject for bootloader unlocking and the system modification, but no progress is made for that yet.
dadreamer said:
I'd like to report that F-01F (V10R22A) is rooted now using CVE-2017-8890 exp: . I adapted the exp from thinkycx with some tricky ROP chain to overcome fjsec protection. The LSM and SELinux are still in place after the system restart, so it's a subject for bootloader unlocking and the system modification, but no progress is made for that yet.
Is there any more progress for now?
fiefie7 said:
Is there any more progress for now?
If you mean the bootloader unlocking, then no more work will be done for that. One of my devices is almost dying due to the bad battery and the second is SIM-locked and software bricked. Therefore I'm not going to spend my resources for these obsolete phones anymore.
well, that's too bad...
Hey, hopefully I'm posting in the correct sub section; if not, can a mod please move this. First off, just want to say thanks for the information I've gotten lurking the past few months. I'm basically completely new, learning basic coding etc. Sorry for the rant; my question is I've been experiencing some cyber attacks which are very confusing and a long story... I'll try to keep it short...
Currently I'm on an old Samsung A21 (buying the A54 when it comes out soon); my wife has a Samsung A53. Both phones have toybox installed but this wasn't flashed by me. I flashed her phone with the stock firmware last week to attempt to rid the hacking on it. Is it even possible to flash toybox remotely? I wouldn't think so, as you would need to have several things lined up plus it connected to a PC. Nearly every device in my house has been corrupted, down to smart watches, Bluetooth low energy devices, and especially computers. All of my PCs' registries are completely infected. My wife swears this is not her and has no idea how to do any of this. I have my suspicions with certain "coincidences" happening which are too numerous to name. Sorry for posting this here but I don't know where else to ask. If anyone could even point me in the right direction I'm willing to put in work. I've called professionals that basically advised me to trash everything. That's all fine and dandy but I need to understand this issue to prevent it from happening again. The scope of this issue is way over my head but I've made decent progress in the last three months. I'll check out the toybox guides here to see if that offers some clues.
Thanks in advance for any advice.
Since you didn't write specific facts, I'll just answer about toybox.
Toybox has been on Samsung phones for a long time and is a system application without the ability to manually do an update.
Toybox - Wikipedia (en.m.wikipedia.org)
Hey, thanks for the reply. I didn't understand it was native to Android. Would it be normal to have toybox version 0.8.4? I'll attach a picture; maybe you can give me a little direction to go in. My phone's able to be controlled remotely, modded apps, some weird things going down. Thanks again, I'm pulling my hair out looking commands up.
Ace1222 said:
(...) Would it be normal to have toybox version 0.8.4? I'll attach a picture maybe you can give me a little direction to go in. My phones able to be controlled remotely,modded apps, some weird things going down. (...)
Could you please ask the questions precisely?
There is nothing special in the attached picture.
You want to just do:
Code:
$ setenforce 0
But it probably won't let you do that because your shell is not root.
Ace1222
Toybox has been a default component of the Android OS since Android 6: it replaced the former Toolbox. Toybox is located either in the /system or in the /vendor partition.
The latest Toybox version is 0.8.9 (contains the SU cmdlet) and can be downloaded from here:
Index of /toybox/bin (landley.net)
Renate said:
You want to just do:
Code:
$ setenforce 0
But it probably won't let you do that because your shell is not root.
This only temporarily disables SELinux, which isn't needed when updating the Toybox binary.
jwoegerbauer said:
This only temporarily disables SELinux, which isn't needed when updating the Toybox binary.
I was only correcting the syntax on the OP's post #3.
jwoegerbauer said:
This only temporarily disables SELinux, which isn't needed when updating the Toybox binary.
How is the user supposed to update the binary file when there is no root?
I never said here that rooting Android is not needed to update the Toybox binary.
To clarify things:
1. Obtaining root only gives you the ability to modify the system, e.g. mounting partitions as RW.
2. SELinux is a completely different entity. Whether a device's SELinux state can be changed is written into the device's kernel. The kernel is a part of the ROM. It determines whether or not the device is permitted to change its SELinux state.
jwoegerbauer said:
I never said here that rooting Android is not needed to update the Toybox binary.
To clarify things:
1. Obtaining root only gives you the ability to modify the system.
2. SELinux is a completely different entity. Whether a device's SELinux state can be changed is written into the device's kernel. The kernel is a part of the ROM. It determines whether or not the device is permitted to change its SELinux state.
OK.
jwoegerbauer said:
This only temporarily disables SELinux, which isn't needed when updating the Toybox binary.
How is user Ace1222 supposed to update the binary file when he does not have root, as you can see in the screenshot?
The user did not write that he has/wants root.
If you would carefully read my posts -> the solution was already implicitly given by me: make use of temporary root!
jwoegerbauer said:
If you would carefully read my posts -> the solution already implicitely was given by me: make use of temporary root!
Since you did/know how to do it on the Samsung Galaxy A21 and on the Samsung Galaxy A53 without burning the KNOX flag, just write. The user did not ask for it, but since you are advising, advise completely.
@jwoegerbauer
OP is not asking for updating toybox
there is no such "temporary root" for Android on real devices (such as smartphones and tablets)
the toybox linked cannot replace the Android version of toybox
toolbox holds Android-specific applets (such as getevent) and cannot be replaced by toybox
2 &amp; 3: You're absolutely wrong. I kindly ask you to stop spreading nonsense, TIA.
4: Yes, Toybox doesn't contain the getevent cmdlet as Toolbox does, but that's absolutely irrelevant here.
get yourself a smartphone and learn the basics. I will pay $100 if you show any proof of your magic temporary root.
Sorry for causing any tension and debates here, guys. I am interested in root access if that's what's needed. I'm totally ignorant and can sort of follow along with what was posted. For clarification, I don't have access to the ROM folder, even for read privileges. My intent is to figure out how/why my devices are being manipulated. E.g. why are there custom apps, partitions, user profiles, and different access levels to folders that aren't in the root directory? Obviously my devices have been tampered with but I'm too ignorant to provide the information to help you help me.
Renate said:
You want to just do:
Code:
$ setenforce 0
But it probably won't let you do that because your shell is not root.
Yeah I tried that days ago and like you expected permission denied...
on bootloader-locked devices the system cannot be modified. Samsung devices are secure; a simple factory reset will remove all potential malware. Just don't use the same Samsung/Google accounts again afterwards and do not restore backups of apps you don't know.