Wierd ELF files used by QPST - Android Q&A, Help & Troubleshooting

Hi all,
For some reason I want to modify the bootloader on my device(Lenovo Zuk Z2 plus, which has SnapDragon 820, MSM8996). I have research a little bit and got a snippet of assembly code that I believe appears in the bootloader, and I hope to replace.
So I believe the xbl.elf file in the stock ROM, which is to be flashed by QPST, is the bootloader I hope to hack. My plan:
1. Interpret the file xbl.elf
2. find the snippet of code I hope to replace
3. replace the snippet of binary with some cooler binary.
So here is the result of `readelf -a xbl.elf`:
Code:
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: AArch64
Version: 0x1
Entry point address: 0x6213f10
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 17
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
NULL 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000003f8 0x0000000000000000 0
NULL 0x0000000000001000 0x0000000085eec000 0x0000000085eec000
0x0000000000001b48 0x0000000000002000 1000
LOAD 0x0000000000003000 0x0000000006208000 0x0000000006208000
0x00000000000567b4 0x00000000000567b4 R E 10000
LOAD 0x00000000000597c0 0x000000000625f000 0x000000000625f000
0x0000000000009a58 0x0000000000009a58 RW 10000
LOAD 0x0000000000063220 0x000000000626a000 0x000000000626a000
0x0000000000000000 0x00000000000052a8 RW 10000
LOAD 0x0000000000063220 0x0000000085e00000 0x0000000085e00000
0x0000000000000000 0x0000000000024da0 RW 10000
LOAD 0x0000000000063220 0x0000000006680000 0x0000000006680000
0x00000000000029d0 0x00000000000029d0 R E 10000
LOAD 0x0000000000065bf0 0x0000000006683000 0x0000000006683000
0x0000000000000694 0x0000000000000694 RW 10000
LOAD 0x0000000000066290 0x000000000021e000 0x000000000021e000
0x0000000000005e54 0x0000000000005e54 R E 10000
LOAD 0x000000000006c0f0 0x00000000066a2000 0x00000000066a2000
0x0000000000000000 0x0000000000012400 RW 10000
LOAD 0x000000000006c0f0 0x0000000085e80000 0x0000000085e80000
0x00000000000282ee 0x00000000000282ee R E 10000
LOAD 0x00000000000943e0 0x0000000085ec0000 0x0000000085ec0000
0x000000000002b9a0 0x000000000002b9a0 RW 10000
LOAD 0x00000000000bfd80 0x0000000085eb0000 0x0000000085eb0000
0x0000000000000000 0x00000000000099e8 RW 10000
LOAD 0x00000000000bfd80 0x0000000080200000 0x0000000080200000
0x00000000000f0000 0x00000000000f0000 RWE 1000
LOAD 0x00000000001afd80 0x0000000000207000 0x0000000000207000
0x000000000000ebe1 0x000000000000ebe1 R E 10000
LOAD 0x00000000001be970 0x0000000000217800 0x0000000000217800
0x00000000000004c8 0x00000000000004c8 RW 10000
LOAD 0x00000000001bee40 0x0000000000219800 0x0000000000219800
0x0000000000000000 0x00000000000001d0 RW 10000
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type AArch64 is not currently supported.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
So as you can see, this elf file is quite uncommon. Anyone has any idea how to interpret this file? Thanks!

Solved
Nevermind, I simply regard this file as binary and disemble it:
aarch64-linux-gnu-objdump -b binary -D xbl.elf -maarch64
And the assembly is crystally clear!

Related

[Q] Bootloader /dev/block/mmcblk0p1 no executable content?

I ran the following command while ssh'ed into my Atrix 4G and do not understand why it contains only ff's or 00's for entire partition (no executable code)???
dd if=/dev/block/mmcblk0p1 of=bootloader_mmcblk0p1.img
/mnt/sdcard-ext/root_recovery_orig # uname -a
Linux localhost 2.6.32.9 #3 SMP PREEMPT Thu Sep 22 10:52:13 CST 2011 armv7l GNU/Linux
/mnt/sdcard-ext/root_recovery_orig # ls -al
total 40193
----rwxr-x 1 system sdcard_r 3670016 Nov 30 10:37 bootloader_mmcblk0p1.img
scp'ed bootloader_mmcblk0p1.img to my linux box and ran the following commands:
# hexdump -C bootloader_mmcblk0p1.img
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00380000
# strings bootloader_mmcblk0p1.img
NO Strings found because entire partition only contains ff or 00
Follows is the strings command on the dd'ed boot.img for a sanity check.
# strings boot.img | less
ANDROID!p
-- System halted
ran out of input data
Malloc error
Out of memory
incomplete literal tree
incomplete distance tree
bad gzip magic numbers
internal error, invalid method
Input is encrypted
Multi part input
Input has invalid flags
invalid compressed format (err=1)
invalid compressed format (err=2)
out of memory
invalid compressed format (other)
crc error
length error
Uncompressing Linux...
done, booting the kernel.
NOTE: remainder of strings command output not shown.....
Questions:
/dev/block/mmcblk0p1 is the bootloader partition?
If so, why does it appear to not have any executable code?
Is dd being tricked in some way and NOT actually getting the content of partition 1?
If so, is there anyway to dd the actual content of partition 1?
Somewhat off topic but related questions:
Assuming the bootloader is signed where is the PKI public key/Digital Certificate/Digital Signature/hashing algorithm stored on the phone? How are they protected?
Is there a pre-bootloader that checks the Digital Signature of the bootloader partition? If so, where is the pre-bootloader located? How is it protected from tampering?
Regards, Ron
Is the bootloader available via busybox dd from the phone?
I sure would like to examine/backup the content of the Motorola Atrix 4g delivered bootloader code. Is there any way of getting a copy of it from the phone using DD (or any other method from a rooted/NOT unlocked phone)?? I thought at least part of the bootloader was in partition 1 of the on board EMMC NAND flash /dev/block/mmcblk0p1?? It appears the bootloader code is either NOT in partition 1 or DD is NOT allowed to access the code. I am basically trying to understand what happens in the VERY first stages of the boot process after power on (in detail).
Signed Confused, Ron
PS, I assume some of the developers (with great knowledge) views this forum from time to time?

