ok, Been struggeling for 2 days getting my new Imate back to life after it started showing the "Serial" death screen trying to upgrade it to O2 new rom.
I tried everything using the USB cradle and also using the SD way and my other good Imate...... As soon as I insert the SD in the dead Imate after packing it with the ROM from the good one it tells me "section=1 not allowed!" were as it is mentioned here in the forum it shold tell me "press power to upgrade".
I noticed that this new one has a bootloader ver 1.06 which is not refered to anywhere in this forum.
Any ideas?
sd cards usually only work for the same bootloader.
the trick is to put a 1.06 header on your sd card.
what you can do is this:
- first using your 1.06 bootloader create an sdcard with your bootloader,
by connecting your xda to a terminal program ( either via USB, or seiral )
then type 'd2s 80000000 40000'
this will write your bootloader to SD.
- then make a raw image copy of this sd card, using psdread
* insert the sdcard in a working xda2, put it in it's cradle, and type:
psdread -3 0 0x40400 bl106.img
- then create an sd image of the correct rom, in your working xda2.
from this image, replace the header part of the first sector of the
sdcard with the header from the bl106.img.
the header is the first 0x180 bytes.
psdread -3 0 0x200 os-header.img
* use hexeditor to replace the first 0x180 bytes of this file.
and write it back:
psdwrite -3 os-header.img.
then your sd card should work with the new bootloader.
btw, I am very interested in a copy of this bootloader. can you send me the bl106.img file?
Thank You
itsyou,
I Thank you tons for replying back... will give it a shot and will let you know the outcome.
As for the Bootloader Copy, I only have 2 SDs 512 & 256. I have no problems with bandwidth let me know where to dump it for you and I will do it promptly.
:wink:
now that I looked again at ur expalnation I find it very difficult for me to do.
Wouldnt it be easier to just flash my good XDA with the new bootloader then do a full sd image from that one and run it into the bad one? if this would work then fine if not pls find below some questions:
- first using your 1.06 bootloader create an sdcard with your bootloader,
by connecting your XDA to a terminal program ( either via USB, or seiral )
then type 'd2s 80000000 40000'
this will write your bootloader to SD.
DONE
- then make a raw image copy of this sd card
How
using psdread
* insert the sdcard in a working xda2, put it in it's cradle, and type:
psdread -3 0 0x40400 bl106.img
where to type that? in cmd prompt? if so; I did that, windows gave me an error related to a 16bit application encountered error (am using XP)? while Active sync is on? in mtty? Is this the SD card the one i did above or a formated one
- then create an sd image of the correct rom, in your working xda2.
from this image, replace the header part of the first sector of the
sdcard with the header from the bl106.img.
the header is the first 0x180 bytes.
psdread -3 0 0x200 os-header.img
Not clear
* use hexeditor to replace the first 0x180 bytes of this file.
and write it back:
psdwrite -3 os-header.img.
psdwrite ... is that a hex editor I can find somewhere
where to type that? in cmd prompt? if so; I did that, windows gave me an error related to a 16bit application encountered error (am using XP)? while Active sync is on? in mtty? Is this the SD card the one i did above or a formated one
psdread is a desk top windows command line tool, found in this archive.
you already know how to make an sdcard with os image. - type 'd2s' to your bootloader.
from this sd card you copy only the first sector with
Code:
psdread -3 0 0x200 sd-sector.img
then replace the header in this file.
this is an example of what the first 512 bytes look like:
first the part that needs to be replaced:
Code:
0000000: 4849 4d41 4c41 5941 5320 2020 2020 2020 HIMALAYAS
0000010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
0000020: f622 919d e18b 1fda b0ca 9902 b972 9d49 ."...........r.I
0000030: 2c80 7ec5 99d5 e980 b2ea c9cc 53bf 67d6 ,.~.........S.g.
0000040: bf14 d67e 2ddc 8e66 83ef 5749 61ff 698f ...~-..f..WIa.i.
0000050: 61cd d11e 9d9c 1672 72e6 1df0 844f 4a77 a......rr....OJw
0000060: 02d7 e839 2c53 cbc9 121e 3374 9e0c f4d5 ...9,S....3t....
0000070: d49f d4a4 597e 35cf 3222 f4cc cfd3 902d ....Y~5.2".....-
0000080: 5341 3030 e1dc d6ae 8390 49f1 f1ff e9eb SA00......I.....
0000090: b3a6 db1e 870c 3edd 24eb 0d1c 06b7 47de ......>.$.....G.
00000a0: 8412 4dc8 43c3 cba6 1f03 5a7d 0938 251f ..M.C.....Z}.8%.
00000b0: 5d9f d4fc 96f5 453b 130d 890a 1cd3 902d ].....E;.......-
00000c0: 489a 50ee 4078 36fd 1249 32f6 9e81 49dc [email protected]
00000d0: ad4f 14f2 4440 66d0 6bc4 30b7 bec6 ff42 [email protected]
00000e0: 5455 9a6a 2215 d1e1 9038 3238 d93f 7c66 TU.j"....828.?|f
00000f0: 5e03 d8c0 9c91 d971 9f69 a5e2 0c99 9247 ^......q.i.....G
0000100: fa16 bb11 adae 2488 79fe 52db 2543 e53c ......$.y.R.%C.<
0000110: 1870 92da 6454 ceb1 853e 6915 f846 6a04 .p..dT...>i..Fj.
0000120: 9673 0ed9 162f 6768 d4f7 4a4a d057 6876 .s.../gh..JJ.Whv
0000130: fa16 bb11 adae 2488 79fe 52db 2543 e53c ......$.y.R.%C.<
0000140: f445 d3d8 28ce 0bf5 c560 593d 9727 8a59 .E..(....`Y=.'.Y
0000150: 762d d0c2 c9cd 68d4 496a 7925 0861 4014 v-....h.Ijy%[email protected]
0000160: b13b 6aa5 1128 c18c d6a9 0b87 978c 2ff1 .;j..(......../.
0000170: 151d 9a95 c19b e1c0 7ee9 a89a a786 c2b5 ........~.......
this part you need to keep.
Code:
0000180: 4854 4353 3830 3034 3030 3030 3031 4538 HTCS8004000001E8
0000190: 3030 3030 4238 3042 4546 4246 fe03 00ea 0000B80BEFBF....
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 4543 4543 ............ECEC
00001e0: 04c9 0d80 0000 0000 0000 0000 0000 0000 ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
use any hexeditor you like.
most will allow you to cut/past from one file to the other.
make very sure that at offset 0000180 it says something that starts with 'HTCS80040000'
otherwise you may accidentally overwrite your bootloader, and permanently damage your device.
after you have modified the sd-sector.img file, write it back to the sdcard
containing your os image with
Code:
psdwrite -3 sd-sector.img
.
both psdread and psdwrite can be found in the itsutils.zip archive, and are descibed here and here
itsme,
followed ur kind instructions to the letter and all went smooth with no errors what so ever till I started to write back the image to the bad XDA and it gave me the freaken same error (find below)
SD Download
===========
Section=1
Not allow
update!
I started loosing hope in this thing.
I am attaching here the bl106.img file as per ur request hope it helps you and anyone else in the future (is that what u want, if not let me know what exactly u need before i send this bad one to the shop for fixing)
Best regards.
Note: i noticed in the step where am supposed to replace the first 0x180 bytes that both headers form both images ar the same...I think...maybe am wrong thus i still replaced them as per ur instructions.
(my good xda has ver. 1.02 bootloader)
this is a bootloader v1.02 you uploaded here.
I assure you that this file was dumped from an xda2 which says ver. 1.06.
Although I already sent the Device for fixing I still have a whole flash dump to the deffective device on my HD. gemme an address where I can upload it to and I will do promptly.
Thanks again for all the help you gave me.
ftp.xda-developers.com
user xda
pass xda
file (raw image) of defective device being uploaded :wink:
Am supposed to get a replacement for this device in a week time. will post u a note case it has a 1.06 ver again.
just out of curiosity
who in Egypt jandles service of the XDA II ??
just in case!!
