hi all
My theory is this, but I ask all of you first if this has already been tried. OTA updates are all signed with, I imagine, official OTA keys, so your device will install the update no matter what.
Now my question is: is there any way of reverse engineering the OTA signed zip files to figure out what these keys are, so that we can make a ROM that will enable root on devices with perfected SPLs?
All information is appreciated.
Thank you
If you have any place for me to download the T-Mobile OTA updates I'd be happy to look at them for you
I'm not a programmer or lawyer, so take my word with a pinch of salt. Wouldn't this need reverse engineering, making this whole deal illegal?
Required reading:
http://en.wikipedia.org/wiki/Public-key_cryptography
aron7awol said:
Required reading:
http://en.wikipedia.org/wiki/Public-key_cryptography
This. We need T-Mobile's private keys to sign the update, which won't be happening. If you can "reverse engineer" that then get ready to be famous, cause you just broke modern cryptography.
keemyb said:
I'm not a programmer or lawyer, so take my word with a pinch of salt. Wouldn't this need reverse engineering, making this whole deal illegal?
Depends on what country you live in. In the US, probably. In most other countries....probably not.
Those who know little about serious cryptography often assume that a particular encryption method is safe if nobody has cracked it. However, as the eminent cryptographer Bruce Schneier pointed out in his Crypto-Gram Newsletter dated 15 February 2003, "That's actually backwards. In the world of cryptography, we assume something is broken until we have evidence to the contrary." By this he means that an encryption method can be fully trusted only if it has been subject to rigorous and critical analysis by experts to check its resistance to all known cryptanalytic attacks.
While it is true that it's pretty much impossible to crack it, you can delete the keys and make your own. Although, I'm not exactly sure this is what he is looking for...
It's encrypted; although you have a public key, you can't change an update since it breaks the signature... you also can't sign an update since you don't have the private keys... basically, no.
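The points made above (the device only needs the public key to verify, any change to the package breaks the signature, and a package signed with some other key is rejected unless the device's trusted key itself is replaced) as an added illustration, not code from the thread or from Android: a toy textbook-RSA-over-SHA-256 model with throwaway keys, not a real OTA key format or padding scheme.

```python
"""Toy model of signed-update verification (constructed example, not Android's code).

Textbook RSA over SHA-256 with small throwaway keys. Real verifiers use proper
padding (PKCS#1 v1.5 or PSS) and much larger keys; the mechanics shown here,
public key verifies, private key signs, are the same.
"""
import hashlib
import random

PRIME_BITS = 256  # toy size so the demo runs quickly; real keys are far larger


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic, good enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand, rng):
            return cand


def _modinv(a, m):
    """Modular inverse via extended Euclid; a and m must be coprime."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m


def generate_keypair(seed):
    """Return ((n, e), (n, d)); seeded so the demo is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(PRIME_BITS, rng)
        q = _random_prime(PRIME_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, _modinv(e, phi))


def _digest_int(package):
    return int.from_bytes(hashlib.sha256(package).digest(), "big")


def sign_package(package, private_key):
    """What the vendor does when building an update: needs the private key."""
    n, d = private_key
    return pow(_digest_int(package), d, n)


def verify_package(package, signature, trusted_public_key):
    """What the device does before installing: recompute the hash and check it
    against the signature using only the public key it ships with."""
    n, e = trusted_public_key
    return pow(signature, e, n) == _digest_int(package)


def demo():
    """Walk through the scenarios debated in the thread; returns each outcome."""
    vendor_pub, vendor_priv = generate_keypair(seed=1)  # key baked into the device
    own_pub, own_priv = generate_keypair(seed=2)        # a key someone generates themselves

    package = b"PK..constructed-update-payload..version=1.6"  # stand-in for an OTA zip
    vendor_sig = sign_package(package, vendor_priv)
    own_sig = sign_package(package, own_priv)

    return {
        "genuine_package_verifies": verify_package(package, vendor_sig, vendor_pub),
        # one changed byte changes the hash, so the vendor's signature no longer matches
        "modified_package_fails": not verify_package(package + b"x", vendor_sig, vendor_pub),
        # a signature from a different private key fails against the device's trusted key
        "foreign_signature_fails": not verify_package(package, own_sig, vendor_pub),
        # only after replacing the device's trusted key with your own does your signature pass
        "own_key_after_swap_verifies": verify_package(package, own_sig, own_pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```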
It depends on the strength of the encryption. If it is AES-128, good luck, you ain't never cracking it. If it's RSA-512, it could be cracked by 1 person in 2 months, or by a team of people, say using BOINC, in 2 days. We cracked all the OS signing keys for the entire line of Texas Instruments graphing calculators and got a DMCA takedown as well. We got EFF lawyers working to make sure we can keep working.
http://www.ticalc.org/archives/news/articles/14/145/145273.html
http://www.ticalc.org/archives/news/articles/14/145/145377.html
Isn't it illegal though to be cracking this stuff?
Not saying you would get caught, but if you did you may or may not be charged.
But it's easy to root, so why try another approach?
What would make it illegal?
YOU own the equipment.
The modifications you do to your equipment do NOT enable you to break the law and DEFINITELY do not MAKE you do illegal things.
Wow, thanks for everyone's replies. The only reason I question is that all the new Android devices come with perfected SPLs, which either conquer or make it very hard to gain root, so my theory was that if we could get these keys we could make ROMs signed by 'Android' which would contain modified SPLs and recoveries.
A will a way..
With modern encryption... there are very few people who understand it... IT CAN BE BROKEN. Now if you want to read about a sort of physical encryption, check out quantum cryptography.
sync3 said:
With modern encryption... there are very few people who understand it... IT CAN BE BROKEN. Now if you want to read about a sort of physical encryption, check out quantum cryptography.
I'm seeking some help on cracking this on a specialised Java programming site, so hopefully with some success we may have a solution.
redmdc said:
I'm seeking some help on cracking this on a specialised Java programming site, so hopefully with some success we may have a solution.
It's still a terrible idea. You'll make T-Mo very, very angry at both you and XDA, with almost zero real gain. The rooting process is trivial, and it works. I'd also recommend talking to a lawyer if you really intend to proceed.
It's only for personal gain, 'wink wink'. I can do what I want with my own device as long as I do not distribute it intentionally.
Actually, so long as you don't distribute any code or products themselves considered proprietary to T-Mobile, if you reverse-engineer their encryption key, there's nothing they can legally do about it.
What I mean by the above is that if we treat the decryption process in a manner similar to how Cyanogen does his current ROMs, and stick to simply releasing OSS-derived code, there's really nothing that T-Mo or anyone else can do 'bout it. The trouble with this is that it would require somehow maintaining the drivers for the SPLs on the device while only modifying the portions that lead to root.
I ASK THAT YOU READ ALL THIS BEFORE I GET TO THE FIX, BECAUSE THIS IS A MULTILAYERED TOPIC. I WANT EVERYONE TO READ THIS, NOT JUST DEVS OR SENIORS, BUT ALL THE LURKERS AND MEMBERS WHO'VE NEVER POSTED. I WILL ACCEPT ALL SUGGESTIONS AND IDEAS.
THAT MEANS YOU. AND YOU. AND THAT'S RIGHT... EVEN YOU!
IN THIS POST, I WILL DISCUSS BRIEFLY MY PLANS FOR THE FUTURE OF MY HERO, HOW I WILL BRING MY SUCCESS TO PHONES AROUND THE USA, HOW I WILL JOIN THE LEAGUES OF DAMAGE, AND FLIPZ, AND ESPECIALLY DARCH, WHO, WHILE WATCHED FROM A DISTANCE, WHEN THE TIME CAME FOR IT, BROUGHT ME THE ANSWER. AT THE END, I HAVE A VERY IMPORTANT QUESTION, TO BE FOLLOWED BY THE FIX [EDIT: REALITY; COMING SOON] [sooner with your support!]
3-year lurker. XDA is the only forum I've taken part in in the community, and to a small success. I've actually managed to help and learn, and now it's time I give back to the community.
I FIRMLY BELIEVE I HAVE THE SKILLS REQUIRED TO BRING SOMETHING NEW TO THE TABLE, AND HAVE ENOUGH TO SPLIT IT BETWEEN EVERY PERSON SITTING AT THAT TABLE. WILL YOU JOIN ME AT THIS TABLE?
If anyone has ever looked at my profile, then you know I've only been a member since March 25th, and have been made a senior in just over a week (not that I'm bragging...). I'm no spammer, all my posts have been legit, and I have actually helped people. I still consider myself a noob, but I do believe I have earned my seniority, and hopefully the support of all the main devs, who have helped me beyond belief, and have responded to any major question I had, especially with what I've been working on lately.
If you've logged on within the past 2 weeks, and followed my posts at all, then you know that even if I don't know the answer, I offer suggestions, and more importantly support. I extinguish flames, stomp on the trolls, and still manage to bring my ideas to the table, so it's time to test and see if I can make these ideas come true.
I cannot do this without your help.
I am now going to quote one of the best devs on this forum, with the fix.
darchstar said:
mountaindont said:
wanna hop over on my trackball fix thread?
I'm so damn close, I can see the lights!
...get it?
I'm uploading the directory we gotta mess with now. I just know you can help!!
I think your best bet would be to write an app to keep the trackball light forever on instead of trying to rewrite most of the frameworks and deal with all the dependencies to fix the trackball light.
If you really want to go and make the trackball stay always on by rewriting some code, I'd suggest you first look inside the framework jars with baksmali and find any lines which reference the trackball, and see if you can somehow manipulate it to constantly echo 1 to the trackball LED device in /dev to constantly stay on.
If I'm going to start understanding the Android platform to the degree that Darch and co do, the best place to start would be writing my first application (this will expose me to the framework, the commands, and how to manipulate the OS like never before). Something I've looked into, and have tried a couple things.
-keeping in mind that, in all reality, Sprint's final release will give the option to decide light or touch responsive... at least, I hope so...-
I get my laptop back tomorrow, and I will be studying the SDK to the T, and with the support of you guys, I will write an app to work on any 2.1 ROM that will give you the option to keep the trackball light on or let it remain light sensitive [beta, first release] and eventually, options that will blow your mind. Things that Handcent might incorporate, so you only have to use this app to pimp out the stock messaging app. Speed of flash. Customize vibration. Haptic feedback when clicking the trackball (links, function buttons, or just sitting on your homescreen, and you get that urge to just enjoy the pleasure of your customized vibration.) [future release, always FREE]
I don't know how long it will take me to learn the SDK enough to set something up from nothing and make this far-fetched idea. I was hoping that someone could give me the source code to a related app; Handcent would be amazing, but something like Trackball Alert for the Nexus One (it's something, not nothing :-\) would be cool too. Or if you have programming skills, please, let's team up, I'm reading tutorials now. If I can complete "Hello Android", I'm sure I can make this happen.
THIS IS THE QUESTION THAT I ASK OF THE ENTIRE XDA COMMUNITY (lurkers, seniors, devs, and members who just want to test and give feed back)
WILL YOU SUPPORT ME?
If I ask a question (don't worry, this thread you're reading now has gone through four topic changes to avoid clutter, I'll be sticking with this thread for updates, releases, and changelogs - I might start one more thread to keep up on bugs -) will you help? Will you subscribe and help my idea come to life, and bring a whole new customization option app? Will the main devs take part, seeing as how this app could very well be included in future releases of their ROMs (I'll talk about my ROM ideas in another update)? Will the seniors with a sick attitude be able to put their frustrations and rude answers in their pocket while posting in this thread? Bring positive energy in, with advice and suggestions, and cries of "good luck!"?
If it's a team effort, it's hardly an effort at all.
The basis of what we have so far: I know what files need to be edited, this time I'm sure it's [sys/class/leds/button-backlight]. In this directory, there are sensor files, a "trigger file" (quite sure this will play a major role) that contains a series of commands that seem to tell the backlights and sensors how and when to act. I'm sure apps like Handcent and Trackball Alert mess with the same files (and if not, what do they mess with to make these changes? Would installing and taking a look at the permissions be a good place to start?). Anyone know how to get in touch with the devs, or some source code of an app that affects the trackball? This would be a great start.
Quick rundown of my ROM ideas. Some of you read my MAJOR INTERNAL MEMORY ISSUE thread, where you all rose magnificently to the occasion, and I couldn't be happier. It was true team work, something I know we can do if we just unite like we did yesterday. You all solved my problem, and have proven to me the members of XDA are capable of anything, especially when united.
The fact is, damage's latest leaks are the best platform to build upon, as when the final release surfaces and we get an official RUU, it will work truly flawlessly. So this is most certainly what we need to base the app off of at first, as it's the only one with the closest trackball fix. If darch and flipz and fresh all want to incorporate it into their ROMs, they are more than entitled to, as I hope to get help from them in certain areas. My issue with the latest Sprint leak: the OS is so big, it leaves you with barely any internal memory, and you pretty much have no choice but to use a2sd. I've never had to use a2sd on my Hero, and this is disappointing (damage, this is NOT a shot at you, it's a fact, one I plan on helping you address. I'm in the middle of working on a cleaner foundation for you to work on). The ROM will be fully "sensable" with some tweaks like that of no other. I will build on the foundation you've laid, to create a new foundation for you to build on (once more leaks surface).
I'm off for the day, except for occasional visits on my Hero, so please feel free to comment. I'm looking for someone to help build this app, so anyone with app programming skills, PM your GTalk and we can chat about ideas. In the meantime, maybe someone knows an open source app that would allow us to build off it?
Dear damage, darch, and flipz, please PM me your GTalk if you're interested... although I could understand if you're too busy with your ROMs. I don't mind taking on the load, as long as I have your support and can ask for help. I will not cross the line and ask for the RUUs you've been getting, damage, but I would love to hear your plans for future releases, and whether or not you might be interested in using my app and perhaps helping develop it.
c.a.l.i.n.g. a.l.l. d.e.v.s.
It is light sensitive. Tested by placing a finger over the sensor above the Sprint logo (upper right); flicked the trackball and it comes on. Hopefully that helps. Believe me, I know how it is when you ask a question or look for help and you get nothing.
mrbook said:
It is light sensitive. Tested by placing a finger over the sensor above the Sprint logo (upper right); flicked the trackball and it comes on. Hopefully that helps. Believe me, I know how it is when you ask a question or look for help and you get nothing.
A quick search in damage's thread (which I hate doing, his threads fill so fast, and questions get buried, right along with the answer) gave me the same conclusion. But the fact is, I want a constant trackball LED, and I'm sure if people had the option, more people would want it too. Most view it as a minimal bug, so don't bother. I guess, for me, the other bugs are so minimal that the trackball's LED has become the biggest issue.
Could someone please help? I spend a lot of time on here helping as much as I can; I'd really appreciate it if someone with the same desired goal could devote some time to it. I'd be willing to help in any manner.
I'm sitting in my basement with all the lights out posting this, just to spend time with my long lost TB LED.
BUMP
Did you try to turn off the Auto brightness feature for the display to see if this stops the Trackball from not turning on?
dcdave63 said:
Did you try to turn off the Auto brightness feature for the display to see if this stops the Trackball from not turning on?
I have auto brightness off and it has no effect on trackball led.....
chfields said:
I have auto brightness off and it has no effect on trackball led.....
Yes, I've been playing with the power control widget since first flash. No joy. Thanks for the idea; have any more?
anyone?
bumpedybumpbump
Trackball Alert
There's a dude from the UK that builds an app for the N1 that brings the ability to choose your own color and rate of the trackball light. Try to send him an email and see if he wants to jump in. The app is called Trackball Alert. It says it's only for the N1 though.
Hope you can find a solution.
energizer1389 said:
There's a dude from the UK that builds an app for the N1 that brings the ability to choose your own color and rate of the trackball light. Try to send him an email and see if he wants to jump in. The app is called Trackball Alert. It says it's only for the N1 though.
Hope you can find a solution.
Yeah, I've seen the app. I will make sure to do that; I hope the Brits want to help.
I'm sure us on XDA could find a solution, however.
I really hope Sprint doesn't plan on releasing 2.1 like this. I'd be sorely disappointed.
Believe me, I understand what it's like to have a feature that's important to me and nobody else seems to care about. We all paid good money for these phones, and continue to pay good money every month for service, so I think that gives us each the right to at least ask about the things that we care about. (Well, unless you're trying to use Sprint VVM instead of GV. That's just plain dumb.....)
As far as the trackball light behavior goes, I think you're probably screwed. That's something that will most likely have to be changed in the source code of whatever is controlling it. That seems to me like something that's probably coded in at a very low level of the OS itself. (Well, not the OS, actually. The OS is Linux. But it's probably hardcoded into the Android framework.)
As good a job as the rom devs on xda do, it's not like they're actually creating this software. They're just taking what others have created and packaging it in a way that works on our phones. My guess is that the people who can make the change you're asking for work in HTC's offices...
As far as the different colors, good luck. There's a reason that tweak only works on the N1. It's the only phone that has different colored LEDs back there to light up. You can be the best programmer in the world, but you still can't turn on a red light if the only light available is white......
subliminalurge said:
Believe me, I understand what it's like to have a feature that's important to me and nobody else seems to care about. We all paid good money for these phones, and continue to pay good money every month for service, so I think that gives us each the right to at least ask about the things that we care about. (Well, unless you're trying to use Sprint VVM instead of GV. That's just plain dumb.....)
As far as the trackball light behavior goes, I think you're probably screwed. That's something that will most likely have to be changed in the source code of whatever is controlling it. That seems to me like something that's probably coded in at a very low level of the OS itself. (Well, not the OS, actually. The OS is Linux. But it's probably hardcoded into the Android framework.)
As good a job as the rom devs on xda do, it's not like they're actually creating this software. They're just taking what others have created and packaging it in a way that works on our phones. My guess is that the people who can make the change you're asking for work in HTC's offices...
As far as the different colors, good luck. There's a reason that tweak only works on the N1. It's the only phone that has different colored LEDs back there to light up. You can be the best programmer in the world, but you still can't turn on a red light if the only light available is white......
I exchanged a PM with regaw, who is working closely with damage in building and testing the leaks. He seems fairly certain it's a matter of messing with an XML file. Let's cross our fingers for more information.
Anyone have any clue what .xml file defines when and how the TB lights up?
mountaindont said:
He seems fairly certain it's a matter of messing with an XML file. Let's cross our fingers for more information.
That could be, too. Will be cool if it is. I'm still working on getting a full understanding of the Android framework, but that could be in an xml file now that I think about it.
That said, I stand by my point that these guys aren't exactly writing software from scratch. There comes a point where they can only do so much with the programs that they're repackaging.
Once that point is reached, it's really not fair or realistic to ask them to do much more until the real developers release new software and it gets leaked again.
subliminalurge said:
That could be, too. Will be cool if it is. I'm still working on getting a full understanding of the Android framework, but that could be in an xml file now that I think about it.
That said, I stand by my point that these guys aren't exactly writing software from scratch. There comes a point where they can only do so much with the programs that they're repackaging.
Once that point is reached, it's really not fair or realistic to ask them to do much more until the real developers release new software and it gets leaked again.
I completely understand what you mean, and wholeheartedly agree. damage is getting these leaks from someone and simply modifying them for better performance, and working out the bugs Sprint hasn't quite got ironed out yet.
But!
Originally, these 2.1 ROMs were based on the Eris and Legend leaks, meaning the devs have a sound understanding of taking the given software and rewriting it to work on the Sprint network/our hardware.
It can be done, a simple edit of an XML file, and if we team up, I see no reason it couldn't be done, and rather easily at that.
I do regret I have no knowledge in this regard, but I know it's a patch a lot of people would jump on and definitely appreciate. damage and all the rest are artists; maybe it's time we give back, ya know? I wish I could be more of a help, but for now, all I can do is bring the devs together in hopes to make a speedy and stable patch.
If any devs are reading this, I just want you to know us here at XDA do appreciate your work, and I hope us Joes can give back in some way.
I guess edits don't bump lol
sooo...
ahem
BUMP!
bumpedybumpbump
can someone help?
is no one awake?
It's fridaaaaay!
I'm off for the night... any late night noobs or pros wanna take a look, you can easily use Root Explorer to view and edit the files. Hopefully you'll have more luck than I have (remember it's an XML file!)
sys/class/leds/button-backlight/
g'nite
correct me if I'm wrong, but I didn't think Damaged2.15 even touches those portions of the OS. I think you should be looking in the /system/lib/hw/ folder.
robchaos said:
correct me if I'm wrong, but I didn't think Damaged2.15 even touches those portions of the OS. I think you should be looking in the /system/lib/hw/ folder.
okokokok, let me take a look
!!!!
I think that there are conflicts within there. Most of those files are self-explanatory, but what are the gralloc.default.so and gralloc.msm7k.so libs? IIRC the Droid guys had keyboard issues and those files were included in the fix, so it's possible they affect the lighting in some way. I don't think we can pull those files though; it didn't seem to want to boot after that. I think gralloc also has to do with OpenGL.
robchaos said:
correct me if I'm wrong, but I didn't think Damaged2.15 even touches those portions of the OS. I think you should be looking in the /system/lib/hw/ folder.
Dammit, I was just trying to sleep.
I was told the file we need is an XML file, and I don't see any in there. HOWEVER, I do see lights.msm7k.so
and sensors.goldfish.so/sensors.heroc.so
Which one should I look at first?
robchaos said:
I think that there are conflicts within there. most of those files are self explanitory, but what are the gralloc.default.so and gralloc.msm7k.so libs? IIRC the droid guys had keyboard issues and those files were included in the fix, so its possible they affect the lighting in some way. I don't think we can pull those files though, it didn't seem to want to boot after that. I think gralloc also has to do with opengl.
I was wondering what those two were also... no idea.
I DO know the file we need to fix is an XML file... should be just a change of a command (or perhaps an addon), but I don't see a single XML in the entire system/ folder...
Suggestions?
Hi,
I've been following the progress on Milestone hacking for quite a while now.
Some days ago I started intensive research on the Milestone hardware myself.
So here's some interesting discovery.
Thanks goes out to XVilka for putting this down on the wiki so fast
Of course this is just the starting point for a new hunting....
As you might see many signals are not identified yet.
Essential:
TDO
TDI
TMS
TCK
RTCK
Possible:
EMU0
EMU1
Optional:
DEBUG_UART_RX
Someone needs to unsolder the CPU and trace these signals on the mainboard.
So if you've got a broken mainboard, it would be welcome for scientific examination.
This of course would not give us an open bootloader, but might open the door for some promising attempts to debug the platform more intensely.
UPDATE:
All signals have been identified. Unfortunately JTAG access to the ARM core and other units is blocked.
EDIT:
O.k. now that xvilka has put my detailed pics in the droid-developers wiki, no need to hide it anymore.
Find my updated pics attached.
In fact JTAG access is blocked by the security mechanism on the Milestone.
So all that is accessible is the main TAP controller... everything else is blocked.
No access to the ARM core... nothing except ID could be retrieved.
Have a look at my resignation post here:
http://forum.xda-developers.com/showpost.php?p=11759352&postcount=54
Anyway, the journey was a fun thing and I learned a lot about the ARM core internals including TAP units inside OMAP.
The craziest thing was, to realize that all this incredible security stuff really depends on one hard-coded bit... called the "HS-Bit".
If you need more info, tell me!!
Cheers,
scholbert
Software tool
We might use the famous OpenOCD for debugging, once we've got the full pinout.
Look here for further details about it:
http://elinux.org/BeagleBoardOpenOCD
Have fun!
scholbert
This looks very much fun, but how is this going to benefit an end user?
^^ How does "unlocked bootloader" sound to you
Well said and nice to see some reaction here also.
Sure that's fun... at least for me... and it's to widen your knowledge.
I joined this forum some time ago and it is still called xda-developers.
Maybe I'm a little old-fashioned, but that's what is still driving me... development.
By initiating this thread I was aware there's no benefit for the end user right now,
but the more people stumble over here, the more there's a chance to find some other enthusiasts following this path.
I'm aware that the magic parts are missing.
We need someone willing to do wicked stuff and equipped with professional equipment to unsolder parts from the mainboard.
Once the remaining signals can be traced, there's a lot to play with.
Unlike other devices, the core elements of the hardware residing in the Milestone are pretty well documented and a lot of software tools exist.
I'm pretty sure there's a way to find a nicer backdoor on this locked-down device.
The market is fast though and maybe some day there'll be a device you could use to fly with... even as an end user
Anyway, would be nice to talk about.
Best regards,
scholbert
If that's true, then that'd be great. But the guy says "This of course would not give us an open bootloader" in his first post.
Good luck scholbert!!
AbdouRetro said:
If that's true, then that'd be great. But the guy says "This of course would not give us an open bootloader" in his first post.
Yes, having a working JTAG is not going to open the bootloader. But will give something very important - access to the CPU and flash without having any working code - read "bootloader development".
Sent from my Milestone using Tapatalk
scholbert, if you have flash access then you can write to some very privileged areas; does that mean you can make the processor boot into general purpose mode?
AbdouRetro said:
scholbert, if you have flash access then you can write to some very privileged areas; does that mean you can make the processor boot into general purpose mode?
Privileged areas is a nice word
... but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into the OMAP3430, so booting into GP mode will never happen, I guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and it is hardcoded with efuse.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
scholbert said:
Privileged areas is a nice word
... but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into the OMAP3430, so booting into GP mode will never happen, I guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On Milestone this ID is obviously different and I guess it's hardcoded.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course] flashed some ****ty firmware and it doesn't boot now). If it is so, then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
I don't think Motorola has the capacity to manufacture things so differently for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
Reminds me of the Xbox 360...
Quintasan said:
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course] flashed some ****ty firmware and it doesn't boot now). If it is so, then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
Sure, a bricked device would do; even a partly physically damaged device will do. As I said before, the CPU needs to be unsoldered to trace some signals.
EDIT: Just a remark, because you talk about "black" market.... please don't buy any stolen phones or something.
AbdouRetro said:
I don't think Motorola has the capacity to manufacture things so differently for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
Of course there's a boot ROM, all modern OMAP got this OTP memory implemented.
Have a look at:
https://www.droid-developers.org/wiki/Main_Page
You'll find very interesting and useful information....
Concerning capacities...
Sure they have, and obviously Motorola is one of the big customers of TI.
Apart from the device ID there are also different boot ROMs for different platforms.
This is simply called customizing.
TI does it, Qualcomm does it, whoever builds ARM SoCs may do it.
Also TI's eFuse technology gives the customer (e.g. Motorola) the opportunity to block certain parts of the chip by software setup.
And that's what they did on the Milestone.
Regards,
scholbert
When I said "do we have that",
I meant, do we have a dump of that code that is disassembled and looked into?
By checking here:
droid-developers.org/wiki/Booting_chain
it's obvious this has already been done.
Hi again,
Seems there's less interest here... sure, this is a very technical thread...
Anyway, see this picture of the mainboard.
https://www.droid-developers.org/images/d/dd/Photo-1.jpg
Seems to be taken from one of the first mass production units, or even a developers phone.
You see there's a FPC connector soldered on the mainboard (underneath the microSD connector).
After doing a little research, it seems that these connectors are used in professional environments:
http://www.hirose.co.jp/cataloge_hp/e58004008.pdf
Part.-No. FH19C-17S-0.5SH
Cheers,
scholbert
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Hi eustice!
eustice said:
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Wow, that's great, let's crack that nut!
I just created a map, a bit small though, but I think everything could be located...
BTW, on the Milestone they seem to have used an OMAP3430 in a CBC (S-PBGA-N515) package with PoP memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
scholbert said:
Hi eustice!
Wow, that's great, let's crack that nut!
I just created a map, a bit small though, but I think everything could be located...
BTW, on the Milestone they seem to have used an OMAP3430 in a CBC (S-PBGA-N515) package with PoP memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
Sir, well, I'm not sure if this is of interest to us, but
http://allegro.pl/okazja-jak-nowa-motorola-droid-i1386494285.html
This guy sells DROIDs for 200 Polish zloty; it's cheap. The main problem is that the guy says they were flooded during transport; he also claims that they have not been switched on since then. Are we interested in getting one and disassembling it?
Hey Quintasan,
thanks for the link!
Quintasan said:
This guy sells DROIDs for 200 Polish zloty; it's cheap. The main problem is that the guy says they were flooded during transport; he also claims that they have not been switched on since then. Are we interested in getting one and disassembling it?
Indeed the price is nice, but it's your decision whether to buy one or not.
Personally I have two working devices and I'm not willing to rip them apart.
By starting this thread I intended to draw some interest to this JTAG stuff and to collect information to gain access on the Milestone.
It is yet unknown if it will ever work on this platform.
It might also be possible that the JTAG signals are physically connected but have been disabled by e-fuses on the production units.
..... but if no one ever tries we'll never know.
Best regards,
scholbert
Milestone JTAG board and connector pic
Attached are the pics for the JTAG board and the connector on the phone.
Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms, but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper, if changed, allow us to boot anything perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending on where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the Atrix 4G is getting a little older now, and interest may be being depleted given other options in the market these days.
thanks
glegge said:
Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms, but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper, if changed, allow us to boot anything perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending on where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the Atrix 4G is getting a little older now, and interest may be being depleted given other options in the market these days.
thanks
I have a question. Why didn't you write this to a trusted dev for the Atrix? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev who can prove this and test it.
Thanks, it was meant well, but still, write this to a dev who knows how to work with this.
Hai_Duong said:
I have a question. Why didn't you write this to a trusted dev for the Atrix? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev who can prove this and test it.
Thanks, it was meant well, but still, write this to a dev who knows how to work with this.
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
Many thanks
glegge said:
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
Many thanks
http://forum.xda-developers.com/showthread.php?t=2016837
Here, these guys are the hope for the ICS kernel. Just write to them; if it's useful they will reply.
CyboLabs is Proud to present
Open Bump!
What is Open Bump?
Open Bump is a recreation of the closed source Bump project run by Codefire.
It will allow you to "sign" your boot images in the same way that Codefire does it, only you don't need an internet connection.
What Open Bump is NOT
Let's get the obvious out of the way. It won't axe murder you.
It is not a direct reverse engineer of Codefire's implementation. I found the key and IV on my own.
The magic bytes were taken from Codefire's method, however. If anyone has insight as to how they were found, please shout up.
It does NOT take your private data so you can use it. Tin hatters, feel free to double check.
How did I find this out
I had a general idea of what to look for, having heard that the exploit is related to UICC and is signed with a cipher.
Dropping the aboot image into GHex led me to finding a reference to "uiccsecurity". Using the bytes around this, I found a repeat of 32 bytes, which was followed by 16 bytes which formed something that resembled "SecureWallpaper".
As you can probably guess, this was mainly trial and error backed by common sense and logical thinking.
You can programmatically find these values with the Python script:
Python:
# Locate the 32-byte key and 16-byte IV in aboot using the layout described above:
#   <key>"uicc"...  then the same key repeated, followed by the IV
aboot_name = './aboot.img'
with open(aboot_name, 'rb') as f:
    aboot = f.read()
key_end = aboot.index(b'uicc')              # first occurrence of the marker
key_start = key_end - 32                    # key is the 32 bytes just before it
key = aboot[key_start:key_end]
sec_key_start = aboot.index(key, key_end)   # second copy of the key
iv_start = sec_key_start + 32               # IV follows the second copy
iv_end = iv_start + 16
iv = aboot[iv_start:iv_end]
Deciphering some already generated "signatures" proved that these were the key and IV used for "signing" the images.
What is coming next?
Inspecting the signatures that were originally uploaded and the ones that people can generate now, I found only one pattern.
The only similarity was the first 16 bytes of each "signature". I believe that only the magic number is needed, and none of the garbage that follows. This has been confirmed by the LG G3 dev from CyanogenMod, invisiblek. Done
How to use it?
I don't know how well this will run on anything other than Linux, so for now I won't talk about it.
First, ensure you are using Python 2,
then run the script:
Code:
python2 open_bump.py "/path/to/boot.img"
Flash the output, and enjoy.
Thanks to:
Obviously, this wouldn't have been possible without Codefire, since I wouldn't have known where to look, or that it was exploitable. And it was they who found the magic key.
Big thank you to @pulser_g2, who offered invaluable input on cryptography
Big thank you to @invisiblek, who I mercilessly kanged the main part of the image padding script from
note:
The original part of finding this information out was done on my own with guidance from pulser. The final results of this are posted above.
XDA:DevDB Information
Open_Bump, Tool/Utility for the LG G2
Contributors
cybojenix
Source Code: https://github.com/CyboLabs/Open_Bump
Version Information
Status: Beta
Created 2014-11-23
Last Updated 2014-11-23
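Added example, not code from the Open Bump post or the CyboLabs repository: a generalised version of the key/IV locator described above, plus the "bump" step the thread describes (pad the boot image and append the 16-byte magic). It runs on a constructed fake aboot blob with placeholder key, IV and magic values, none of which are LG's; the 4096-byte alignment used for padding and the idempotence check are assumptions, not the verified LG format. Unlike the script in the post, it is Python 3 and returns None instead of raising when the marker or the repeated key is absent.

```python
# Added example: generalised key/IV locator plus the pad-and-append "bump"
# step.  Not from the Open Bump post or the CyboLabs repo.  Key, IV and
# magic below are placeholders (not LG's values); PAGE is an assumption.
import os

MARKER = b"uicc"   # the string the original script anchors on
KEY_LEN = 32       # the post reports a repeated 32-byte key ...
IV_LEN = 16        # ... followed by 16 bytes that looked like an IV
PAGE = 4096        # assumed alignment for the padding step


def find_key_iv(aboot, marker=MARKER):
    """Locate (key, iv) using the layout the post describes:
    <key><marker> ... <key><iv>.

    Returns None instead of raising when the marker is missing, sits too
    early in the image, the key is never repeated, or the IV would run past
    the end: the cases the original index() calls turn into an uncaught
    ValueError or a truncated slice."""
    key_end = aboot.find(marker)
    if key_end < KEY_LEN:
        return None
    key = aboot[key_end - KEY_LEN:key_end]
    second = aboot.find(key, key_end)
    if second < 0 or second + KEY_LEN + IV_LEN > len(aboot):
        return None
    iv_start = second + KEY_LEN
    return key, aboot[iv_start:iv_start + IV_LEN]


def is_bumped(image, magic, page=PAGE):
    """True if the image already ends in the magic at a page boundary, so a
    build step can avoid bumping the same image twice (assumed layout)."""
    return image.endswith(magic) and (len(image) - len(magic)) % page == 0


def bump(image, magic, page=PAGE):
    """Pad the image to a page boundary and append the 16-byte magic.
    Pad-then-append follows the thread's description; page size and
    placement are assumptions, not the verified LG format."""
    if len(magic) != 16:
        raise ValueError("magic must be exactly 16 bytes")
    if is_bumped(image, magic, page):
        return image
    pad = (-len(image)) % page
    return image + b"\x00" * pad + magic


def make_fake_aboot(key, iv):
    """Constructed sample blob laid out the way the post describes."""
    return (b"\x00" * 100 + key + MARKER + b"security\x00"
            + b"\xff" * 50 + key + iv + b"\x00" * 64)


FAKE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))  # placeholder 32-byte key
FAKE_IV = b"FakeIVFakeIV0001"                  # placeholder 16-byte IV
FAKE_MAGIC = b"\x5a" * 16                      # placeholder 16-byte magic

if __name__ == "__main__":
    blob = make_fake_aboot(FAKE_KEY, FAKE_IV)
    print("key/iv located:", find_key_iv(blob) == (FAKE_KEY, FAKE_IV))
    img = bump(os.urandom(5000), FAKE_MAGIC)
    print("bumped length:", len(img),
          "idempotent:", bump(img, FAKE_MAGIC) == img)
```

Run it as a script to see the locator hit on the fake blob and the bump step pad a 5000-byte image to 8192 bytes plus the 16-byte magic; in a build script, call `is_bumped` before `bump` so an already-bumped image is not padded a second time.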
Thanks, that's great news to have an open source tool here!
Do you see any chance that this could be integrated into CWM/TWRP so that the recovery could bump the boot/recovery images before flashing?
Because the boot/recovery.img has to be extracted from the ROM zip before flashing, bumping it there would make sure that the phone can boot the image even with the newer bootloader.
This would be great for ROM devs since they don't have to change anything, and it would even bump ROMs that are not maintained anymore.
g4rb4g3 said:
Thanks, that's great news to have an open source tool here!
Do you see any chance that this could be integrated into CWM/TWRP so that the recovery could bump the boot/recovery images before flashing?
Because the boot/recovery.img has to be extracted from the ROM zip before flashing, bumping it there would make sure that the phone can boot the image even with the newer bootloader.
This would be great for ROM devs since they don't have to change anything, and it would even bump ROMs that are not maintained anymore.
Simple answer: this can be added to the build step really easily. See this commit.
edit:
Of course it may be useful to make a C program to do this.... I shall think on it.
Probably a stupid question, but I'll give it a shot. Since we have the magic key, can't we just skip the bump stuff totally? As I understand it, I don't expect the official developer team to join the bump train, and that's why the damn development of the device is really behind while the hardware is more than capable.
**To the OP i wish i could give you a thousand likes sir!
After getting the bootloader, maybe the G3 can be opened??
Why not use the original Bump?
Quote:
Codefire has been extremely vague about their method, obviously to prevent someone else replicating their results.
They are also storing people's data unnecessarily, and even adding some information relating to the user into the "signature", possibly for tracking purposes.
As a result of it being an external service, many reputable teams (which won't be named unless they want to be) have said they will not use it, and would rather wait till LG releases the official unlock method.
Finally, Codefire have said the sha1sum of the boot image is required. Whether they knew it or not, it is NOT required, and I will be changing this tool to compensate for that.
Happy you found a new exploit for us builders and devs; I just feel like you kind of disrespected the Codefire team by accusing them of things before actually talking to them. Seems a bit counterproductive; this may piss them off, and next device you can kiss new exploits by them goodbye.
Just my 2 cents on the matter;
I'd remove the line...
In any case, thank you very much, I will add it to my build script.
nikosblade said:
Probably a stupid question, but I'll give it a shot. Since we have the magic key, can't we just skip the bump stuff totally? As I understand it, I don't expect the official developer team to join the bump train, and that's why the damn development of the device is really behind while the hardware is more than capable.
**To the OP I wish I could give you a thousand likes sir!
"Bump stuff" has nothing to do with users; the devs and builders do the "bumping". And development of the G series has nothing to do with bumping, it just takes time to bring everything up.
Good job cybojenix. (moderator edit: watch your language please)
Way to ruin a good thing.
I'm done with Android now. You can do it all now - since you obviously know better than me and everyone else.
I don't appreciate people trying to blackmail me - EnderBlue and Cybo both.
Don't believe me? http://hastebin.com/gulumezawi.txt
Good job guys. Way to ruin unlocks for all future LG phones.
If I *EVER* decide to come back, I will not be releasing anything as free or open source. You've sullied my impression of the open source community. Anything I do will be private releases from now on.
LG hadn't patched Bump, and they were going to leave it alone for us as long as we kept it as a service.
Well, looks like that's over and done with.
Bump included a hash of the image that you uploaded and a hash of your developer ID, and some random junk bytes. That's all. It's exactly what we said it was doing.
Well, hey, now you're free to take over and write roots and unlocks for all LG phones since you obviously have the talent to do so.
Let's be honest though, without my team's hard work that you stole, you wouldn't have been able to do any of this.
But you knew that, you're just a bottom feeder.
I don't get angry often at all- but congrats! You've succeeded in making me mad! Achievement unlocked!
I'm done. Your turn.
EDIT: Also, you know you can't open source your project either considering it contains 'stolen' LG crypto keys. https://github.com/CyboLabs/Open_Bump/issues/1
Have fun with that one.
thecubed said:
Good job cybojenix. (moderator edit: watch your language please)
Way to ruin a good thing.
I'm done with Android now. You can do it all now - since you obviously know better than me and everyone else.
I don't appreciate people trying to blackmail me - EnderBlue and Cybo both.
Don't believe me? http://hastebin.com/gulumezawi.txt
Good job guys. Way to ruin unlocks for all future LG phones.
If I *EVER* decide to come back, I will not be releasing anything as free or open source. You've sullied my impression of the open source community. Anything I do will be private releases from now on.
LG hadn't patched Bump, and they were going to leave it alone for us as long as we kept it as a service.
Well, looks like that's over and done with.
Bump included a hash of the image that you uploaded and a hash of your developer ID, and some random junk bytes. That's all. It's exactly what we said it was doing.
Well, hey, now you're free to take over and write roots and unlocks for all LG phones since you obviously have the talent to do so.
Let's be honest though, without my team's hard work that you stole, you wouldn't have been able to do any of this.
But you knew that, you're just a bottom feeder.
I don't get angry often at all- but congrats! You've succeeded in making me mad! Achievement unlocked!
I'm done. Your turn.
EDIT: Also, you know you can't open source your project either considering it contains 'stolen' LG crypto keys. https://github.com/CyboLabs/Open_Bump/issues/1
Have fun with that one.
First off, I didn't blackmail. I gave your team notice about open sourcing it after reverse engineering the LG bootloader, not your "signatures".
It's your choice if you want to leave Android. Pinning the blame on me is somewhat childish though.
LG not patching Bump? That's a ludicrous statement, and even if it's true, it's good that this script got released. That way they know it should be patched, since having it a service clearly makes all the difference to them.
The hardest part of your team's work was getting the keys. If you know where to look, then it's easy enough to get engineering builds, which I suspect contain the master magic bytes which you released.
I'm honestly shocked at your reaction though. I gave your team all the credit and stated which parts I did myself. The part about the service, and the deception was justified.
You tried to obscure something which by logic can't be obscured. That's how so many people realised they can just append the bytes to the image.
So which one would you rather have, LG not patching the exploit (as you so claim), and having an unknown number of people in china running around flashing custom boot images, or have everyone know how to do it to force LG to recheck their security measures.
What I did may not have been fantastic for the community, but what you did was insanely dangerous for the 90% of LG users.
All you did was make it so LG locks down the bootloader. And really 90% of users??? There probably isn't even 3 percent of the LG base on this website. All you did was screw everybody else over so you could have YOUR OFFICIAL CM.
As well as people saying you didn't do enough, you are still using their signing key as well as attacking it.
Way to think about yourself. You didn't care about the 90% or you wouldn't have done this.
I personally hope LG locks down the bootloader now. Go the way Samsung did and put an efuse on it and prevent downgrading. Hopefully all this happens with lollipop so you can screw over the rest of the LG crowd.
cybojenix said:
it's good that this script got released. That way they know it should be patched, since having it a service clearly makes all the difference to them.
"Hey let's potentially close all future LG unlocks and thus the chance to use CyanogenMod on future LG devices then. Just so I can get the current CM builds to say 'Official' and get a big pat on the back from the CM dudes who probably don't care about me too much."
Is that what went through your mind? That instant gratification and ignorance really shows who you are because that's exactly what I see from this OP of yours. Enjoy your 15 minutes of fame. You probably just killed a chance for years of it.
savoca said:
"Hey let's potentially close all future LG unlocks and thus the chance to use CyanogenMod on future LG devices then. Just so I can get the current CM builds to say 'Official' and get a big pat on the back from the CM dudes who probably don't care about me too much."
Is that what went through your mind? That instant gratification and ignorance really shows who you are because that's exactly what I see from this OP of yours. Enjoy your 15 minutes of fame. You probably just killed a chance for years of it.
Yes, because I've been such a massive supporter of cm. (sarcasm in case you didn't realise).
I started reverse engineering the bootloader for research purposes. If it was more complex than what I have said above, then I probably wouldn't have done this thread.
If it weren't for the fact that the magic stays the same across all signatures, then I also wouldn't have done this thread.
The response I got from them when I contacted them before releasing this was pretty much one of lack of care. So I went ahead and posted it.
I couldn't care less about fame. In fact there isn't really a lot I do care about, but I won't have the community alienated into thinking the Codefire service was such a great thing.
And once again, I refuse to take the blame for their team leaving Android.
whoppe862005 said:
All you did was make it so LG locks down the bootloader. And really 90% of users??? There probably isn't even 3 percent of the LG base on this website. All you did was screw everybody else over so you could have YOUR OFFICIAL CM.
As well as people saying you didn't do enough, you are still using their signing key as well as attacking it.
Way to think about yourself. You didn't care about the 90% or you wouldn't have done this.
I personally hope LG locks down the bootloader now. Go the way Samsung did and put an efuse on it and prevent downgrading. Hopefully all this happens with lollipop so you can screw over the rest of the LG crowd.
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
cybojenix said:
I couldn't care less about fame. In fact there isn't really a lot I do care about, but I won't have the community alienated in to thinking the codefire service was such a great thing.
So you only care about ruining good things, and other people's work?
Lol sorry, I think I'm done with you. Bye cybo
savoca said:
So you only care about ruining good things, and other people's work?
Lol sorry, I think I'm done with you. Bye cybo
Tbh I thought it would have been clear by now what I care about. Then again I may have been wrong about considering you one of the smart android people.
I care about learning and sharing knowledge. Which is precisely what this thread did.
cybojenix said:
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
I saw your PM to autoprime in IRC; it was "I am going to post what I found or you do, either way it's going there". It wasn't lack of care, it was that you just stated a fact and left. It was a very rude, unthoughtful thing to do. Also, don't try to BS everyone with your research: you and about 100 other people found the "magic keys". The problem is those "magic keys" were placed there by team Codefire; you didn't find them, you found that they were using the key and copied their work. Anything else you say is a lie. At least the other 99 people who found this had the basic respect to not post it unless the original team allowed it.
There was no reason to post this; their site was working fine, and if you used the API there was no problem of tracking since it just uses a UID to identify to the server.
At least admit you were wrong and say you are sorry; they won't fix anything, but it will gain you a minimum amount of respect.
sooti said:
I saw your PM to autoprime in IRC; it was "I am going to post what I found or you do, either way it's going there". It wasn't lack of care, it was that you just stated a fact and left. It was a very rude, unthoughtful thing to do. Also, don't try to BS everyone with your research: you and about 100 other people found the "magic keys". The problem is those "magic keys" were placed there by team Codefire; you didn't find them, you found that they were using the key and copied their work. Anything else you say is a lie. At least the other 99 people who found this had the basic respect to not post it unless the original team allowed it.
There was no reason to post this; their site was working fine, and if you used the API there was no problem of tracking since it just uses a UID to identify to the server.
At least admit you were wrong and say you are sorry; they won't fix anything, but it will gain you a minimum amount of respect.
Wrong, I stated that I was going to open source it, meaning the work I put into getting the key and how it's used to get the original magic.
It was after that that I realised the final magic is the only thing needed. I actually worked out how to get the magic key a few hours ago, but since I don't have the right images, it won't be globally usable.
Fair enough, I apologise for pointing out the flaws in Codefire's service, and that they took it badly.
cybojenix said:
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
OK. If you did nothing wrong, please do explain this:
Enderblue-"well, would you be willing to open source it so we can have a official cm support?"
IoMonster-"so it would make storm already worse then what it is now? *paraphrasing for language
IoMonster-"no"
Seems like he said he didn't want it open sourced, but you still went ahead anyway.
http://hastebin.com/gulumezawi.txt
And then you said you're going to push it for the VS985 even after he said no.
I don't know who Enderblue is, and I'm not affiliated with him..
whoppe862005 said:
OK. If you did nothing wrong, please do explain this:
Enderblue-"well, would you be willing to open source it so we can have a official cm support?"
IoMonster-"so it would make storm already worse then what it is now? *paraphrasing for language
IoMonster-"no"
Seems like he said he didn't want it open sourced, but you still went ahead anyway.
http://hastebin.com/gulumezawi.txt
And then you said you're going to push it for the VS985 even after he said no.
cybojenix said:
I don't know who Enderblue is, and I'm not affiliated with him..
It isn't like it matters if you are or not. It says right in the chat he doesn't want it open sourced. I'm sure about 99% of the people on here have seen that already, and I'm pretty sure you have seen it as well.
It states right in the chat that he didn't want it open sourced.
whoppe862005 said:
It isn't like it matters if you are or not. It says right in the chat he doesn't want it open sourced. I'm sure about 99% of the people on here have seen that already, and I'm pretty sure you have seen it as well.
It states right in the chat that he didn't want it open sourced.
But the chat wasn't with me, so your point is null.
autoprime had ample opportunity to say "don't do it yet" or "go talk to IO", but no, no objections were made.
Codefire treated the service like any other company would treat their unlocking service, so I treated them like a company and showed how it was done.