kali for note 10.1 why not us

Check this out: http://docs.kali.org/armel-armhf/kali-linux-on-galaxy-note
I looked over the recovery and thought it looked ok (though thats an area i usually leave to pros), and attempted to make a x86 image so altering
Code:
dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p6
and inputting this
Code:
dd if=/dev/block/mmcblk0p11 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p11
then I rebooted and it hung up at the samsung galaxy tab 3 screen
How hard would it be to rewrite the recovery image linked to there to work on our device. Or if its in good shape I guess i screwed up making my x86 image of Kali any input of on either subject would be appreciated.
Had an idea as soon as I reflash and reroot and download a couple more files and reboot and finish updating this laptop I'm working on, ill try to break my gtab again
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Setialpha said:
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Click to expand...
Click to collapse
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
hey
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
are you still up for this ?
i tried the same thing, i also tried swapping out the zimage from the kali recovery with p5210 stock
then changed any mmcblk refs i found in the init and instead of screen hang got it reboot, [over and over]
but didn't catch. this is totally doable and i wish i'd found this thread before starting another on the same subject.
but anyway i could go on forever.....we need to recruit people somehow... i would like a setup on this
tab so i could distro hop like i used to on pc :good:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
xkwr27 said:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
Click to expand...
Click to collapse
good deal, okay noob warning, but gleefully brick happy tester here.
right now i on the samsung open source site looking p5210 but not sure which
git-hub isn't an option for me as my surviving pc is a bit screwy but i still want to see the source
and try to get what the devs are saying, anyway i'm glad to hear from you
just thought i'd let you in on what i'm up to. hope to get something working.
:good:
do i need to get ubuntu 64bit for kernel stuff?
If you plan to tear into the recovery.img you'll need linux I use debian or debian based distro's, but ubuntu will work just fine.
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
hey
Nitro_123 said:
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
Click to expand...
Click to collapse
cool :good: reading:good:
as for repartitiong hold off for now but, read this anyway,
copy every command you see and keep in organized file for reference
http://forum.xda-developers.com/showthread.php?t=1388996
this command in term should pull pit file [get it right,check,double,check,triple check] must su first i believe
dd if=/dev/block/mmcblk0 of=/sdcard/out.pit bs=8 count=481 skip=2176
to xkwr27 hi, you're comparing with stock recovery right?
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
hey
Nitro_123 said:
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
Click to expand...
Click to collapse
the boot sequence is more where my thinking is going to.
my understanding is there are three stages , power on the boot loader does it's work, the kernel get's up and lays out the ramdrive and hardware
and get's the usual/basic/expected linux stuff going [yes, linux is already present,a form of it anyway] and finally, the android user space stuff.
altering something in the process to halt/bypass that last stage and get to , for now at least, a command prompt is the thought.
the hardware hacking looks really neat and is a good find as far as gaining insight on the basic boot process so thank you for
pointing me to it. having no up to speed modern pc i'm left to do what i can on my tab and can't risk it. but i DID find a
a kernel/boot img pack/repack/editing setup that i'm already using on my tab!!!
the link is http://forum.xda-developers.com/showthread.php?t=2073775
read the op then go to my post on the last page.
grub would be sweet though, wouldn't it ?
round one
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
moonbutt74 said:
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
Click to expand...
Click to collapse
hahaha i wish you good luck
thanks
FurFur_ said:
hahaha i wish you good luck
Click to expand...
Click to collapse
i've been through roughly 17 different experiments by now
but i'm too stupid to quit so we'll see :laugh:
---------- Post added at 10:46 PM ---------- Previous post was at 10:38 PM ----------
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
so if i'm understanding this right the samsung bootloader [which we don't mess with....snicker]
is initiating the command which grabs the kernel and get's things rolling..?
even if i'm not right in the init.rc scripting language is there a means to repeat that process ===> initramfs,bzimage ?
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
hey
i flashed the image as is first ; mmcblk's dont matchup in hook/looproot ; corrected[?] them no dice
aside from zimage&module&busybox mixing and matching
i think something with the hooks is the stumper
this is the ramdisk, i wasn't sure if you were asking or me to crack the image open or not,
i was hoping you might have a handle on kernel command lines.
if it comes to kernel building/compiling i'm boned:crying:
if there's something you want me to try or test let me know. :good:
kernel command
no_console_suspend=1 console=null
xkwr27 said:
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
Click to expand...
Click to collapse
Mate that sounds very good I'm so busy with life nowadays Final year of school I don't know too much and I can't learn anything cause I have literally no time
I won't be posting too often Good luck with your project. Eager to see some success :fingers-crossed::good:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries and inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. This method accept to boot any second linux-based OS from any defined partition. It's on Russian - use translator to read.
Santos10 partiton table:
Code:
major minor #blocks name
7 0 61362 loop0
7 1 7308 loop1
179 0 15380480 mmcblk0
179 1 3072 mmcblk0p1
179 2 20480 mmcblk0p2
179 3 16384 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 2048 mmcblk0p5
179 6 358400 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 2416640 mmcblk0p8
179 9 12337152 mmcblk0p9
259 0 20480 mmcblk0p10
259 1 20480 mmcblk0p11
259 2 20480 mmcblk0p12
259 3 102400 mmcblk0p13
259 4 4096 mmcblk0p14
259 5 4096 mmcblk0p15
259 6 4096 mmcblk0p16
259 7 12288 mmcblk0p17
259 8 2048 mmcblk0p18
259 9 2048 mmcblk0p19
259 10 1024 mmcblk0p20
259 11 8192 mmcblk0p21
179 40 8192 mmcblk0gp0
179 30 1 mmcblk0rpmb
[COLOR="Red"]179 20 4096 mmcblk0boot1[/COLOR]
[COLOR="red"]179 10 4096 mmcblk0boot0[/COLOR]
252 0 307200 zram0
179 50 1955840 mmcblk1
179 51 1954816 mmcblk1p1
253 0 61362 dm-0
253 1 7308 dm-1]
Look at the red text i marked. I think we already have dual boot bootloader by Samsung.
Angel_666 said:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7Intel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
******************************INTEL CONFIDENTIAL******************************

0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
M
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries an inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. It's on Russian - use translator to read.
Click to expand...
Click to collapse
Awesome work on that manual dude, now I have something to do while I'm at work bored... and we'll know what we can and can't remove/put in...
xkwr27 said:
Awesome work on that manual dude
Click to expand...
Click to collapse
If you mean manual on that site - it's not mine.
Post updated. Take a look at device partitions.