No one :?
I have been relaying on Dubai for that matter.
I did find the 1.06 bootloader in the 1.66.167 upgrade.
OH MAN! are you telling, had I waited one more day b4 sending it to Dubai I could have used this upgrade to do the trick?
How about in the one I uploaded, which version was embeded in the raw image?
still only the 1.02 version.
I don't think the 1.06 bootloader would have helped.
itsme,
Looking at the bright side of things, I now should not regret sending the busted xdaII back for exchange then.
Thank you very much for all the help you gave me. it only shows what a gr8 community this is.
PowerLOC Destinator problem with XDA II new ROM:
Hi,
Destinator problem with XDA II ROM:
ROM-1604eng
ROM-16036wwe
ROM-v16050
ROM -16021wwe
ROM-16052ger
All these ROM versions has the same problem, The PowerLOC Destinator can not find com 5, if I use the Pocket Blue Tools patch the freeze in com 7.
The only way I find to use the PowerLOC Destinator in the XDA II is with the Rom version 1.03.00 wwe_o2 asia together with the Pocket Blue Tools.
Somebody suceed using the PowerLOC Destinator with new Rom?
Best,
Dias
My Destinator works fine with bluetooth patch and 1.66.00WWE ROM. Don't know what your problem could be, other than not doing things in the finicky order the XDA II requires with BLuetooth.
I saw this note in Default_Driver.CAB of the 1.66.131 extrom.
; Change DUN port from COM5 to BSP4.
[HKEY_LOCAL_MACHINE\ExtModems\bluetooth_dun]
"port"="BSP4:"
maybe it is related?
Just to share a successful restoration of a damaged /efs partition on a i9300 without any backup. Maybe this will help someone save their phone or avoid having to send it in for repair. This appears to be the usual advice when the efs partition is damaged and you don't have a backup. You're fsck'ed. However, you might get lucky, like I did. Read on.
The story: I was running the phone with a custom built cm-10.1 and playing Candy Crush when the battery died. After that the phone wouldn't boot. After booting into recovery it appeared /efs wouldn't mount. That puts the phone in a boot loop. Desperation...
The key to the provided solution is that eventhough your parition is damaged, the relevant data (nv_data.bin) may still exist.
Here's what I did. Not all steps may be necessary, but this is what happened to work for me. The steps I think are crucial are highlighted.
!!!AS USUAL, TRY ANY OF THIS AT YOUR OWN RISK!!! In any case, only do this when your efs partition is damaged and won't mount, not when only files in it are missing or something else.
1. Create an image of /dev/block/mmcblk0p3. mmcblk0p3 is the device file for the partition that is mounted as /efs
I did this by logging into the phone while it is in recovery with adb:
Code:
linux# adb root
linux# adb shell
phone# dd if=/dev/block/mmcblk0p3 of=/data/efs.img
phone# exit
linux# adb pull /data/efs.img .
You now have an image of the efs partition. To verify that it is indeed broken, I did a filecheck on the image:
Code:
linux# losetup /dev/loop0 efs.img
linux# fsck /dev/loop0
That gave an "Invalid Superblock" message. The partition is indeed b0rked. No (obvious) way to rescue the filesystem.
2. I still didn't know what to do so I flashed a stock ROM (G4) using Odin. Still boot looping. Since I wasn't sure the partition table wasn't damaged and the efs partition was lost anyway, I decided to check "Repartition", which is generally discouraged, using a pit file downloaded from the forum.
3. I re-rooted using CF-Root. This time using Heimdal from linux. Stock didn't fix things and you need root to access the partitions.
4. Format the efs! It's unusable and I made a backup, so in recovery:
Code:
linux# adb root
linux# adb shell
phone# mke2fs /dev/block/mmcblk0p3
Reboot the phone and voila! A booting phone, but obviously without serial number and a default IMEI. And some screen came up which I think means I was in factory mode. The data in the /efs partition has been rebuilt with a set of default files.
5. I edited some files in /efs/FactoryApp
Code:
linux# adb root
linux# adb shell
phone# cd /efs/FactoryApp
phone# echo -n ON > factorymode
phone# echo -n ON > keystr
phone# echo -n <xxxxxxx> > serial_no
Where <xxxxxxx> is your serial number, found under the battery. Not sure if this did anything useful, but the serial number no longer indicated 0000000 after that.
6. I flashed cm-10.1 again from recovery, because I was experimenting with EFSPro, which requires busybox on the phone. EFSPro doesn't do much for you in this case. So I don't think this is important.
7. Try to recreate an nv_data.bin from the damaged partition! In order to do this I pulled the rebuilt default nv_data.bin from the phone and compared it to efs.img created in step 1.
Code:
linux# adb root
linux# adb pull /efs/nv_data.bin .
linux# xxd nv_data.bin > nv_data.hex
linux# xxd efs.img > efs.hex
Now inspecting the nv_data.hex, it started out like:
Code:
0000000: cccc cccc cccc cccc cccc cccc cccc cccc ................
0000010: cccc cccc cccc cccc cccc cccc cccc cccc ................
0000020: 4d21 5317 00a0 a2f7 1435 5799 529d 129b M!S......5W.R...
0000030: 48bd ca0e 6249 1367 37a5 96c3 39da 19ea H...bI.g7...9...
0000040: 0000 0000 e000 0000 0200 7400 6c00 0000 ..........t.l...
0000050: 0000 0000 0000 8130 0100 0000 0000 0000 .......0........
0000060: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000070: ffff ffff 0200 0000 333a 3476 2020 2020 ........3:4v
0000080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f SP6260_M0_MODEM_
0000090: 3033 2e31 3332 375f 4442 3133 3037 3032 03.1327_DB130702
00000a0: 2032 3031 332d 4a75 6c2d 3136 2032 303a 2013-Jul-16 20:
00000b0: 3035 3a33 3020 0a20 2020 2050 4442 5f4e 05:30 . PDB_N
00000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000 OT_AVAILABLE ...
I then searched for "MODEM" in efs.hex and found several similar entries. So for the next step, you might have to try a few times. I found one at address 0600000:
Code:
0600080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f SP6260_M0_MODEM_
0600090: 3033 2e31 3234 315f 4442 3132 3130 3038 03.1241_DB121008
06000a0: 2032 3031 322d 4e6f 762d 3136 2031 343a 2012-Nov-16 14:
06000b0: 3030 3a34 3920 0a20 2020 2050 4442 5f4e 00:49 . PDB_N
06000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000 OT_AVAILABLE ...
I then extracted a block of data with the size of nv_data.bin from efs.img starting at this address:
Code:
linux# dd if=efs.img of=new_nv_data.bin skip=12288 count=4096
"skip" indicates the offset (0x0600000) and "count" the filesize (0x0200000). I now had a recreated old nv_data.bin.
8. Put the recreated nv_data.bin on the phone and delete backups.
Code:
linux# adb root
linux# adb shell
phone# cd /efs
phone# rm nv_data.bin
phone# rm .nv_data.bak
phone# rm .nv_core.bak
phone# adb push new_nv_data.bin /efs/nv_data.bin
I rebooted the phone and miracle oh miracle. I had my original IMEI back! Not sure if the phone is in optimal condition, but I can make calls and I have mobile data.
Hope any of this may be of any help to anyone. It took me quite a while to figure things out !!
If this works, you have made an excellent work and i think this has to be stickied :sly:
Inviato dal mio GT-I9300 utilizzando Tapatalk
Well done fella, good work!
Sent from my GT-I9300 using xda premium
Hi SlashV,
Very interesting approach of one of the most frequent issues for I9300!
My case is as follows: I have recovered IMEI with more common methods: kTool,and..
- in 4.3 ROM's my IMEI and serial are ok ... and I have network ,but
- in CM11 or OMNI 4.4 my IMEI is correct but the serial number is wrong !
