Is there any way to find the Device ID on my Diamond? Any program to retrieve, any file where it's contained?
Go to Settings folder under System.....and look at Device Info.
If you are looking for what version your Diamond is (i.e. Diam 100) then its behind your battery and can also be found in bootloader screen.
Dear developer, I want to use my new Nexus One for my mechatronics project.
To do so, I must know how to use the serial communication in Android.
Can somebody show me a sample code sending the ASCII "a" through USB?
thx
Hi fellas,
i must admit that i'm really impressed by the energy that has been put into the BOINC project, to hunt for the Motorola private certs to crack the RSA key inside OMAP3430.
From the M-shield white paper:
Code:
...
For example, secure on-chip keys (E-Fuse) are OEM-specific, one-time-programmable
keys accessible only from inside the secure environment for authentication and encryption.
...
More specific information here:
https://www.droid-developers.org/wiki/EFuse
What would happen, if we slip into the role of the OEM's?
To be more precisely what happens, if...
a) we disable VFUSE power domain (VPP rated @ 2.4V/50mA, connected to APE_VPP and DBB_VPP)?
b) we use eFuse programming algorithm in mbmloader to blow additional eFuse and enter engineering mode?
(what is the hash for engineering mode?)
c) we use read routines within mbmloader to read eFuse values?
d) we blow all remaining efuse for the 160-bit hash in the user programmable area (factory default on milestone = 1d3fb662 794d8c70 fb57b4cb 492e27f6 6f152e4f)?
(result would be a OEM value of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
Perhaps we'll never know...
Here's what i think:
a) Barely no effect, apart from preventing mbmloader to blow another e-fuse.
b) Maybe the whole mbmloader code could only be accessed from within security domain, not sure if a debugger would work here.
c) Same as above. There had to be a proof of concept that mbmloader routines could be executed.
d) See b) and c). We need the correct offset, of course.
Any comments welcome.
IMHO there might be a better chance to crack the security on Milestone, if the interest would be focussed on mbmloader disassembly and further investigation on JTAG access for debugging the platform more intensely.
If you're a technical geek, you might have a look over here:
http://forum.xda-developers.com/showthread.php?t=849632
Experts are very welcome!!!!
P.S.: If nothing will ever work out, there's something slightly off-topic we might think about ...
Someone should contact Mototola to follow a new marketing strategy... called: ICS (Individual Customer Support).
Customers could upload their custom kernels to Motorola and get them signed by beautiful private key!
We could also push our kernel source to Motorola and as a side effect they would fix bugs and finish firmware updates much earlier .
TBC...
EDIT: Corrected some parts...
Cheers,
scholbert
Always nice to read your posts But there is one error I think:
scholbert said:
...to crack the 128-bit RSA key inside OMAP3430...
Click to expand...
Click to collapse
I think it is a 1024Bit key or am I wrong?
TheSSJ said:
Always nice to read your posts
Click to expand...
Click to collapse
Thanks for your reply!
TheSSJ said:
But there is one error I think:
I think it is a 1024Bit key or am I wrong?
Click to expand...
Click to collapse
Not 100% sure about all this.
In fact i must admit that i'm not a cryptographic expert, but after reading all these hardware manuals and references, this is what i understand:
The hash key stored in the eFuse farm seems to be 160 Bit SHA-1 and uses 1024Bit certification.
Seems that this basically is used to verify mbmloader security.
Maybe this is bull****, so who ever got some more details please join discussion!
I really like to know at which offset the key is stored
Regards,
scholbert
So if I get this right, you want to disassemble a Milestone and mess with the circuit?
djefkbefke said:
So if I get this right, you want to disassemble a Milestone and mess with the circuit?
Click to expand...
Click to collapse
Yeah correct, first this would be hardware stuff to get JTAG to work.
It's not strictly me reaching this, in fact this addresses to a community!
See my JTAG post, there's anything you need to trace the signals
So if you got a broken device go for it!