PartitioningTool.py fails on 1 kb partition

This is my partition table as generated by gdisk
Logical sector size: 512 bytes
Disk identifier (GUID): 98101B32-BBE2-4BF2-A06E-2BB33D000C20
Partition table holds up to 32 entries
First usable sector is 34, last usable sector is 15269854
Partitions will be aligned on 2-sector boundaries
Total free space is 313196 sectors (152.9 MiB)
Code:
# Name Start (sector) End (sector) Size Size (Sectors) Partition GUID Code
1 modem 131072 262143 64 MB 131072 EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
2 sbl1 262144 263167 512KiB 1024 DEA0BA2C-CBDD-4805-B4F9-F428251C3E98
3 sbl1bak 263168 264191 512KiB 1024 DEA0BA2C-CBDD-4805-B4F9-F428251C3E98
4 aboot 264192 266239 1024KiB 2048 400FFDCD-22E0-47E7-9A23-F16ED9382388
5 abootbak 266240 268287 1024KiB 2048 400FFDCD-22E0-47E7-9A23-F16ED9382388
6 rpm 268288 269311 512KiB 1024 098DF793-D712-413D-9D4E-89D711772228
7 rpmbak 269312 270335 512KiB 1024 098DF793-D712-413D-9D4E-89D711772228
8 tz 270336 271871 768KiB 1536 A053AA7F-40B8-4B1C-BA08-2F68AC71A4F4
9 tzbak 271872 273407 768KiB 1536 A053AA7F-40B8-4B1C-BA08-2F68AC71A4F4
10 pad 273408 275455 1024KiB 2048 EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
11 modemst1 275456 278527 1.5MiB 3072 EBBEADAF-22C9-E33B-8F5D-0E81686A68CB
12 modemst2 278528 281599 1.5MiB 3072 0A288B1F-22C9-E33B-8F5D-0E81686A68CB
13 misc 281600 283647 1024KiB 2048 82ACC91F-357C-4A68-9C8F-689E1B1A23A1
14 fsc 283648 283649 1024Bytes 2 57B90A16-22C9-E33B-8F5D-0E81686A68CB
15 ssd 283650 283665 8KiB 16 2C86E742-745E-4FDD-BFD8-B6A7AC638772
16 splash 283666 304145 10MiB 20480 20117F86-E985-4357-B9EE-374BC1D8487D
17 DDR 393216 393279 32KiB 64 20A0C19C-286A-42FA-9CE7-F64C3226A794
18 fsg 393280 396351 1.5MiB 3072 638FF8E2-22C9-E33B-8F5D-0E81686A68CB
19 sec 396352 396383 16KiB 32 303E6AC3-AF15-4C54-9E9B-D9A8FBECF401
20 boot 396384 461919 32MiB 65536 20117F86-E985-4357-B9EE-374BC1D8487D
21 system 461920 4557919 2GB 4096000 97D7B011-54DA-4835-B3C4-917AD6E73D74
22 persist 4557920 4623455 32MiB 65536 6C95E238-E343-4BA8-B489-8681ED22AD0B
23 apedata 4623456 4688991 32MiB 65536 6C95E238-E343-4BA8-B489-8681ED22AD0B
24 cache 4688992 5213279 256MiB 524288 5594C694-C871-4B5F-90B1-690A6F68E0F7
25 recovery 5213280 5278815 32MiB 65536 9D72D4E4-9958-42DA-AC26-BEA7A90B0434
26 devinfo 5278816 5280863 1024KiB 2048 1B81E7E6-F50D-419B-A739-2AEEF8DA3335
27 keystore 5373952 5374975 512KiB 1024 DE7D4029-0F5B-41C8-AE7E-F6C023A02B33
28 oem 5374976 5506047 64MiB 131072 7DB6AC55-ECB5-4E02-80DA-4D335B973332
29 config 5506048 5507071 512KiB 1024 91B72D4D-71E0-4CBF-9B8E-236381CFF17A
30 userdata 5507072 15269854 4.7GiB 9762783 1B81E7E6-F50D-419B-A739-2AEEF8DA3335
My version of the tool is this
Code:
!/usr/bin/python
#===========================================================================
# This script parses "partition.xml" and creates numerous output files
# specifically, partition.bin, rawprogram.xml
# REFERENCES
# $Header: //source/qcom/qct/core/pkg/bootloaders/rel/1.2/boot_images/core/storage/tools/jsdcc/partition_load_pt/PartitioningTool.py#2 $
# $DateTime: 2012/01/12 16:00:13 $
# $Author: coresvc $
# when who what, where, why
# -------- --- -------------------------------------------------------
# 2011-03-22 ah rawprogram for GPT for 'grow' partition, since mjsdload.cmm couldn't handle big number
# 2011-03-22 ah Corrected final disk size patch (off by 1 sector), corrected GPT labels (uni-code)
# 2011-03-18 ah Fixed default bug for DISK_SIGNATURE, align_wpb -> align
# 2011-03-16 ah New DISK_SIGNATURE tag added for MBR partitions, Split partition0.bin into
# MBR0.bin and EBR0.bin, Corrected bug in backup GPT DISK patching
# 2011-03-10 ah Removes loadpt.cmm, splits partition0.bin to MBR0.bin, EBR0.bin
# 2011-03-09 ah Much more error checking, cleaner, adds "align_wpb" tag
# 2011-02-14 ah Added patching of DISK for GPT
# 2011-02-02 ah Allow MBR Type to be specified as "4C" or "0x4C"
# 2011-25-01 ah Outputs "patch.xml" as well, allows more optimal partition alignment
# 2010-12-01 ah Matching QPST, all EXT partitions 64MB aligned (configurable actually)
# More error checking, Removed CHS option, GPT output is 2 files (primary and backup)
# 2010-10-26 ah better error checking, corrected typo on physical_partition for > 0
# 2010-10-25 ah adds GPT, CFILE output, various other features
# 2010-10-08 ah released to remove compile errors of missing PERL script modules
I am purposely trying to keep my fsc partition to 1kb. I can make the change in my xml file to 2kb and the tool will continue. If I leave it at 1kb it will error out. Anyone else have this issue?
Should have held off asking. Once I found a newer version of the tool that issue is solved. Case closed.