(and therefore I have no network)
Could you suggest, please, a way to read and/or repair the Serial number in CM11 ?!
( using Terminal Emulator would be also possible?)
Thanks in advance!
serial number in cm
stefan.slavici said:
Hi SlashV,
Very interesting approach of one of the most frequent issues for I9300!
Click to expand...
Click to collapse
Thanks.
stefan.slavici said:
My case is as follows: I have recovered IMEI with more common methods: kTool,and..
- in 4.3 ROM's my IMEI and serial are ok ... and I have network ,but
- in CM11 or OMNI 4.4 my IMEI is correct but the serial number is wrong !
(and therefore I have no network)
Could you suggest, please, a way to read and/or repair the Serial number in CM11 ?!
( using Terminal Emulator would be also possible?)
Thanks in advance!
Click to expand...
Click to collapse
I think my serial number got restored by step 5 of what I did even before I restored my original nv_data.bin, so you might try that. It's easy from the terminal and I'm fairly sure it won't hurt. Make a backup of you efs first!
However, I am somewhat surprised by your issue. How can the serial number change? I did notice CM shows a different serial for me than is on the sticker, so maybe I have the same issue, or CM just shows a different representation of the same number. Anyway, I have no network issues because of it. Maybe your network issues have to do with something else than the serial no?
SlashV said:
Thanks.
I think my serial number got restored by step 5 of what I did even before I restored my original nv_data.bin, so you might try that. It's easy from the terminal and I'm fairly sure it won't hurt. Make a backup of you efs first!
However, I am somewhat surprised by your issue. How can the serial number change? I did notice CM shows a different serial for me than is on the sticker, so maybe I have the same issue, or CM just shows a different representation of the same number. Anyway, I have no network issues because of it. Maybe your network issues have to do with something else than the serial no?
Click to expand...
Click to collapse
no! the serial number changed when i flashed CM11 but no network problem. and then it is back to the previous serial number when i flashed s4 evolution rom!
OMG
You are a genius
This Thread should be moved to General
Glad that the op got his imei & serial back, also that he's posted such detailed instructions (although I think a couple of them won't be necessary for most). For the majority of those who arrive at xda, after breaking their phone by flashing random things they didn't understand it will read like diy brain surgery.
Best option, as always, is to backup the efs -unfortunately it's usually far too late by the time they get to xda.
Sent from my GT-I9300 using Tapatalk
I also had a similar problem. I had IMEI but not valid serial (000000). I solved temporaly using Ariza Patch. But if I can restore the serial using your method.... then I MUST BUY YOU A BEER MY FRIEND!
Some news. In my case I have a correct IMEI but a wrong serial (000000). Resulting in a no network conenctivity.
I've tried modifing the efs.img directly by hand and adding the serial to the serial_no file (it's in plain text). Then I restored using ktool. And nothing. It still says 0000000.
So. Then I tried over adb as you did. echo -n <serial> > serial_no. The operation went succesfully but when I rebooted my phone it still shows 000000.
So I'm guessing (as excepted) these things have protection against tampered serials/imei. Maybe a hash somewhere... But I'm not willing to reverse engineer that (I don't even have the knowledge!).
So....I don't know how you did it. But that step alone doesn't restore the serial number.
---------- Post added at 02:45 PM ---------- Previous post was at 01:56 PM ----------
So I decided to took my investigation a little further.
I had an efs back up so I reproduced all your steps but only on linux.
The offsets of my nv_data.bin are the same as yours. I extracted my new_nv_data.bin from my efs.img (using dd). Then I compared the nv_data.bin extracted mounting the efs.img. They are the same. Not a single bit difference.
I guess it was expected. I just wanted to make sure there wasn't anything wrong with my efs backup.
So. This method really works if you lost you efs partition (corrupted). But In my case (efs not corrupted, IMEI ok, serial 0000), it didn't help.
I bet there's a solution floating around. But there's also a business behind this (all those boxes). So, I don't know if I will be ever be available to fix this by myself.
I'm starting to think that maybe the trick is to format efs (having a backup of course). But I don't know. I'm not that brave haha.
Changing the serial_no file does nothing. That doesn't work for sure. I've tried one more time using root browser and it didn't change from 00000.
Everything is inside nv_data.bin I think. Even the serial. But I guess nobody will tell me here how to correct that so I have network connectivity again without patching.
Anyway, I don't know why so secretive about all this info. I mean, all the boxes out there let you change you IMEI. I bet all the burglers out there already know how to do it. The only ones that still don't know how to do it are the honest people haha. Kind of ironic.
Because it's illegal and gets you five years. Follow the guides on how to restore your efs backup. Discussing imei changing will get the thread locked.
If you don't have backup then pay for a repair.
Sent from my GT-I9300 using Tapatalk
boomboomer said:
Because it's illegal and gets you five years. Follow the guides on how to restore your efs backup. Discussing imei changing will get the thread locked.
If you don't have backup then pay for a repair.
Sent from my GT-I9300 using Tapatalk
Click to expand...
Click to collapse
In my case my phone came like this. I can't return it because I bought it abroad.
I have a backup of my efs. I did restored it. But serial is still 0000. IMEI is FINE. I don't want to change IMEI. Just fix my EFS to have a proper serial. Only way of having connectivity back is ariza patch. But I would love to return my phone to factory state. That is not illegal.
Always wonder how the repair shops are able to restore. Still OP post is informational.
hyperorb said:
Always wonder how the repair shops are able to restore. Still OP post is informational.
Click to expand...
Click to collapse
Yes. Maybe formatting the EFS is the key. Because the phone will regerate a dummy one without errors. And then restore the files individually insted of the whole partition.
But... that's is just a guess. And I'm not willing to try it either. I will start worrying when Samsung releases a decent 4.3 version of the stock firmware. Until then I will stay on 4.1.2 with Ariza Patch.
Boxes
hyperorb said:
Always wonder how the repair shops are able to restore. Still OP post is informational.
Click to expand...
Click to collapse
I think they use tools like the SmartSamBox. I contacted the manufacturer and they claim that you can restore imei and serial with it. A box like that isn't even that expensive. I considered buying one before I tried my final "I must get lucky" shot described in this thread.
lost serial
Gonzakpo said:
I'm starting to think that maybe the trick is to format efs (having a backup of course). But I don't know. I'm not that brave haha.
Click to expand...
Click to collapse
If you dumped an image of it, it can't really hurt you imho.
Gonzakpo said:
Changing the serial_no file does nothing. That doesn't work for sure. I've tried one more time using root browser and it didn't change from 00000.
Everything is inside nv_data.bin I think. Even the serial. But I guess nobody will tell me here how to correct that so I have network connectivity again without patching.
Click to expand...
Click to collapse
Yeah, everything is in nv_data.bin. It's a pity I am not a 100% sure, but I really think I got the serial back though before restoring my original nv_data.bin. Changing the serial_no file now, doesn't do anything, like you say, but I added it to an /efs that was created from scratch after a format. Like you, I am a bit reluctant to try and reformat it again, just to see if that would work, but maybe I will. It won't help you though, because starting out with an /efs from scratch is not an option for you. You won't have an imei in that case.
Gonzakpo said:
Anyway, I don't know why so secretive about all this info. I mean, all the boxes out there let you change you IMEI. I bet all the burglers out there already know how to do it. The only ones that still don't know how to do it are the honest people haha. Kind of ironic.
Click to expand...
Click to collapse
Welcome to the World my Friend
Formatting /efs in fact results in automatic regeneration of file structure, just with a null (but still valid) data. By replacing important files with a working backup you can actually revive your phone, as long as you have valid core files.
Anyway, hats off for the solution. May help someone .
You could also try to mke2fs -n /dev/loop0 (with mounted efs.img), and then read superblocks and restore them with e2fsck -b block_number /dev/loop0.