Afterwards some cracks might use a JTAG debugger (e.g. OpenOCD) to fiddle with the bootcode: Set breakpoints, trace conditional branches, even tweak some lines of code.
The hope is that something will open another door to get access to certain memory areas, especially eFuse location would be interesting
Regards,
scholbert
There was someone on here a month or so ago that had a device without a working radio. There are probably others like him. If we manged to get someone willing to donate their non-working device, would you be willing to try your jtag on it. I don't have a jtag at this time, and although i wouldn't mind getting 'hold of one, it probably wont happen for a while.
http://forum.xda-developers.com/showthread.php?t=849632
Hey,
just stumbled over these lines in one of the Ti documents:
...
The device type is readable from an eFuse by the CONTROL.CONTROL_STATUS[10:8] DEVICETYPE
field. During booting, the ROM code checks the DEVICETYPE field to determine in which mode to
operate.
· The HS device is a production device with all security features enabled. The ROM code requires the
authentication of the Initial SW before execution. A failed authentication causes a watch-dog reset.
Authentication of code in external flash memory or code that is downloaded is handled by routines in
the secure ROM (a part of the ROM code).
· The GP device is a production device in which security is disabled. Authentication is not performed
before initial SW execution.
...
Click to expand...
Click to collapse
Just wanted to add it here for completeness
There's also some progress to understand the bootloader implementations of security functions, pushed by xvilka!
For the geeks, see here:
https://www.droid-developers.org/wiki/Security
Regards,
scholbert
additional info....
Hi,
i gathered some more information about how things work out:
- SHA1 sum of the first (root) key in the CertPK is stored in eFuse array inside SoC, accessible through PKEY 0..4 registers
- the value for the SHA1 sum has a length of 160 bits
- theoretically eFuse bits that are now zero could be blown by using Secure Service, to modify hash value
- Milestone: 1d3fb662 794d8c70 fb57b4cb 492e27f6 6f152e4f
Droid: 75ed7020 641333dd 7bc3aecb 9857683c 2422efe1
- BootRom loads root key in SecureRAM and uses Secure Service, from secure part of BootROM to verify integrity/signature
This secure part of BootRom is not accessible from non secure world.
- All main keys are stored in CertPK/SecureRAM
- In theory we could break the chain of trust with:
a) find rsa keypair where the public key's sha1sum matches the existing SHA1 sum in PKEY 0..4 registers (hash_collision)
b) modify the efuse setup with Secure Service function and alter PKEY 0..4 registers to match a given key pair (this might be a very complicated issue)
Please correct me if i'm wrong
PS: Just realized that this is my 666th post, so this is dedicated to the devil
Regards,
scholbert
The devil thanks you.
Hello mates I have collected few secret codes for our HD7,I am going to share with u
so far I have collected few secret codes on this HD 7 like Field Test and some other unknown secret codes. But the Only Confirmed Secret Code is the Field Test Secret Code.
Field Test Code: ##3282#
Other Secret Codes for HTC HD 7 (Try them at your own risk)
*#61# And *#62# and *#67# are all related to call forwarding, if u replace *# with ## u will receive a succeeded message. *#76# and *#77# disables service. Not sure what service. *#21# disables all forwarding capabilities. *#30# service enabled. *#31# and *#33# *#35# service disabled. *#43# service enabled for voice *#331# and *#332# and *#351#service disabled
I am not responspible for any damage to ur device.
Enjoy
Anyone tried ?
yes i'm tryed but i don't understand anyting
thanx anyway...
sachin kundu said:
Hello mates I have collected few secret codes for our HD7,I am going to share with u
so far I have collected few secret codes on this HD 7 like Field Test and some other unknown secret codes. But the Only Confirmed Secret Code is the Field Test Secret Code.