{WIP} N950U Bootloader Unlocking (Build) / EDL Rom / SD-Card Booting {msm8998}

I think it's time to get this party started.
There is hope ->> Initial Analysis​
I have built a spreadsheet that takes a hexdump of the GPT tables and decodes them.
This provides the means of generating the Partition.xml and Rawprogram.xml.
Also one can learn alot by analyzing the GPT.
With the ability to generate the partition.xml it can then be converted to partitions.txt that the Dragon-Board db_boot_tools (mksdcard) can be used to burn the SD Card.
The ability to build the rawprogram.xml also provides us the opportunity to build EDL roms and flash them using the emmcdl.exe or the QDL download tool for dragonboard.
This means we can build unbrick roms / anything we want and flash it in edl mode unrestricted.
Currently there is available the Factory Samsung EDL Recovery Files for Boot Loader Rev 2.
https://www.needrom.com/download/unbrick-samsung-qualcom-9008-files/
I have looked at them and they are legitimate.
Analyzing the GPT tables included in the EDL package I can determine that these are Standard Qualcomm Bootloaders that operate on a Standard QC partition table.
My theory is that being standard Qualcomm Images the bootloader is unlockable by standard Qualcomm method.
The board_info partition. As seen here.
https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
Another great resource is everything for the dragonboard 820c. Its the same chipset.
A ton of available source code is at our disposal.
In a nutshell because i dont have a lot of time to get into details at the moment.
I ran my first SD Card Test.
Simply burned the Dragonboard 820c SD Rescue image to a sd card.
https://www.96boards.org/documentat...board820c/installation/board-recovery.md.html
To my surprise if you insert this SD Card into the device and boot into download mode.
You will see FRP=OFF.
This proves my theory that the possibility of booting a full system on a sd card is real.
The sd card is read early in the boot chain.
I have to investigate and see exactly how this is setting frp off.
This partition table has the FRP partition.
The note 8 uses the persist partition for the frp switch.
So how the sd card is turing FRP off is the question I am working on answering at the moment.
I can conclude.
The device is definitely reading partitions off the SD Card.
It is beating the FRP lock out of the box.
This means either the stock bootloaders have functionality built in to look for the FRP partition that normally is not present on our devices. Meaning the stock bootloaders can read other partitions of the sd card.
Or somewhere in the boot chain one or more of the dragonboard bootloaders are executing off the sd card.
If that is the case Hope is very Great for us. Dragonboard has available the LK source code that we can modify and build.
Dragonboard also has pre-compiled bootloaders specifically for booting on sd card that we can use.
Also the samsung bootloaders in the EDL files are very promising.
If we can build the aosp system to go with the edl bootloaders ( If they are unlockable ) were golden.
If the Dragonboard Bootloaders are executing on the sd card were even more golden.
If this is the case we can even use the dragonboard 820c AOSP build ( includes sources )
All we really should need to change would relate to hardware differences.
Seems crazy but there is no rational explanation as to how the sd card turns FRP off other than the possibility of somewhere in the boot chain the drangonboard BL is executed on the sdcard.
Unless like i said the samsung bootloaders have the stock qualcomm functionality as well.
Either way you look at it. We defeated the FRP protection by flashing a sdcard and booting with the sdcard in the device. That is enough proof in itself that there is hope.
It would be superb if some of the other Samsung Devs, Like the samfail team would climb on board to work on some of this. I am very skilled in some aspects and in other aspects i could use some help.
Either way give me a couple months and we will be there.
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:
Always follow A String Theory
No pun intended.
A lot can be determined by running the strings command on a elf file. It's sorta google for developers.
Lets take a quick Look.
From the xbl.elf in the edl package.
This is our boot sequence.
SEC Image Loaded, Delta
XBLRamDump Image Loaded, Delta
PMIC Image Loaded, Delta
APDP Image Loaded, Delta
QSEE Dev Config Image Loaded, Delta
QSEE Image Loaded, Delta
QHEE Image Loaded, Delta
RPM Image Loaded, Delta
STI Image Loaded, Delta
ABL Image Loaded, Delta
APPSBL Image Loaded, Delta
DDR Training Image Loaded, Delta
What can we boot from.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_pbl_v2.c
PBL, Start
bootable_media_detect_entry, Start
bootable_media_detect_success, Start
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_hash.c
DDR Frequency, %d MHz
PBL Patch Ver: %d
Core 0 Frequency, %d MHz
Boot Interface:
NAND
eMMC
SDCARD
None
Unknown
Locked or Unlocked
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_logger.c
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
Raw PTE Row 3
Raw PTE Row 0
Load addresses. Re-Base if you have an IDA.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/Build/Msm8998LA_Core/RELEASE_CLANG38LINUX/AARCH64/QcomPkg/XBLCore/XBLCore/DEBUG/Sec.dll
[Config]
Version = 3
MaxMemoryRegions = 64
[MemoryMap]
# EFI_RESOURCE_ EFI_RESOURCE_ATTRIBUTE_ EFI_MEMORY_TYPE ARM_REGION_ATTRIBUTE_
#MemBase, MemSize, MemLabel(32 Char.), BuildHob, ResourceType, ResourceAttribute, MemoryType, CacheAttributes
#--------------------- DDR -----
0x80000000, 0x05800000, "Kernel", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x86000000, 0x00200000, "SMEM", AddMem, MEM_RES, UNCACHEABLE, Reserv, UNCACHED_UNBUFFERED_XN
0x94000000, 0x09400000, "DXE Heap", AddMem, SYS_MEM, SYS_MEM_CAP, Conv, WRITE_BACK_XN
0x9D400000, 0x02400000, "Display Reserved", AddMem, MEM_RES, SYS_MEM_CAP, MaxMem, WRITE_BACK_XN
0x9F800000, 0x00200000, "FV Region", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FA00000, 0x00200000, "ABOOT FV", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x9FC00000, 0x00300000, "UEFI FD", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF00000, 0x0008C000, "SEC Heap", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF8C000, 0x00001000, "CPU Vectors", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF8D000, 0x00003000, "MMU PageTables", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF90000, 0x00040000, "UEFI Stack", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FFD0000, 0x00027000, "DBI Dump", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFF7000, 0x00008000, "Log Buffer", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFFF000, 0x00001000, "Info Blk", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
[RegisterMap]
#--------------------- Other -----
0x14680000, 0x00040000, "IMEM Base", NoHob, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x146BF000, 0x00001000, "IMEM Cookie Base", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x16000000, 0x01000000, "QDSS_STM", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
#--------------------- Register --
0x00620000, 0x00020000, "UFS_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00100000, 0x000B0000, "GCC CLK CTL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00778000, 0x00008000, "RPM MSG RAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00780000, 0x00007000, "SECURITY CONTROL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00790000, 0x00010000, "PRNG_CFG_PRNG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010A3000, 0x00001000, "MPM2_SLP_CNTR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AA000, 0x00001000, "MPM2_TSENS0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AB000, 0x00001000, "MPM2_TSENS0_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AC000, 0x00001000, "MPM2_PSHOLD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AD000, 0x00001000, "MPM2_TSENS1", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AE000, 0x00001000, "MPM2_TSENS1_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01C00000, 0x00007000, "PCIE WRAPPER AHB", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DA0000, 0x00020000, "UFS UFS REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DC0000, 0x00040000, "CRYPTO0 CRYPTO", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01FC0000, 0x00026000, "TCSR_TCSR_REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x03400000, 0x00C00000, "TLMM CSR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x08000000, 0x02800000, "PMIC ARB SPMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05065000, 0x00009000, "GPUCC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06000000, 0x00100000, "QDSS_QDSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06400000, 0x00200000, "HMSS_QLL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A800000, 0x0011B000, "USB30_PRIM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A920000, 0x00010000, "USB_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C000000, 0x00200000, "PERIPH_SS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C800000, 0x00800000, "MMSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17900000, 0x00030000, "QTIMER", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17A00000, 0x00010000, "APCS_GIC500_GICD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17B00000, 0x00100000, "APCS_GIC500_GICR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17800000, 0x00100000, "APCS_CC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x1B000000, 0x01000000, "PCIE WRAPPER AXI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0502A000, 0x00002000, "GPMU_BLOCK0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05026000, 0x00002000, "GPMU_DRAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05030000, 0x00002000, "GPU_ISENSE", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