Wow. Thank you for the answers. For a moment I though I was talking alone hahaha
Well. I made the jump and formatted the efs to see what happens. I was on stock 4.1.2 (the old EFS one == I9300XXELLC_I9300XEFELL1_I9300XXELKB)
Surprisingly, after a reboot the EFS wasn't restored for a dummy one. It was empty. I even tried a wipe from the recovery and it didn't work either.
Then I freaked out (haha) and restored my EFS backup and everything was back to normal.
Conclusion. 4.1.2 is no good for this method? Maybe I should try with stock 4.0.4?
SlashV, what firmware do you refere when you say "G4". Latest Android 4.1.2 (mg4 modem)?
I hope I can reproduce your method. So we can at least help the community with a more tested solution.
SlashV said:
Just to share a successful restoration of a damaged /efs partition on a i9300 without any backup. Maybe this will help someone save their phone or avoid having to send it in for repair. This appears to be the usual advice when the efs partition is damaged and you don't have a backup. You're fsck'ed. However, you might get lucky, like I did. Read on.
The story: I was running the phone with a custom built cm-10.1 and playing Candy Crush when the battery died. After that the phone wouldn't boot. After booting into recovery it appeared /efs wouldn't mount. That puts the phone in a boot loop. Desperation...
The key to the provided solution is that eventhough your parition is damaged, the relevant data (nv_data.bin) may still exist.
Here's what I did. Not all steps may be necessary, but this is what happened to work for me. The steps I think are crucial are highlighted.
!!!AS USUAL, TRY ANY OF THIS AT YOUR OWN RISK!!! In any case, only do this when your efs partition is damaged and won't mount, not when only files in it are missing or something else.
1. Create an image of /dev/block/mmcblk0p3. mmcblk0p3 is the device file for the partition that is mounted as /efs
I did this by logging into the phone while it is in recovery with adb:
Code:
linux# adb root
linux# adb shell
phone# dd if=/dev/block/mmcblk0p3 of=/data/efs.img
phone# exit
linux# adb pull /data/efs.img .
You now have an image of the efs partition. To verify that it is indeed broken, I did a filecheck on the image:
Code:
linux# losetup /dev/loop0 efs.img
linux# fsck /dev/loop0
That gave an "Invalid Superblock" message. The partition is indeed b0rked. No (obvious) way to rescue the filesystem.
2. I still didn't know what to do so I flashed a stock ROM (G4) using Odin. Still boot looping. Since I wasn't sure the partition table wasn't damaged and the efs partition was lost anyway, I decided to check "Repartition", which is generally discouraged, using a pit file downloaded from the forum.
3. I re-rooted using CF-Root. This time using Heimdal from linux. Stock didn't fix things and you need root to access the partitions.
4. Format the efs! It's unusable and I made a backup, so in recovery:
Code:
linux# adb root
linux# adb shell
phone# mke2fs /dev/block/mmcblk0p3
Reboot the phone and voila! A booting phone, but obviously without serial number and a default IMEI. And some screen came up which I think means I was in factory mode. The data in the /efs partition has been rebuilt with a set of default files.
5. I edited some files in /efs/FactoryApp
Code:
linux# adb root
linux# adb shell
phone# cd /efs/FactoryApp
phone# echo -n ON > factorymode
phone# echo -n ON > keystr
phone# echo -n <xxxxxxx> > serial_no
Where <xxxxxxx> is your serial number, found under the battery. Not sure if this did anything useful, but the serial number no longer indicated 0000000 after that.
6. I flashed cm-10.1 again from recovery, because I was experimenting with EFSPro, which requires busybox on the phone. EFSPro doesn't do much for you in this case. So I don't think this is important.
7. Try to recreate an nv_data.bin from the damaged partition! In order to do this I pulled the rebuilt default nv_data.bin from the phone and compared it to efs.img created in step 1.
Code:
linux# adb root
linux# adb pull /efs/nv_data.bin .
linux# xxd nv_data.bin > nv_data.hex
linux# xxd efs.img > efs.hex
Now inspecting the nv_data.hex, it started out like:
Code:
0000000: cccc cccc cccc cccc cccc cccc cccc cccc ................
0000010: cccc cccc cccc cccc cccc cccc cccc cccc ................
0000020: 4d21 5317 00a0 a2f7 1435 5799 529d 129b M!S......5W.R...
0000030: 48bd ca0e 6249 1367 37a5 96c3 39da 19ea H...bI.g7...9...
0000040: 0000 0000 e000 0000 0200 7400 6c00 0000 ..........t.l...
0000050: 0000 0000 0000 8130 0100 0000 0000 0000 .......0........
0000060: ffff ffff ffff ffff ffff ffff ffff ffff ................
0000070: ffff ffff 0200 0000 333a 3476 2020 2020 ........3:4v
0000080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f SP6260_M0_MODEM_
0000090: 3033 2e31 3332 375f 4442 3133 3037 3032 03.1327_DB130702
00000a0: 2032 3031 332d 4a75 6c2d 3136 2032 303a 2013-Jul-16 20:
00000b0: 3035 3a33 3020 0a20 2020 2050 4442 5f4e 05:30 . PDB_N
00000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000 OT_AVAILABLE ...
I then searched for "MODEM" in efs.hex and found several similar entries. So for the next step, you might have to try a few times. I found one at address 0600000:
Code:
0600080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f SP6260_M0_MODEM_
0600090: 3033 2e31 3234 315f 4442 3132 3130 3038 03.1241_DB121008
06000a0: 2032 3031 322d 4e6f 762d 3136 2031 343a 2012-Nov-16 14:
06000b0: 3030 3a34 3920 0a20 2020 2050 4442 5f4e 00:49 . PDB_N
06000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000 OT_AVAILABLE ...
I then extracted a block of data with the size of nv_data.bin from efs.img starting at this address:
Code:
linux# dd if=efs.img of=new_nv_data.bin skip=12288 count=4096
"skip" indicates the offset (0x0600000) and "count" the filesize (0x0200000). I now had a recreated old nv_data.bin.
8. Put the recreated nv_data.bin on the phone and delete backups.
Code:
linux# adb root
linux# adb shell
phone# cd /efs
phone# rm nv_data.bin
phone# rm .nv_data.bak
phone# rm .nv_core.bak
phone# adb push new_nv_data.bin /efs/nv_data.bin
I rebooted the phone and miracle oh miracle. I had my original IMEI back! Not sure if the phone is in optimal condition, but I can make calls and I have mobile data.
Hope any of this may be of any help to anyone. It took me quite a while to figure things out !!
Click to expand...
Click to collapse
dont work on my galaxy s3
I think it's time to get this party started.
There is hope ->> Initial Analysis
I have built a spreadsheet that takes a hexdump of the GPT tables and decodes them.
This provides the means of generating the Partition.xml and Rawprogram.xml.
Also one can learn alot by analyzing the GPT.
With the ability to generate the partition.xml it can then be converted to partitions.txt that the Dragon-Board db_boot_tools (mksdcard) can be used to burn the SD Card.
The ability to build the rawprogram.xml also provides us the opportunity to build EDL roms and flash them using the emmcdl.exe or the QDL download tool for dragonboard.
This means we can build unbrick roms / anything we want and flash it in edl mode unrestricted.
Currently there is available the Factory Samsung EDL Recovery Files for Boot Loader Rev 2.
https://www.needrom.com/download/unbrick-samsung-qualcom-9008-files/
I have looked at them and they are legitimate.
Analyzing the GPT tables included in the EDL package I can determine that these are Standard Qualcomm Bootloaders that operate on a Standard QC partition table.
My theory is that being standard Qualcomm Images the bootloader is unlockable by standard Qualcomm method.
The board_info partition. As seen here.
https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
Another great resource is everything for the dragonboard 820c. Its the same chipset.
A ton of available source code is at our disposal.
In a nutshell because i dont have a lot of time to get into details at the moment.
I ran my first SD Card Test.
Simply burned the Dragonboard 820c SD Rescue image to a sd card.
https://www.96boards.org/documentat...board820c/installation/board-recovery.md.html
To my surprise if you insert this SD Card into the device and boot into download mode.