Field Test Code: ##3282#
Other Secret Codes for HTC HD 7 (Try them at your own risk)
*#61# And *#62# and *#67# are all related to call forwarding, if u replace *# with ## u will receive a succeeded message. *#76# and *#77# disables service. Not sure what service. *#21# disables all forwarding capabilities. *#30# service enabled. *#31# and *#33# *#35# service disabled. *#43# service enabled for voice *#331# and *#332# and *#351#service disabled
I am not responspible for any damage to ur device.
Enjoy
Click to expand...
Click to collapse
These are not secret codes for HD7, but only the standard GSM commands/codes always used on any GSM/UMTS terminal.
Look at this links for infos:
GSM Features That Aren't Widely Known
GSM codes to note
GSM Feature Codes
secret codes for HD7
##3282# – Field Test Code
*#06# = Show IMEI
Good day people
I know the one code for the service menu but am sure there is another code besides the *#*#7378423#*#* one!
Does anyone know the code or have a list of all the cods for the device?
Thanks
*#*#4636#*#* – Phone Information (allows you to change the SMS service centre number and more)
*2767*3855# – Factory Reset Phone
*#*#34971539#*#* – Shows completes information about the camera
*#*#7594#*#* – Changing the power button behavior – Enables direct power off
once the code enabled
*#*#273283*255*663282*#*#* – For a quick backup to all your media files
*#*#197328640#*#* – Enabling test mode for service activity
*#*#232339#*#* or *#*#526#*#* or *#*#528#*#* – Wireless LAN Tests
*#*#232338#*#* – Displays Wi-Fi Mac-address
*#*#1472365#*#* – For a quick GPS test
*#*#1575#*#* – A Different type GPS test
*#*#0283#*#* – Packet Loopback test
*#*#0*#*#* – LCD display test
*#*#0673#*#* or *#*#0289#*#* – Audio test
*#*#0842#*#* – Vibration and Backlight test
*#*#2663#*#* – Displays touch-screen version
*#*#2664#*#* – Touch-Screen test
*#*#0588#*#* – Proximity sensor test
*#*#3264#*#* – Ram version
*#*#232331#*#* – Bluetooth test
*#*#7262626#*#* – Field test
*#*#232337#*#* – Displays bluetooth device address
*#*#8255#*#* – For Google Talk service monitoring
*#*#4986*2650468#*#* – PDA, Phone, Hardware, RF Call Date firmware info
*#*#1234#*#* – PDA and Phone firmware info
*#*#1111#*#* – FTA Software version
*#*#2222#*#* – FTA Hardware verion
*#*#44336#*#* – Displays Build time and change list number
*#06# – Displays IMEI number
*#*#8351#*#* – Enables voice dialing logging mode
*#*#8350#*#* – Disables voice dialing logging mode
**05***# – Execute from Emergency dial screen to unlock PUK code
Source
Not all of them might be compatible with Xperia devices, they are all generic Android codes.
the last PUK code one
hey there hat **05***# doesn't work for me, when i enter all of that like **05*80063169*0000*0000#, this is what i typed in the emergency dialler and then it says.. "connection problem or invalid mmi code"
Well while entering puk code i don't get any tower (or should i? i don't know)
and swapping phones doesn't works as the sim is not detected by any other phone other than mine, please tell me how to overcome this problem
Hi every body. First none of those code work with my z except *#*#7378423#*#* and second when I make a call with my phone the lcd won't get dark. Please help me what to do. Thanks.
Please add *#*#4636#*#* to the list. Is a different test and information menu. Also there you can change the sms center number (this was my issue, since i am on a vodafone locked phone and changed the type of contract and had to change the sms center number also, but the number was grayed out in the phone`s settings).
DrKrFfXx said:
*#*#4636#*#* – Phone Information (allows you to change the SMS service centre number and more)
Not all of them might be compatible with Xperia devices, they are all generic Android codes.
Click to expand...
Click to collapse
Yet another useless "Samsung == Android" post.
4636 is pretty much the only generic Android code in there. Nearly all the rest are Samsung specific codes (except 06 which is a GSM code)