[ConfigParameters]
# Update count if more than default 30 entries #
ConfigParameterCount = 52
So at a minimum we can see that this bootloader can boot from sd-card. The address table shows where things are loading in memory. This is good for disassembling the elf files.
I really think the sd card can get us a way in.
The Goal
In the end this is the boot sequence we would like to see.
If you looked at the strings in the previous post you will recognize some of the information here.
================================================================================
Successful boot sequence
================================================================================
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
B - 47481 - elf_loader_entry, Start
B - 49027 - auth_hash_seg_entry, Start
B - 49129 - auth_hash_seg_exit, Start
B - 82403 - elf_segs_hash_verify_entry, Start
B - 84905 - PBL, End
B - 86955 - SBL1, Start
B - 182969 - usb: hs_phy_nondrive_start
B - 183305 - usb: PLL lock success - 0x3
B - 186294 - usb: hs_phy_nondrive_finish
B - 190442 - boot_flash_init, Start
D - 30 - boot_flash_init, Delta
B - 197548 - sbl1_ddr_set_default_params, Start
D - 30 - sbl1_ddr_set_default_params, Delta
B - 205509 - boot_config_data_table_init, Start
D - 200659 - boot_config_data_table_init, Delta - (60 Bytes)
B - 410713 - CDT Version:3,Platform ID:24,Major ID:1,Minor ID:0,Subtype:0
B - 415410 - Image Load, Start
D - 22570 - PMIC Image Loaded, Delta - (37272 Bytes)
B - 437980 - pm_device_init, Start
B - 443744 - PON REASONM0:0x200000061 PM1:0x200000021
B - 480161 - PM_SET_VAL:Skip
D - 40016 - pm_device_init, Delta
B - 482083 - pm_driver_init, Start
D - 2928 - pm_driver_init, Delta
B - 488671 - pm_sbl_chg_init, Start
D - 91 - pm_sbl_chg_init, Delta
B - 495442 - vsense_init, Start
D - 0 - vsense_init, Delta
B - 505171 - Pre_DDR_clock_init, Start
D - 396 - Pre_DDR_clock_init, Delta
B - 509045 - ddr_initialize_device, Start
B - 512766 - 8996 v3.x detected, Max frequency = 1.8 GHz
B - 522373 - ddr_initialize_device, Delta
B - 522404 - DDR ID, Rank 0, Rank 1, 0x6, 0x300, 0x300
B - 526247 - Basic DDR tests done
B - 594994 - clock_init, Start
D - 274 - clock_init, Delta
B - 598349 - Image Load, Start
D - 4331 - QSEE Dev Config Image Loaded, Delta - (46008 Bytes)
B - 603808 - Image Load, Start
D - 5338 - APDP Image Loaded, Delta - (0 Bytes)
B - 612409 - usb: UFS Serial - 2f490ecf
B - 616801 - usb: fedl, vbus_low
B - 620431 - Image Load, Start
D - 55418 - QSEE Image Loaded, Delta - (1640572 Bytes)
B - 675849 - Image Load, Start
D - 2013 - SEC Image Loaded, Delta - (4096 Bytes)
B - 683413 - sbl1_efs_handle_cookies, Start
D - 457 - sbl1_efs_handle_cookies, Delta
B - 691892 - Image Load, Start
D - 14396 - QHEE Image Loaded, Delta - (254184 Bytes)
B - 706319 - Image Load, Start
D - 14061 - RPM Image Loaded, Delta - (223900 Bytes)
B - 721111 - Image Load, Start
D - 3233 - STI Image Loaded, Delta - (0 Bytes)
B - 727913 - Image Load, Start
D - 34709 - APPSBL Image Loaded, Delta - (748716 Bytes)
B - 762713 - SBL1, End
D - 680028 - SBL1, Delta
S - Flash Throughput, 94000 KB/s (2959024 Bytes, 31250 us)
S - DDR Frequency, 1017 MHz
Android Bootloader - UART_DM Initialized!!!
[0] BUILD_VERSION=
[0] BUILD_DATE=16:07:51 - Nov 17 2017
[0] welcome to lk
[10] platform_init()
[10] target_init()
[10] RPM GLink Init
[10] Opening RPM Glink Port success
[10] Opening SSR Glink Port success
[20] Glink Connection between APPS and RPM established
[20] Glink Connection between APPS and RPM established
[40] UFS init success
[80] Qseecom Init Done in Appsbl
[80] secure app region addr=0x86600000 size=0x2200000[90] TZ App region notif returned with status:0 addr:86600000 size:35651584
[100] TZ App log region register returned with status:0 addr:916d4000 size:4096
[100] Qseecom TZ Init Done in Appsbl
[120] Loading cmnlib done
[120] qseecom_start_app: Loading app keymaster for the first time
[150] <8>keymaster: ""KEYMASTER Init ""
[160] Selected panel: none
Skip panel configuration
[160] pm8x41_get_is_cold_boot: cold boot
[170] boot_verifier: Device is in ORANGE boot state.
[180] Device is unlocked! Skipping verification...
[180] Loading (boot) image (348160): start
[190] Loading (boot) image (348160): done
[190] use_signed_kernel=1, is_unlocked=1, is_tampered=0.
[200] Your device has been unlocked and cant be trusted.
Wait for 5 seconds before proceeding
[5200] mdtp: mdtp_img loaded
[5210] mdtp: is_test_mode: test mode is set to 1
[5210] mdtp: read_metadata: SUCCESS
[5230] LK SEC APP Handle: 0x1
[5230] Return value from recv_data: 14
[5240] Return value from recv_data: 14
[5250] Return value from recv_data: 14
[5260] DTB Total entry: 1, DTB version: 3
[5260] Using DTB entry 0x00000123/00000000/0x00000018/0 for device 0x00000123/00030001/0x00010018/0
[5270] cmdline: androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.veritymode=enforcing androidboot.serialno=2f490ecf androidboot.baseband=apq mdss_mdp.panel=0
[5290] Updating device tree: start
[5290] Updating device tree: done
[5290] Return value from recv_data: 14
[5300] RPM GLINK UnInit
[5300] Qseecom De-Init Done in Appsbl
[5300] booting linux @ 0x80080000, ramdisk @ 0x82200000 (0), tags/device tree @ 0x82000000
[5310] Jumping to kernel via monitor
U-Boot 2017.11-00145-ge895117 (Nov 29 2017 - 10:04:06 +0100)
Qualcomm-DragonBoard 820C
DRAM: 3 GiB
PSCI: v1.0
MMC: [email protected]: 0
In: [email protected]
Out: [email protected]
Err: [email protected]
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found /extlinux/extlinux.conf
Retrieving file: /extlinux/extlinux.conf
433 bytes read in 71 ms (5.9 KiB/s)
1: nfs root
Retrieving file: /uImage
19397184 bytes read in 2024 ms (9.1 MiB/s)
append: root=/dev/nfs rw nfsroot=192.168.1.2:/db820c/rootfs,v3,tcp rootwait ip=dhcp consoleblank=0 console=tty0 console=ttyMSM0,115200n8 earlyprintk earlycon=msm_serial_dm,0x75b0000 androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.ver0
Retrieving file: /apq8096-db820c.dtb
38134 bytes read in 37 ms (1005.9 KiB/s)
## Booting kernel from Legacy Image at 95000000 ...
Image Name: Dragonboard820c
Image Type: AArch64 Linux Kernel Image (uncompressed)
Data Size: 19397120 Bytes = 18.5 MiB
Load Address: 80080000
Entry Point: 80080000
Specifically what we want to accomplish.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
If we can set this the bootloader is unlocked.
Boot Config @ 0x00076044 = 0x000001c9
From our xbl.elf strings.
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
BigCountry907 said:
This partition table has the FRP partition.
Click to expand...
Click to collapse
The actual FRP partition in this SD recovery image is empty. And so are a bunch of other ones; they all seem to be blanked out with 00s. Maybe they are used for mounting the images? But in that case, what would be responsible for mounting them? I think one of the partitions that actually has an ELF header might be worth looking at.
The sdcard image is for the dragonboard to boot into fastboot mode.
So you are correct. Most of the partitions are empty.
The bootloaders are present on the sdcard.
I havent determined if they are running or not.
The only byte that matters on the FRP partition is the last byte.
00 = FRP Lock Off
01= FRP Lock On.
If you install Liveboot then the log files on bootup are saved.
Looking in that log I can see the sdcard partitions are being mounted.
If you
cat /proc/mounts
You will see many are mounted.
This was just an initial test to see if the sd card would get read on boot.
It does so now im working on building a card with the V2 samfail installed.
My hope is to boot a full system off of the sdcard.
Then development can be done without touching the UFS.
If we can get the bootloaders to run off the sdcard as well this will open a huge door for us.
I will let you know how it goes with my next test.
The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.
I will attach here the first revision of my GPT Decoder Spreadsheet.
It takes the GPT which is the UFS Partition Table and decodes it.
Once the GPT is decoded we can use it to make the following.
Rawprogram.xml >> used for flashing in EDL Mode like emmcdl.exe or dragonboard "QDL"
Partition.xml >> used for making GPT files and the Rawprogram.xml and is used by qualcomm tools like Ptool.py Msp.py ext.
Partitions.txt >> used for flashing sd cards or writable devices using mksdcard script.