You will see FRP=OFF.
This proves my theory that the possibility of booting a full system on a sd card is real.
The sd card is read early in the boot chain.
I have to investigate and see exactly how this is setting frp off.
This partition table has the FRP partition.
The note 8 uses the persist partition for the frp switch.
So how the sd card is turing FRP off is the question I am working on answering at the moment.
I can conclude.
The device is definitely reading partitions off the SD Card.
It is beating the FRP lock out of the box.
This means either the stock bootloaders have functionality built in to look for the FRP partition that normally is not present on our devices. Meaning the stock bootloaders can read other partitions of the sd card.
Or somewhere in the boot chain one or more of the dragonboard bootloaders are executing off the sd card.
If that is the case Hope is very Great for us. Dragonboard has available the LK source code that we can modify and build.
Dragonboard also has pre-compiled bootloaders specifically for booting on sd card that we can use.
Also the samsung bootloaders in the EDL files are very promising.
If we can build the aosp system to go with the edl bootloaders ( If they are unlockable ) were golden.
If the Dragonboard Bootloaders are executing on the sd card were even more golden.
If this is the case we can even use the dragonboard 820c AOSP build ( includes sources )
All we really should need to change would relate to hardware differences.
Seems crazy but there is no rational explanation as to how the sd card turns FRP off other than the possibility of somewhere in the boot chain the drangonboard BL is executed on the sdcard.
Unless like i said the samsung bootloaders have the stock qualcomm functionality as well.
Either way you look at it. We defeated the FRP protection by flashing a sdcard and booting with the sdcard in the device. That is enough proof in itself that there is hope.
It would be superb if some of the other Samsung Devs, Like the samfail team would climb on board to work on some of this. I am very skilled in some aspects and in other aspects i could use some help.
Either way give me a couple months and we will be there.
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:
Always follow A String Theory
No pun intended.
A lot can be determined by running the strings command on a elf file. It's sorta google for developers.
Lets take a quick Look.
From the xbl.elf in the edl package.
This is our boot sequence.
SEC Image Loaded, Delta
XBLRamDump Image Loaded, Delta
PMIC Image Loaded, Delta
APDP Image Loaded, Delta
QSEE Dev Config Image Loaded, Delta
QSEE Image Loaded, Delta
QHEE Image Loaded, Delta
RPM Image Loaded, Delta
STI Image Loaded, Delta
ABL Image Loaded, Delta
APPSBL Image Loaded, Delta
DDR Training Image Loaded, Delta
What can we boot from.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_pbl_v2.c
PBL, Start
bootable_media_detect_entry, Start
bootable_media_detect_success, Start
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_hash.c
DDR Frequency, %d MHz
PBL Patch Ver: %d
Core 0 Frequency, %d MHz
Boot Interface:
NAND
eMMC
SDCARD
None
Unknown
Locked or Unlocked
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_logger.c
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
Raw PTE Row 3
Raw PTE Row 0
Load addresses. Re-Base if you have an IDA.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/Build/Msm8998LA_Core/RELEASE_CLANG38LINUX/AARCH64/QcomPkg/XBLCore/XBLCore/DEBUG/Sec.dll
[Config]
Version = 3
MaxMemoryRegions = 64
[MemoryMap]
# EFI_RESOURCE_ EFI_RESOURCE_ATTRIBUTE_ EFI_MEMORY_TYPE ARM_REGION_ATTRIBUTE_
#MemBase, MemSize, MemLabel(32 Char.), BuildHob, ResourceType, ResourceAttribute, MemoryType, CacheAttributes
#--------------------- DDR -----
0x80000000, 0x05800000, "Kernel", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x86000000, 0x00200000, "SMEM", AddMem, MEM_RES, UNCACHEABLE, Reserv, UNCACHED_UNBUFFERED_XN
0x94000000, 0x09400000, "DXE Heap", AddMem, SYS_MEM, SYS_MEM_CAP, Conv, WRITE_BACK_XN
0x9D400000, 0x02400000, "Display Reserved", AddMem, MEM_RES, SYS_MEM_CAP, MaxMem, WRITE_BACK_XN
0x9F800000, 0x00200000, "FV Region", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FA00000, 0x00200000, "ABOOT FV", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x9FC00000, 0x00300000, "UEFI FD", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF00000, 0x0008C000, "SEC Heap", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF8C000, 0x00001000, "CPU Vectors", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF8D000, 0x00003000, "MMU PageTables", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF90000, 0x00040000, "UEFI Stack", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FFD0000, 0x00027000, "DBI Dump", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFF7000, 0x00008000, "Log Buffer", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFFF000, 0x00001000, "Info Blk", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
[RegisterMap]
#--------------------- Other -----
0x14680000, 0x00040000, "IMEM Base", NoHob, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x146BF000, 0x00001000, "IMEM Cookie Base", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x16000000, 0x01000000, "QDSS_STM", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
#--------------------- Register --
0x00620000, 0x00020000, "UFS_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00100000, 0x000B0000, "GCC CLK CTL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00778000, 0x00008000, "RPM MSG RAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00780000, 0x00007000, "SECURITY CONTROL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00790000, 0x00010000, "PRNG_CFG_PRNG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010A3000, 0x00001000, "MPM2_SLP_CNTR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AA000, 0x00001000, "MPM2_TSENS0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AB000, 0x00001000, "MPM2_TSENS0_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AC000, 0x00001000, "MPM2_PSHOLD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AD000, 0x00001000, "MPM2_TSENS1", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AE000, 0x00001000, "MPM2_TSENS1_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01C00000, 0x00007000, "PCIE WRAPPER AHB", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DA0000, 0x00020000, "UFS UFS REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DC0000, 0x00040000, "CRYPTO0 CRYPTO", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01FC0000, 0x00026000, "TCSR_TCSR_REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x03400000, 0x00C00000, "TLMM CSR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x08000000, 0x02800000, "PMIC ARB SPMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05065000, 0x00009000, "GPUCC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06000000, 0x00100000, "QDSS_QDSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06400000, 0x00200000, "HMSS_QLL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A800000, 0x0011B000, "USB30_PRIM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A920000, 0x00010000, "USB_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C000000, 0x00200000, "PERIPH_SS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C800000, 0x00800000, "MMSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17900000, 0x00030000, "QTIMER", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17A00000, 0x00010000, "APCS_GIC500_GICD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17B00000, 0x00100000, "APCS_GIC500_GICR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17800000, 0x00100000, "APCS_CC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x1B000000, 0x01000000, "PCIE WRAPPER AXI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0502A000, 0x00002000, "GPMU_BLOCK0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05026000, 0x00002000, "GPMU_DRAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05030000, 0x00002000, "GPU_ISENSE", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
[ConfigParameters]
# Update count if more than default 30 entries #
ConfigParameterCount = 52
So at a minimum we can see that this bootloader can boot from sd-card. The address table shows where things are loading in memory. This is good for disassembling the elf files.
I really think the sd card can get us a way in.
The Goal
In the end this is the boot sequence we would like to see.
If you looked at the strings in the previous post you will recognize some of the information here.