So essentially the GPT is the foundation of everything. The GPT is what the samsung .PIT files write.
You can pull the GPT off the device using the shell.
Here are the commands.
The MAIN GPT. Tables
The main GPT is the first 24kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/gpt_main0.bin bs=1024 count=24
dd if=/dev/block/sdb of=/sdcard/gpt_main1.bin bs=1024 count=24
dd if=/dev/block/sdc of=/sdcard/gpt_main2.bin bs=1024 count=24
dd if=/dev/block/sdd of=/sdcard/gpt_main3.bin bs=1024 count=24
The BACKUP GPT. Tables
The backup GPT is the last 20kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
So the start address of the backup gpt is total size in kb of disk - 20kb.
To get the skip= number you have to take the total kb of the disk and subtract 20 kb from it.
This is for the U2 bootloader.
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/backup-sda-gpt.bin bs=1 skip=63916978176
dd if=/dev/block/sdb of=/sdcard/backup-sdb-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdc of=/sdcard/backup-sdc-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdd of=/sdcard/backup-sdd-gpt.bin bs=1 skip=62894080
We will be needing someone to pull the GPT tables from all the bootloader versions except for U2.
I am on U2 and this spreadsheet is for U2.
I will need the other GPT tables to build the unbrick for other bootloader versions.
Look at the spreadsheet and the different sheets in it.
You will get an Idea of how it works.
I use formulas and link to the pasted GPT tables to decode them.
This spreadsheet still needs work so some of the data is manually edited at this time.
But for U2 bootloader rev this spreadsheet is correct.
Use open office to use or look at this spreadsheet. << ITS FREE
Use 7z to unzip the files
NEW possibly very Exciting Discovery.
Don't get too excited because i need to verify but from what i see.
In the AP_N950USQS2BQK2_CL12461033_QB15680825_REV00_user_low_ship_MULTI_CERT_meta
There is a folder called meta-data.
In that folder there is a password protected zip called FOTA.
The password is fotatest1234
I see everything in there is to sign files.
Now what im thinking is related to my first ever android hack several years back.
By generating my own .pk8 and .pem keypair I figured out how to dump the publick key into the keyform used to verify the signature of ota zip packages to flash in a stock recovery.
By taking the key dump and replacing it in the recovery /res/keys.
The group of files in the above mentioned zip file is for signing packages and boot and recovery image.
I believe if I can find where the publick half of the keypair for verifying the boot signature I can replace it and sign my boot and recovery with my own keys. The bootloader still verifies the signature but it passes because its verifying my public half of the keypair against a file signed by my keypair.
I might know already where the certificate is. I need to pull out a old tool.
I wrote this shell script years ago for this very purpose. I think its broken slightly. I was working on it and never finished.
But if you know shell code the errors are easy enough to fix.
The setup will work. Its posted here.
https://drive.google.com/file/d/0B8jitdIyh2NtMHo4Q1ZLbFk3aEE/view
There are a couple of threads I wrote about it.
https://androidforums.com/threads/root-rom-recovery-r-d.975147/
Quick Ho to
make a folder in the home dir called auto-key
unzip the file in there
Signing the zip will work with this.
Just use the keys i sent along in the package.
Only thing is if the recovery.img is alot newer you might have to use the new boot tools.
I havent written them in the software yet.
Under the folder boot in auto-key
Put your recovery.img in the boot folder
cd ~/auto-key/boot
type
./mkboot recovery.img new-ramdisk
that will unpack the recovery.
open the new-ramdisk folder
go to /res in the new-ramdisk
there is a file called keys
delete it
go to the the keys folder in auto-key
~./auto-key2/keys/factorykey/res/e-0x3
copy the keys file to the
new-ramdisk/res folder
cd
cd ~/auto-key/boot
type
./mkboot new-ramdisk patched-recovery.img
it will repack the recovery
Then you have to flash patched-recovery.img to the recovery mmcblk of your device.
You will have to use the dd command in adb if you can.
Not sure what type of access you have with the bootloop.
example command may work for you
just make sure that the patched-recovery.img is in the dir that shell is cd to.
then type
adb push patched-recovery.img /storage/sdcard0
or
adb push patched-recovery.img /storage/sdcard1
whichever one is your sd card.
then type
adb shell
su
dd if=/storage/sdcard0/patched-recovery.img of=/dev/block/mmcblk0p?? "make after the p your correct partition for recovery"
To sign files put them in the tosign folder in the auto-key folder
only 1 file ata a time can be in that folder
run akey.sh
select sign files
select option 1 in the sign files menu.
You will find the signed zip in /auto-key/output.
If you need more help let me know
Now Im not saying do all of that. But im saying Im pretty sure I might be able to use this same process to self sign our boot and recovery images. Then we don't need a bootloader unlock.
Our custom boot and recovery will be certified samsung official.
Just a lot to work on now. The sdcard and now the signing project.
Now were starting to have some real fun.
Sorry to be off topic i hope the sanfail team is on board with u
One more writeup about the recovery signature hack
What happens is that the stock recovery checks the public part of the key pair against a file in the recovery.img ram disk. Usually /res/keys. You can locate this call in one of the recovery log files located in the /cache. When you get your device the /res/keys that is in the ramdisk is generated by the manufacture keyset therefore limiting the update.zip to be signed with the manufacturer keys.
So I have tested and found a way to change that. Like I said I have tested and it works. If you pull your stock recovery image or get it from a factory update.
Take that recovery.img and split it into the seperate kernel and ramdisk.
Extract or mount the ramdisk -cpio.
Generate your own set of private keys using the same public exponent as the factory rom.
Example and probably most common: Exponent: 3 (0x3)
Example: Releasekey.x509.pem and Releaseke.pk8 generated with Exponent: 3 (0x3)
Take the new keys and use DumpPublicKey.jar to create a new keys file.
Replace the /res/keys file with the one created from your keys.
Repack the ramdisk.
Repack the recovery.img using the correct offsets.
Either flash the new recovery.img to the device or use fastboot to boot it.
Example: fastboot boot recovery.img
Now take an update.zip and edit the updaterscript so that it will fail at an assert / unless you actually want to flash the update.
Sign the update zip using your .x509.pem and .pk8 keypair. You have to use the signapk.jar with the -w option else it wont work.
It will pass the signature verification of the recovery for sure.
We just did the same thing that the manufacturer does with there keys.
I dont anticipate any problems with the bootloader because the new recovery.img is identical to the original recovery.img except for the /res/key is your key.
The boot loader isn't checking that key "that i know of" so it doesn't know anything is different.
And that is how to load any update you want. You sign it with your own key. You make the recovery.img /res/keys with the matching keys.
Now if you are a developer you could probably figure out how to do all of the above.
Otherwise there is a lot more to it than it seems.
Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?
BigCountry907 said:
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:
Click to expand...
Click to collapse
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol
BigCountry907 said:
The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.
Click to expand...
Click to collapse
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard..
even in edl, edl doesnt per say let the phone boot unsigned firmware.. its merely a flashing mechanism.. so it will allow you to flash just about anything if using signed programmers and everything else is proper but if that firmware is not signed the device will not boot due to secure boot..
the private key is burned into hardware at the factory..
with that being said, i would look at the non volatile partitions that arent required to be signed and see if theres anything there that we can modify to help in unlocking the bl.. partitions like param, or steady or misc etc etc that we could modify and flash in edl and still boot as its not checked for integrity if that makes sense lol
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
dunno bout newer devices but s7 and s6 etc. the unlockable sd variants use crom.apk (their bls have a crom lock)... pushing req libs with root and running logcat while running crom it writes a "KIWIBIRD" flag to the steady partition then when device boots it reads it and bl is unlocked..
On newer locked sd devices theres an eng mode.. theres an eng cert that gets flashed in odin that i believe writes to stead or param, not sure lol but u get the point..