================================================================================
Successful boot sequence
================================================================================
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
B - 47481 - elf_loader_entry, Start
B - 49027 - auth_hash_seg_entry, Start
B - 49129 - auth_hash_seg_exit, Start
B - 82403 - elf_segs_hash_verify_entry, Start
B - 84905 - PBL, End
B - 86955 - SBL1, Start
B - 182969 - usb: hs_phy_nondrive_start
B - 183305 - usb: PLL lock success - 0x3
B - 186294 - usb: hs_phy_nondrive_finish
B - 190442 - boot_flash_init, Start
D - 30 - boot_flash_init, Delta
B - 197548 - sbl1_ddr_set_default_params, Start
D - 30 - sbl1_ddr_set_default_params, Delta
B - 205509 - boot_config_data_table_init, Start
D - 200659 - boot_config_data_table_init, Delta - (60 Bytes)
B - 410713 - CDT Version:3,Platform ID:24,Major ID:1,Minor ID:0,Subtype:0
B - 415410 - Image Load, Start
D - 22570 - PMIC Image Loaded, Delta - (37272 Bytes)
B - 437980 - pm_device_init, Start
B - 443744 - PON REASONM0:0x200000061 PM1:0x200000021
B - 480161 - PM_SET_VAL:Skip
D - 40016 - pm_device_init, Delta
B - 482083 - pm_driver_init, Start
D - 2928 - pm_driver_init, Delta
B - 488671 - pm_sbl_chg_init, Start
D - 91 - pm_sbl_chg_init, Delta
B - 495442 - vsense_init, Start
D - 0 - vsense_init, Delta
B - 505171 - Pre_DDR_clock_init, Start
D - 396 - Pre_DDR_clock_init, Delta
B - 509045 - ddr_initialize_device, Start
B - 512766 - 8996 v3.x detected, Max frequency = 1.8 GHz
B - 522373 - ddr_initialize_device, Delta
B - 522404 - DDR ID, Rank 0, Rank 1, 0x6, 0x300, 0x300
B - 526247 - Basic DDR tests done
B - 594994 - clock_init, Start
D - 274 - clock_init, Delta
B - 598349 - Image Load, Start
D - 4331 - QSEE Dev Config Image Loaded, Delta - (46008 Bytes)
B - 603808 - Image Load, Start
D - 5338 - APDP Image Loaded, Delta - (0 Bytes)
B - 612409 - usb: UFS Serial - 2f490ecf
B - 616801 - usb: fedl, vbus_low
B - 620431 - Image Load, Start
D - 55418 - QSEE Image Loaded, Delta - (1640572 Bytes)
B - 675849 - Image Load, Start
D - 2013 - SEC Image Loaded, Delta - (4096 Bytes)
B - 683413 - sbl1_efs_handle_cookies, Start
D - 457 - sbl1_efs_handle_cookies, Delta
B - 691892 - Image Load, Start
D - 14396 - QHEE Image Loaded, Delta - (254184 Bytes)
B - 706319 - Image Load, Start
D - 14061 - RPM Image Loaded, Delta - (223900 Bytes)
B - 721111 - Image Load, Start
D - 3233 - STI Image Loaded, Delta - (0 Bytes)
B - 727913 - Image Load, Start
D - 34709 - APPSBL Image Loaded, Delta - (748716 Bytes)
B - 762713 - SBL1, End
D - 680028 - SBL1, Delta
S - Flash Throughput, 94000 KB/s (2959024 Bytes, 31250 us)
S - DDR Frequency, 1017 MHz
Android Bootloader - UART_DM Initialized!!!
[0] BUILD_VERSION=
[0] BUILD_DATE=16:07:51 - Nov 17 2017
[0] welcome to lk
[10] platform_init()
[10] target_init()
[10] RPM GLink Init
[10] Opening RPM Glink Port success
[10] Opening SSR Glink Port success
[20] Glink Connection between APPS and RPM established
[20] Glink Connection between APPS and RPM established
[40] UFS init success
[80] Qseecom Init Done in Appsbl
[80] secure app region addr=0x86600000 size=0x2200000[90] TZ App region notif returned with status:0 addr:86600000 size:35651584
[100] TZ App log region register returned with status:0 addr:916d4000 size:4096
[100] Qseecom TZ Init Done in Appsbl
[120] Loading cmnlib done
[120] qseecom_start_app: Loading app keymaster for the first time
[150] <8>keymaster: ""KEYMASTER Init ""
[160] Selected panel: none
Skip panel configuration
[160] pm8x41_get_is_cold_boot: cold boot
[170] boot_verifier: Device is in ORANGE boot state.
[180] Device is unlocked! Skipping verification...
[180] Loading (boot) image (348160): start
[190] Loading (boot) image (348160): done
[190] use_signed_kernel=1, is_unlocked=1, is_tampered=0.
[200] Your device has been unlocked and cant be trusted.
Wait for 5 seconds before proceeding
[5200] mdtp: mdtp_img loaded
[5210] mdtp: is_test_mode: test mode is set to 1
[5210] mdtp: read_metadata: SUCCESS
[5230] LK SEC APP Handle: 0x1
[5230] Return value from recv_data: 14
[5240] Return value from recv_data: 14
[5250] Return value from recv_data: 14
[5260] DTB Total entry: 1, DTB version: 3
[5260] Using DTB entry 0x00000123/00000000/0x00000018/0 for device 0x00000123/00030001/0x00010018/0
[5270] cmdline: androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.veritymode=enforcing androidboot.serialno=2f490ecf androidboot.baseband=apq mdss_mdp.panel=0
[5290] Updating device tree: start
[5290] Updating device tree: done
[5290] Return value from recv_data: 14
[5300] RPM GLINK UnInit
[5300] Qseecom De-Init Done in Appsbl
[5300] booting linux @ 0x80080000, ramdisk @ 0x82200000 (0), tags/device tree @ 0x82000000
[5310] Jumping to kernel via monitor
U-Boot 2017.11-00145-ge895117 (Nov 29 2017 - 10:04:06 +0100)
Qualcomm-DragonBoard 820C
DRAM: 3 GiB
PSCI: v1.0
MMC: [email protected]: 0
In: [email protected]
Out: [email protected]
Err: [email protected]
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found /extlinux/extlinux.conf
Retrieving file: /extlinux/extlinux.conf
433 bytes read in 71 ms (5.9 KiB/s)
1: nfs root
Retrieving file: /uImage
19397184 bytes read in 2024 ms (9.1 MiB/s)
append: root=/dev/nfs rw nfsroot=192.168.1.2:/db820c/rootfs,v3,tcp rootwait ip=dhcp consoleblank=0 console=tty0 console=ttyMSM0,115200n8 earlyprintk earlycon=msm_serial_dm,0x75b0000 androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.ver0
Retrieving file: /apq8096-db820c.dtb
38134 bytes read in 37 ms (1005.9 KiB/s)
## Booting kernel from Legacy Image at 95000000 ...
Image Name: Dragonboard820c
Image Type: AArch64 Linux Kernel Image (uncompressed)
Data Size: 19397120 Bytes = 18.5 MiB
Load Address: 80080000
Entry Point: 80080000
Specifically what we want to accomplish.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
If we can set this the bootloader is unlocked.
Boot Config @ 0x00076044 = 0x000001c9
From our xbl.elf strings.
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
BigCountry907 said:
This partition table has the FRP partition.
Click to expand...
Click to collapse
The actual FRP partition in this SD recovery image is empty. And so are a bunch of other ones; they all seem to be blanked out with 00s. Maybe they are used for mounting the images? But in that case, what would be responsible for mounting them? I think one of the partitions that actually has an ELF header might be worth looking at.
The sdcard image is for the dragonboard to boot into fastboot mode.
So you are correct. Most of the partitions are empty.
The bootloaders are present on the sdcard.
I havent determined if they are running or not.
The only byte that matters on the FRP partition is the last byte.
00 = FRP Lock Off
01= FRP Lock On.
If you install Liveboot then the log files on bootup are saved.
Looking in that log I can see the sdcard partitions are being mounted.
If you
cat /proc/mounts
You will see many are mounted.
This was just an initial test to see if the sd card would get read on boot.
It does so now im working on building a card with the V2 samfail installed.
My hope is to boot a full system off of the sdcard.
Then development can be done without touching the UFS.
If we can get the bootloaders to run off the sdcard as well this will open a huge door for us.
I will let you know how it goes with my next test.
The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.
I will attach here the first revision of my GPT Decoder Spreadsheet.
It takes the GPT which is the UFS Partition Table and decodes it.
Once the GPT is decoded we can use it to make the following.
Rawprogram.xml >> used for flashing in EDL Mode like emmcdl.exe or dragonboard "QDL"
Partition.xml >> used for making GPT files and the Rawprogram.xml and is used by qualcomm tools like Ptool.py Msp.py ext.