just trying to say theres other routes to look at that i think would be more viable.
i spent close to a year messin with edl on msm8998 (s8+ g955u), it is a viable way in if u can figure it out.. unsigned firmware like boot.img, recovery.img and the usual partitions never booted for me.. always secure check fail even when flashing with edl..
theres an old read but decent and somewhat related to sdcard.. samsung devices used to have an option in odin called t. flash that was supposed to flash the stuff in odin to an sdcard in the device.. i think he crafted a boot.img then tflashed stock or somethin like that lol.. it was yearsago so surely patched unless sammy goofed and quitely re-enabled it lol
to add after reviewing further, the dragonboard 820c is closest to snapdragon 820 which was in the S7 devices.. or similar to msm8996.. note 8 was msm8998 or closer to snapdragon 830? if that exists lol
Rip
dazemc said:
Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?
Click to expand...
Click to collapse
I'm not saying to do the recovery.img mod.
I'm saying use that as a template to be able to sign our own boot and recovery images.
First
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der
Second
Signing the boot image
Using the BootSignature.jar file sign the boot image using the keys generated above
If we look in that fota.zip
the path is /fota/OTA/tools
We have a boot_signer.sh and BootSignature.jar
Looking in the boot signer script we see.
#! /bin/sh
# Start-up script for BootSigner
BOOTSIGNER_HOME=`dirname "$0"`
BOOTSIGNER_HOME=`dirname "$BOOTSIGNER_HOME"`
java -Xmx512M -jar "$BOOTSIGNER_HOME"/framework/BootSignature.jar "[email protected]"
So to sign the boot image our command would be.
Code:
java -Xmx512M -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
To check the signature
Code:
java -jar BootSignature.jar -verify boot_signed.img
Now if we had Samsungs .pk8 and samsungs .x509.der things would be easy.
The .x509.der we can get off the device its got to be in the ramdisk.
But the .pk8 is the private key and usually we can't get that.
The thing is maybe we can.
The variable "[email protected]" has to be these keys and if the boot.img is getting signed on the device after a patch or update then its hiding somwhere. If we can find that we can sign our own boot.img and the device will say there samsung official.
The other option is where I was talking about what I did to the recovery image.
Some Where there is the KEY used to verify to boot.img signature.
In the case of the recovery and flashing update zips it it the /res/keys found in the ramdisk.
The /res/keys is a dumped form of the keypair made by using dumpkey.jar also found in the /fota/OTA/tools.
By running dumpkey.jar against our custom signing keys we get the form of the key used in /res/keys.
If the boot.img signature scheme used the same method all we need to know is where the equivalent /res/keys is at and replace it with ours.
It could very well be in the ramdisk.
For me to make this work what i need to know is where is the KEY that is used to verify the boot.img signature.
Or if we can get the "[email protected]" variable output in the boot_signer script then we will have both keys.
I highly doubt but it could be possible there hard coded in the BootSignature.jar thats in the fota folder.
It would be helpful if I had a copy of any OTA Update that someone pulled off a device before they installed the update. Preferably a full update from one android version to the next like going from N to O
MY Questions are.
Anyone out there have a copy of a OTA Update?
Anyone know the location of the KEY used to verify the Boot signature?
Has anyone installed an update and seen the update package unpack / repack and sign the boot.img or any log refering to the verification of the boot signature.
If the update unpacked the boot then it had to sign it.
Hopefully you understand now what direction I am headed in with Auto-Key script.
All the code to manipulate the keys I have written in the akey.sh already.
If we can sign our own boot and recovery we don't need to unlock the bootloader.
My final question is
Is the Kernel signed also? Or since the DM-Verity days are they only relying on the boot.img signature.
elliwigy said:
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol
Click to expand...
Click to collapse
I wasn't thinking of reporting the FRP trick.
There are a ton of ways to accomplish the same thing.
If you
Code:
dd if=/dev/zero /dev/block/sda5
and
Code:
dd if=/dev/zero /dev/block/sda12
Well FRP lock = off.
I just hate the Idea of someone using my work to profit from samsung.
I love for people to use my work and to contribute to it to help everyone.
So screw the money I just want to help.
Cool to know that you did get paid though.
elliwigy said:
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
Click to expand...
Click to collapse
This is the main reason I like the Samsung EDL Bootloaders.
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
Click to expand...
Click to collapse
The EDL package is QUALCOMM. It lacks the Samsung Customization.
If it is possible to take those bootloaders that are signed and build the rest of the android system its hard to tell what we could end up with. Maybe the bootloaders in the EDL have the ability to be unlocked by the normal Qualcomm method that utilizez the DEVINFO partition that is present on our devices.
Have you looked at that yet?
Code:
greatqlte:/ # hexdump -C -v /sdcard/devinfo.img
00000000 41 4e 44 52 4f 49 44 2d 42 4f 4f 54 21 01 01 00 |ANDROID-BOOT!...|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Looks Pretty Familiar.
Bootloader Unlocking
For some devices, such as several Xiaomi ones, partition flashing is sufficient for being able to unlock the Android Bootloader (which disables the verification of the rest of the chain):
[Primary Bootloader (PBL)]
|
`---NORMAL BOOT---.
[Secondary Bootloader (SBL)]
|-.
| [Applications Bootloader (ABOOT)]
| `-.
| [boot.img]
| |-- Linux Kernel
| `-- initramfs
| `-.
| [system.img]
|
`-[TrustZone]
The bootloader locking bit of such devices is held in the devinfo partition, parsed by the Android Bootloader.
Attackers can simply flip the lock bit, to load an arbitrary boot image. This will not cause any factory reset.
Reading devinfo using our framework prior to the attack yields the following output:
> hexdump devinfo.bin
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00 ANDROID-BOOT!...
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Setting 1 at offsets 0x10, 0x18, and flashing the modified devinfo will unlock the bootloader:
No im not saying that Ive tested this yet. But it is a possibility.
My guess is that the EDL bootloaders that Lack Samsung Customization including KNOX might and I say again Might read the devinfo partition.
It is there for some reason. So the Question is Why??? What does it do.
That is the reason for my interest in the EDL Firmware.
Code:
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard.
Again this is misinterpretation.
I'm not saying we are going to run the dragonboard firmware on our devices.
If you know the dragonboard tools some of them are very useful.
It is proven already the sd card can indeed influence the devices operation.
Basically I am utilizing some dragonboard tools to replicate what odin does to the sdcard when you use T-FLASH.
The sd card is very viable and a great means of testing. BUT also a lot of work.
Dragonboard 820 is as close to the actual source code we are going to get right now.
If you dig down in the bootloaders you will find many reference to msm8996 source code.
The msm8996 and msm8998 share a lot.
And Little Kernel is Little Kernel.
Liarno has good source trees that are for building LK with different functions.
If we can unlock the bootloader and run our own LK thats sure where id start.
Also for understanding how LK works and the different functions what better of a source than a very well documented one.
I actually have quite a bit of Leaked Qualcomm Source Code. Its a bit older but still very viable.
More than enough to understand how the security mechanisms work if you really dig into it.
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
Click to expand...
Click to collapse
Thank You very much for pointing this out.
There are uses for that for sure.
The sd card working or not working to accomplish anything all depends on how the samsung and the EDL bootloaders are written.
THEY DO SUPPORT THE SD.
I'm just looking for that one quirk that gets us a way in.
Its like looking for a needle in a haystack.
Its never expected to be there and found entirely by mistake. After you step on it.
If you don't play in the haystack you will never step on the needle.
Thank you again for your insight. If you have any other knowledge of things like that it all helps.
Maybe that is a way to trigger the SD.
The process of debating always leads to something.
Like setprop sys.boot_mode ffbm.
If everyone shares there finds eventually putting them all together gets something accomplished.
pbedard said:
Rip
Click to expand...
Click to collapse
RIP what?
This party is just getting started.
Pay attention.....you might be surprised how much you can learn.