Partitions.txt >> used for flashing sd cards or writable devices using mksdcard script.
So essentially the GPT is the foundation of everything. The GPT is what the samsung .PIT files write.
You can pull the GPT off the device using the shell.
Here are the commands.
The MAIN GPT. Tables
The main GPT is the first 24kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/gpt_main0.bin bs=1024 count=24
dd if=/dev/block/sdb of=/sdcard/gpt_main1.bin bs=1024 count=24
dd if=/dev/block/sdc of=/sdcard/gpt_main2.bin bs=1024 count=24
dd if=/dev/block/sdd of=/sdcard/gpt_main3.bin bs=1024 count=24
The BACKUP GPT. Tables
The backup GPT is the last 20kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
So the start address of the backup gpt is total size in kb of disk - 20kb.
To get the skip= number you have to take the total kb of the disk and subtract 20 kb from it.
This is for the U2 bootloader.
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/backup-sda-gpt.bin bs=1 skip=63916978176
dd if=/dev/block/sdb of=/sdcard/backup-sdb-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdc of=/sdcard/backup-sdc-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdd of=/sdcard/backup-sdd-gpt.bin bs=1 skip=62894080
We will be needing someone to pull the GPT tables from all the bootloader versions except for U2.
I am on U2 and this spreadsheet is for U2.
I will need the other GPT tables to build the unbrick for other bootloader versions.
Look at the spreadsheet and the different sheets in it.
You will get an Idea of how it works.
I use formulas and link to the pasted GPT tables to decode them.
This spreadsheet still needs work so some of the data is manually edited at this time.
But for U2 bootloader rev this spreadsheet is correct.
Use open office to use or look at this spreadsheet. << ITS FREE
Use 7z to unzip the files
NEW possibly very Exciting Discovery.
Don't get too excited because i need to verify but from what i see.
In the AP_N950USQS2BQK2_CL12461033_QB15680825_REV00_user_low_ship_MULTI_CERT_meta
There is a folder called meta-data.
In that folder there is a password protected zip called FOTA.
The password is fotatest1234
I see everything in there is to sign files.
Now what im thinking is related to my first ever android hack several years back.
By generating my own .pk8 and .pem keypair I figured out how to dump the publick key into the keyform used to verify the signature of ota zip packages to flash in a stock recovery.
By taking the key dump and replacing it in the recovery /res/keys.
The group of files in the above mentioned zip file is for signing packages and boot and recovery image.
I believe if I can find where the publick half of the keypair for verifying the boot signature I can replace it and sign my boot and recovery with my own keys. The bootloader still verifies the signature but it passes because its verifying my public half of the keypair against a file signed by my keypair.
I might know already where the certificate is. I need to pull out a old tool.
I wrote this shell script years ago for this very purpose. I think its broken slightly. I was working on it and never finished.
But if you know shell code the errors are easy enough to fix.
The setup will work. Its posted here.
https://drive.google.com/file/d/0B8jitdIyh2NtMHo4Q1ZLbFk3aEE/view
There are a couple of threads I wrote about it.
https://androidforums.com/threads/root-rom-recovery-r-d.975147/
Quick Ho to
make a folder in the home dir called auto-key
unzip the file in there
Signing the zip will work with this.
Just use the keys i sent along in the package.
Only thing is if the recovery.img is alot newer you might have to use the new boot tools.
I havent written them in the software yet.
Under the folder boot in auto-key
Put your recovery.img in the boot folder
cd ~/auto-key/boot
type
./mkboot recovery.img new-ramdisk
that will unpack the recovery.
open the new-ramdisk folder
go to /res in the new-ramdisk
there is a file called keys
delete it
go to the the keys folder in auto-key
~./auto-key2/keys/factorykey/res/e-0x3
copy the keys file to the
new-ramdisk/res folder
cd
cd ~/auto-key/boot
type
./mkboot new-ramdisk patched-recovery.img
it will repack the recovery
Then you have to flash patched-recovery.img to the recovery mmcblk of your device.
You will have to use the dd command in adb if you can.
Not sure what type of access you have with the bootloop.
example command may work for you
just make sure that the patched-recovery.img is in the dir that shell is cd to.
then type
adb push patched-recovery.img /storage/sdcard0
or
adb push patched-recovery.img /storage/sdcard1
whichever one is your sd card.
then type
adb shell
su
dd if=/storage/sdcard0/patched-recovery.img of=/dev/block/mmcblk0p?? "make after the p your correct partition for recovery"
To sign files put them in the tosign folder in the auto-key folder
only 1 file ata a time can be in that folder
run akey.sh
select sign files
select option 1 in the sign files menu.
You will find the signed zip in /auto-key/output.
If you need more help let me know
Now Im not saying do all of that. But im saying Im pretty sure I might be able to use this same process to self sign our boot and recovery images. Then we don't need a bootloader unlock.
Our custom boot and recovery will be certified samsung official.
Just a lot to work on now. The sdcard and now the signing project.
Now were starting to have some real fun.
Sorry to be off topic i hope the sanfail team is on board with u
One more writeup about the recovery signature hack
What happens is that the stock recovery checks the public part of the key pair against a file in the recovery.img ram disk. Usually /res/keys. You can locate this call in one of the recovery log files located in the /cache. When you get your device the /res/keys that is in the ramdisk is generated by the manufacture keyset therefore limiting the update.zip to be signed with the manufacturer keys.
So I have tested and found a way to change that. Like I said I have tested and it works. If you pull your stock recovery image or get it from a factory update.
Take that recovery.img and split it into the seperate kernel and ramdisk.
Extract or mount the ramdisk -cpio.
Generate your own set of private keys using the same public exponent as the factory rom.
Example and probably most common: Exponent: 3 (0x3)
Example: Releasekey.x509.pem and Releaseke.pk8 generated with Exponent: 3 (0x3)
Take the new keys and use DumpPublicKey.jar to create a new keys file.
Replace the /res/keys file with the one created from your keys.
Repack the ramdisk.
Repack the recovery.img using the correct offsets.
Either flash the new recovery.img to the device or use fastboot to boot it.
Example: fastboot boot recovery.img
Now take an update.zip and edit the updaterscript so that it will fail at an assert / unless you actually want to flash the update.
Sign the update zip using your .x509.pem and .pk8 keypair. You have to use the signapk.jar with the -w option else it wont work.
It will pass the signature verification of the recovery for sure.
We just did the same thing that the manufacturer does with there keys.
I dont anticipate any problems with the bootloader because the new recovery.img is identical to the original recovery.img except for the /res/key is your key.
The boot loader isn't checking that key "that i know of" so it doesn't know anything is different.
And that is how to load any update you want. You sign it with your own key. You make the recovery.img /res/keys with the matching keys.
Now if you are a developer you could probably figure out how to do all of the above.
Otherwise there is a lot more to it than it seems.
Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?
BigCountry907 said:
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:
Click to expand...
Click to collapse
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol
BigCountry907 said:
The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.
Click to expand...
Click to collapse
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard..
even in edl, edl doesnt per say let the phone boot unsigned firmware.. its merely a flashing mechanism.. so it will allow you to flash just about anything if using signed programmers and everything else is proper but if that firmware is not signed the device will not boot due to secure boot..
the private key is burned into hardware at the factory..
with that being said, i would look at the non volatile partitions that arent required to be signed and see if theres anything there that we can modify to help in unlocking the bl.. partitions like param, or steady or misc etc etc that we could modify and flash in edl and still boot as its not checked for integrity if that makes sense lol
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
dunno bout newer devices but s7 and s6 etc. the unlockable sd variants use crom.apk (their bls have a crom lock)... pushing req libs with root and running logcat while running crom it writes a "KIWIBIRD" flag to the steady partition then when device boots it reads it and bl is unlocked..