Question couldn't host Android Automotive OS 11 in Raspberry Pi 4 Model B

Hi, I downloaded the img file from the provided link(https://images.snappautomotive.com/rpi/snapp_automotive_rpi4_32gb_20211119.img.zip), but after successfully flashing the image file to an SD card, the raspberry pi4 model b didn't boot up. It shows (attached are the images of shown error) :
Raspberry Pi 4 Model B - 8GB bootloader: 6efe41bd 2022/01/25
board: 003115 6485fcf2 e4:5f:01:ad:58:05 boot: mode SD 1 order f41 retry 0/1 restart 18/-1
SD: card detected 00035344534431323885fa236632a165 part: mbr [0x0c:00000800 0x83:00040800 0x83:00440800 0x83:00480800]
fw: start4.elf fixup4.dat
net: down ip: 0.0.0.0 sn: 0.0.0.0 gw: 0.0.0.0
tftp: 0.0.0.0 00:00:00:00:00:00
Trying partition: 6
type: 16 lba: 2048 oem: 'mkfs. fat' volume:
rsc 4 fat-sectors 256 c-count 65399 c-size 4
root dir cluster 1 sectors 32 entries 512 Read config.txt bytes 206 hnd 0x00000000
Read start4.elf bytes 2214880 hnd 0x00000000 Read fixup4.dat bytes 5433 hnd 0x00000000
Firmware: 4b4aff21f72c5b9ba39d83c7b0f8fa910a6ef99b Dec 15 2020 14:48:29
0x00d03115 0x00000000 0x0000003f
start4.elf: is not compatible This board requires newer software
Get the latest software from https://www.raspberrypi.com/software/
Help me solve the issue. What should I follow?
just add the polestar and volvo images for emulator in android auto

Categories

Resources