On newer locked sd devices theres an eng mode.. theres an eng cert that gets flashed in odin that i believe writes to stead or param, not sure lol but u get the point..
just trying to say theres other routes to look at that i think would be more viable.
i spent close to a year messin with edl on msm8998 (s8+ g955u), it is a viable way in if u can figure it out.. unsigned firmware like boot.img, recovery.img and the usual partitions never booted for me.. always secure check fail even when flashing with edl..
theres an old read but decent and somewhat related to sdcard.. samsung devices used to have an option in odin called t. flash that was supposed to flash the stuff in odin to an sdcard in the device.. i think he crafted a boot.img then tflashed stock or somethin like that lol.. it was yearsago so surely patched unless sammy goofed and quitely re-enabled it lol
to add after reviewing further, the dragonboard 820c is closest to snapdragon 820 which was in the S7 devices.. or similar to msm8996.. note 8 was msm8998 or closer to snapdragon 830? if that exists lol
Rip
dazemc said:
Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?
Click to expand...
Click to collapse
I'm not saying to do the recovery.img mod.
I'm saying use that as a template to be able to sign our own boot and recovery images.
First
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der
Second
Signing the boot image
Using the BootSignature.jar file sign the boot image using the keys generated above
If we look in that fota.zip
the path is /fota/OTA/tools
We have a boot_signer.sh and BootSignature.jar
Looking in the boot signer script we see.
#! /bin/sh
# Start-up script for BootSigner
BOOTSIGNER_HOME=`dirname "$0"`
BOOTSIGNER_HOME=`dirname "$BOOTSIGNER_HOME"`
java -Xmx512M -jar "$BOOTSIGNER_HOME"/framework/BootSignature.jar "[email protected]"
So to sign the boot image our command would be.
Code:
java -Xmx512M -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
To check the signature
Code:
java -jar BootSignature.jar -verify boot_signed.img
Now if we had Samsungs .pk8 and samsungs .x509.der things would be easy.
The .x509.der we can get off the device its got to be in the ramdisk.
But the .pk8 is the private key and usually we can't get that.
The thing is maybe we can.
The variable "[email protected]" has to be these keys and if the boot.img is getting signed on the device after a patch or update then its hiding somwhere. If we can find that we can sign our own boot.img and the device will say there samsung official.
The other option is where I was talking about what I did to the recovery image.
Some Where there is the KEY used to verify to boot.img signature.
In the case of the recovery and flashing update zips it it the /res/keys found in the ramdisk.
The /res/keys is a dumped form of the keypair made by using dumpkey.jar also found in the /fota/OTA/tools.
By running dumpkey.jar against our custom signing keys we get the form of the key used in /res/keys.
If the boot.img signature scheme used the same method all we need to know is where the equivalent /res/keys is at and replace it with ours.
It could very well be in the ramdisk.
For me to make this work what i need to know is where is the KEY that is used to verify the boot.img signature.
Or if we can get the "[email protected]" variable output in the boot_signer script then we will have both keys.
I highly doubt but it could be possible there hard coded in the BootSignature.jar thats in the fota folder.
It would be helpful if I had a copy of any OTA Update that someone pulled off a device before they installed the update. Preferably a full update from one android version to the next like going from N to O
MY Questions are.
Anyone out there have a copy of a OTA Update?
Anyone know the location of the KEY used to verify the Boot signature?
Has anyone installed an update and seen the update package unpack / repack and sign the boot.img or any log refering to the verification of the boot signature.
If the update unpacked the boot then it had to sign it.
Hopefully you understand now what direction I am headed in with Auto-Key script.
All the code to manipulate the keys I have written in the akey.sh already.
If we can sign our own boot and recovery we don't need to unlock the bootloader.
My final question is
Is the Kernel signed also? Or since the DM-Verity days are they only relying on the boot.img signature.
elliwigy said:
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol
Click to expand...
Click to collapse
I wasn't thinking of reporting the FRP trick.
There are a ton of ways to accomplish the same thing.
If you
Code:
dd if=/dev/zero /dev/block/sda5
and
Code:
dd if=/dev/zero /dev/block/sda12
Well FRP lock = off.
I just hate the Idea of someone using my work to profit from samsung.
I love for people to use my work and to contribute to it to help everyone.
So screw the money I just want to help.
Cool to know that you did get paid though.
elliwigy said:
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
Click to expand...
Click to collapse
This is the main reason I like the Samsung EDL Bootloaders.
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
Click to expand...
Click to collapse
The EDL package is QUALCOMM. It lacks the Samsung Customization.
If it is possible to take those bootloaders that are signed and build the rest of the android system its hard to tell what we could end up with. Maybe the bootloaders in the EDL have the ability to be unlocked by the normal Qualcomm method that utilizez the DEVINFO partition that is present on our devices.
Have you looked at that yet?
Code:
greatqlte:/ # hexdump -C -v /sdcard/devinfo.img
00000000 41 4e 44 52 4f 49 44 2d 42 4f 4f 54 21 01 01 00 |ANDROID-BOOT!...|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Looks Pretty Familiar.
Bootloader Unlocking
For some devices, such as several Xiaomi ones, partition flashing is sufficient for being able to unlock the Android Bootloader (which disables the verification of the rest of the chain):
[Primary Bootloader (PBL)]
|
`---NORMAL BOOT---.
[Secondary Bootloader (SBL)]
|-.
| [Applications Bootloader (ABOOT)]
| `-.
| [boot.img]
| |-- Linux Kernel
| `-- initramfs
| `-.
| [system.img]
|
`-[TrustZone]
The bootloader locking bit of such devices is held in the devinfo partition, parsed by the Android Bootloader.
Attackers can simply flip the lock bit, to load an arbitrary boot image. This will not cause any factory reset.
Reading devinfo using our framework prior to the attack yields the following output:
> hexdump devinfo.bin
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00 ANDROID-BOOT!...
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Setting 1 at offsets 0x10, 0x18, and flashing the modified devinfo will unlock the bootloader:
No im not saying that Ive tested this yet. But it is a possibility.
My guess is that the EDL bootloaders that Lack Samsung Customization including KNOX might and I say again Might read the devinfo partition.
It is there for some reason. So the Question is Why??? What does it do.
That is the reason for my interest in the EDL Firmware.
Code:
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard.
Again this is misinterpretation.
I'm not saying we are going to run the dragonboard firmware on our devices.
If you know the dragonboard tools some of them are very useful.
It is proven already the sd card can indeed influence the devices operation.
Basically I am utilizing some dragonboard tools to replicate what odin does to the sdcard when you use T-FLASH.
The sd card is very viable and a great means of testing. BUT also a lot of work.
Dragonboard 820 is as close to the actual source code we are going to get right now.
If you dig down in the bootloaders you will find many reference to msm8996 source code.
The msm8996 and msm8998 share a lot.
And Little Kernel is Little Kernel.
Liarno has good source trees that are for building LK with different functions.
If we can unlock the bootloader and run our own LK thats sure where id start.
Also for understanding how LK works and the different functions what better of a source than a very well documented one.
I actually have quite a bit of Leaked Qualcomm Source Code. Its a bit older but still very viable.
More than enough to understand how the security mechanisms work if you really dig into it.
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
Click to expand...
Click to collapse
Thank You very much for pointing this out.
There are uses for that for sure.
The sd card working or not working to accomplish anything all depends on how the samsung and the EDL bootloaders are written.
THEY DO SUPPORT THE SD.
I'm just looking for that one quirk that gets us a way in.
Its like looking for a needle in a haystack.
Its never expected to be there and found entirely by mistake. After you step on it.
If you don't play in the haystack you will never step on the needle.
Thank you again for your insight. If you have any other knowledge of things like that it all helps.
Maybe that is a way to trigger the SD.
The process of debating always leads to something.
Like setprop sys.boot_mode ffbm.
If everyone shares there finds eventually putting them all together gets something accomplished.
pbedard said:
Rip
Click to expand...
Click to collapse
RIP what?
This party is just getting started.
Pay attention.....you might be surprised how much you can learn.