[REQ]Need a bricked/broken X1 mainboard for investigations!!! - XPERIA X1 Q&A, Help & Troubleshooting

Hi folks,
you might have noticed, that there's some interesting progress in porting the linux kernel to the Xperia X1 (a.k.a htckovsky).
See here:
http://forum.xda-developers.com/showthread.php?t=541002
Once the kernel has nice hardware support, we are able to run some alternative OS on our device.
The most popular is obviously the Android system.
There's already some Android package you might call a proof of concept, but there's much more work to do. Mostly on hardware support.
At some level of development it may be very helpful to get some deep insights of the hardware.
This sometimes leads to a helpful and useful project.
See here:
http://forum.xda-developers.com/showthread.php?t=391047
The best i could think of is getting access to one of the debug interfaces of the X1.
I already got some assumptions about that but i really need some hardware to fiddle with!
See here for details about the hardware:
http://forum.xda-developers.com/showthread.php?t=569111
So if you got a hardly damaged device, a bricked/broken X1 mainboard, please tell me.
Maybe we'll find an arrangement to put this piece of electronics into the service of science
Many thanks in advance!
Cheers,
scholbert

Related

ROM tutorial

Just wondering if anyone has made or would make a sort of tutorial about how to upgrade rom, make new rom, customize rom etc. preferable with pictures'n'stuff
Excellent idea jpless.
Can anyone with some experience do that?
I have a new HTC P3600 Black, at 2 days
I'd like that too, the problem is that there's too much info about this on the forum, some of that info is outdated, valid only for a specific device, and sometimes valid for a couple of devices but posted on a specific device forum( hermes ).
Since we would really like to do this but fear bricking our devices, I think it would help if a known, trustworthy and experienced member had the time and will to start the creation of a centralized source of info about this topic, like one big wiki page divided by main steps and device-specific tools/methods which would later be improved by other users( wiki ).
Who knows, maybe there's someone who just needs a nudge to create something useful to the community.
I really hope someone will do, cause I wanna learn it the easy way
Btw what is this ROM Kitchen thing I keep reading about?

MSM7200 & Imageon Technical Detail

Let me first say that I am a software developer by day & night but limit my realm to applications and never anything hardware related. Having recently purchased a Kaiser I was bothered that HTC was not doing what it could to make the device realize its full potential.
That said, I have become interested in trying to create hw d3d drivers (not patch ones from other devices) myself. Has anyone been able to obtain or map out any technical details of how to interface with the system on MSM7200 chip? Has there been any sort of exploratory project to detail the memory addresses, interrupts, as what not (remember, just a software guy)?
My last question to everyone is, has anyone tried contacting Qualcomm or ATI/AMD? Maybe one or both might be interested in providing reference drivers or sharing some of the details with the community. Maybe we could harass, um...let our voices be heard... and convince them to start an open source project.
If you want to know what is in a Kaiser roll, you can either figure it out yourself or you can go ask the chef.
From what I understand, we will get no help from HTC regarding the hardware video acceleration.
The reason is (and these are my speculations) that when the Kaiser was on the drawing board, HTC was asked whether they want to pay for permission to use the hardware video acceleration of the MSM7200 chip.
HTC responded that they don't want it. At the time, HTC believed that the Kaiser will be competitive enough even without hardware video acceleration, and hence saw no reason to pay the needed money to get the permission (a decision that proved to be correct, at least financially).
If HTC today will help someone to develop such hardware acceleration drivers for the Kaiser (or do it themselves), they will get a lawsuit so big, that the entire company could go out of business.
Here is your best source of information on that issue. Good luck. That's all I could do for you.
http://forum.xda-developers.com/showthread.php?t=339745

Milestone JTAG

Hi,
i've been following the progress on Milestone hacking quite a while now.
Some days ago i started intensive research on the Milestone hardware myself
So here's some interesting discovery.
Thanks goes out to XVilka for putting this down on the wiki so fast
Of course this is just the starting point for a new hunting....
As you might see many signals are not identified yet.
Essential:
TDO
TDI
TMS
TCK
RTCK
Possible:
EMU0
EMU1
Optional:
DEBUG_UART_RX
Someone needs to unsolder the CPU and trace these signals on the mainboard.
So if you got a broken mainboard it would be welcome for scientific examination
This of course would not give us an open bootloader, but might open the door for some promising attempts to debug the platform more intensely.
UPDATE:
All signals had been identified. Unfortunately JTAG access to ARM core and other units is blocked.
EDIT:
O.k. now that xvilka had put my detailed pics in the droid-developers wiki, no need to hide it anymore
Find my updated pics attached.
In fact JTAG access is blocked by the security mechanism on the Milestone.
So all that is accessible is the main TAP controller... everything else is blocked.
No access to the ARM core... nothing except ID could be retrieved.
Have a look at my resignation post here:
http://forum.xda-developers.com/showpost.php?p=11759352&postcount=54
Anyway the journey was a fun thing and i learned a lot of the ARM core internals including TAP units inside OMAP
The craziest thing was, to realize that all this incredible security stuff really depends on one hard-coded bit... called the "HS-Bit".
If you need more infos tell me!!
Cheers,
scholbert
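The post above reports that only the main TAP controller answered and nothing except the ID could be retrieved. As an added example (not scholbert's code or tooling), this C program simulates the IEEE 1149.1 TAP state machine and the host-side TMS sequence that shifts out a 32-bit IDCODE; the `tap_dev` target and the sample IDCODE value are constructed for illustration and were not read from a Milestone.

```c
#include <stdint.h>
#include <stdio.h>
/* The 16 TAP controller states defined by IEEE 1149.1. */
enum tap_state { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAU_DR, EX2_DR,
                 UPD_DR, SEL_IR, CAP_IR, SH_IR, EX1_IR, PAU_IR, EX2_IR, UPD_IR };
/* NEXT[state][tms]: state entered on the rising edge of TCK. */
static const uint8_t NEXT[16][2] = {
    [TLR] = {RTI, TLR},          [RTI] = {RTI, SEL_DR},
    [SEL_DR] = {CAP_DR, SEL_IR}, [CAP_DR] = {SH_DR, EX1_DR},
    [SH_DR] = {SH_DR, EX1_DR},   [EX1_DR] = {PAU_DR, UPD_DR},
    [PAU_DR] = {PAU_DR, EX2_DR}, [EX2_DR] = {SH_DR, UPD_DR},
    [UPD_DR] = {RTI, SEL_DR},    [SEL_IR] = {CAP_IR, TLR},
    [CAP_IR] = {SH_IR, EX1_IR},  [SH_IR] = {SH_IR, EX1_IR},
    [EX1_IR] = {PAU_IR, UPD_IR}, [PAU_IR] = {PAU_IR, EX2_IR},
    [EX2_IR] = {SH_IR, UPD_IR},  [UPD_IR] = {RTI, SEL_DR},
};

/* Simulated target (hypothetical): only the IDCODE data register exists. */
struct tap_dev { enum tap_state state; uint32_t idcode; uint32_t dr; };
/* One TCK cycle: act on the current state, then follow TMS. Returns TDO. */
static int tap_clock(struct tap_dev *d, int tms, int tdi) {
    int tdo = 0;
    if (d->state == CAP_DR) {
        d->dr = d->idcode;                 /* IDCODE is selected after reset */
    } else if (d->state == SH_DR) {
        tdo = (int)(d->dr & 1u);           /* LSB leaves first */
        d->dr = (d->dr >> 1) | ((uint32_t)(tdi & 1) << 31);
    }
    d->state = (enum tap_state)NEXT[d->state][tms & 1];
    return tdo;
}

/* Host side: reset the TAP, walk to Shift-DR, clock out 32 bits. */
static uint32_t read_idcode(struct tap_dev *d) {
    uint32_t id = 0;
    for (int i = 0; i < 5; i++) tap_clock(d, 1, 0);   /* any state -> TLR */
    tap_clock(d, 0, 0);                               /* TLR -> Run-Test/Idle */
    tap_clock(d, 1, 0);                               /* -> Select-DR-Scan */
    tap_clock(d, 0, 0);                               /* -> Capture-DR */
    tap_clock(d, 0, 0);                               /* capture, -> Shift-DR */
    for (int i = 0; i < 32; i++)                      /* TMS=1 on the last bit */
        id |= (uint32_t)tap_clock(d, i == 31, 0) << i;
    tap_clock(d, 1, 0);                               /* Exit1-DR -> Update-DR */
    tap_clock(d, 0, 0);                               /* -> Run-Test/Idle */
    return id;
}
/* IDCODE layout: [31:28] version, [27:12] part, [11:1] manufacturer, [0] = 1. */
static unsigned idcode_version(uint32_t id) { return id >> 28; }
static unsigned idcode_part(uint32_t id)    { return (id >> 12) & 0xFFFFu; }
static unsigned idcode_mfr(uint32_t id)     { return (id >> 1) & 0x7FFu; }

int main(void) {
    struct tap_dev dev = { PAU_IR, 0x2ABCD02Fu, 0 };  /* constructed sample */
    uint32_t id = read_idcode(&dev);
    printf("IDCODE 0x%08X ver=%u part=0x%04X mfr=0x%03X\n", (unsigned)id,
           idcode_version(id), idcode_part(id), idcode_mfr(id));
    return 0;
}
```

Reading the ID needs no instruction scan because the IDCODE register is selected in Test-Logic-Reset; every other debug unit requires further scans, which is where a locked-down part stops answering.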
Software tool
We might use the famous OpenOCD for debugging, once we got the full pinout.
Look here for further details about it:
http://elinux.org/BeagleBoardOpenOCD
Have fun!
scholbert
This looks very much fun, but how is this going to benefit an end user?
^^ How does "unlocked bootloader" sound to you
Well said and nice to see some reaction here also.
Sure that's fun... at least for me... and it's to widen your knowledge
I've joined this forum some time ago and it is still called xda-developers.
Maybe i'm little old-fashioned but that's what is still driving me... development
By initiating this thread i was aware there's no benefit for the end user right now,
but the more people stumble over here, the more there's a chance to find some other enthusiasts following this path.
I'm aware that the magic parts are missing.
We need someone willing to do wicked stuff and equipped with professional equipment to unsolder parts from the mainboard.
Once the remaining signals could be traced, there's a lot to play with.
Unlike other devices the core elements of the hardware residing in the Milestone are pretty well documented and lot of software tools exist.
I'm pretty sure there's a way to find a nicer backdoor on this locked down device.
The market is fast though and maybe some day there'll be a device you could use to fly with... even as an end user
Anyway, would be nice to talk about.
Best regards,
scholbert
if that's true, then that'd be great. but the guy says "This of course would not give us an open bootloader" in his first post.
good luck scholbert!!
AbdouRetro said:
if that's true, then that'd be great. but the guy says "This of course would not give us an open bootloader" in his first post.
Yes, having a working JTAG is not going to open the bootloader. But will give something very important - access to the CPU and flash without having any working code - read "bootloader development".
Sent from my Milestone using Tapatalk
scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?
AbdouRetro said:
scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen i guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and it is hardcoded with efuse.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
scholbert said:
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen i guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and i guess it's hardcoded.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now), if it is so then I think I visit a few shops and ask around in the "black" market for a bricked device.
I don't think motorola has the capacity to manufacture things so different for the milestone and droid. it's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
in the chip block diagram on the site, there's an internal boot rom, do we have that??
reminds me of the xbox360...
Quintasan said:
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now), if it is so then I think I visit a few shops and ask around in the "black" market for a bricked device.
Sure a bricked device would do, even a partly physical damaged device will do. As i said before the CPU needs to be unsoldered to trace some signals.
EDIT: Just a remark, because you talk about "black" market.... please don't buy any stolen phones or something.
AbdouRetro said:
I don't think motorola has the capacity to manufacture things so different for the milestone and droid. it's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
in the chip block diagram on the site, there's an internal boot rom, do we have that??
Of course there's a boot ROM, all modern OMAP got this OTP memory implemented.
Have a look at:
https://www.droid-developers.org/wiki/Main_Page
You'll find very interesting and useful information....
Concerning capacities...
Sure they have and obviously Motorola is one of the big customers of Ti.
Apart from the device ID there are also different boot ROMs for different platforms.
This is simply called customizing
TI does it, Qualcomm does it, whoever builds ARM SoC's may do it.
Also Ti's eFuse technology gives the customer (e.g. Motorola) the opportunity to block certain parts of the chip by software setup.
And that's what they did on the Milestone.
Regards,
scholbert
when i said "do we have that"
i meant, do we have a dump of that code that is disassembled and looked into.
by checking here
Code:
droid-developers.org/wiki/Booting_chain
it's obvious this has already been done
Hi again,
seems less interest here.... sure this is a very technical thread....
Anyway, see this picture of the mainboard.
https://www.droid-developers.org/images/d/dd/Photo-1.jpg
Seems to be taken from one of the first mass production units, or even a developers phone.
You see there's a FPC connector soldered on the mainboard (underneath the microSD connector).
After doing a little research, it seems that these connectors are used for professional environment:
http://www.hirose.co.jp/cataloge_hp/e58004008.pdf
Part.-No. FH19C-17S-0.5SH
Cheers,
scholbert
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Hi eustice!
eustice said:
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Wow, that's great, let's crack that nut
I just created a map, bit small though, but i think everything could be located...
BTW, on Milestone they seem to have used a OMAP3430 in CBC (S-PBGA-N515) package with POP-memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
scholbert said:
Hi eustice!
Wow, that's great, let's crack that nut
I just created a map, bit small though, but i think everything could be located...
BTW, on Milestone they seem to have used a OMAP3430 in CBC (S-PBGA-N515) package with POP-memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
Sir, well, I'm not sure if this is of interest to us but
http://allegro.pl/okazja-jak-nowa-motorola-droid-i1386494285.html
This guy sells DROIDs for 200 polish zloty, it's cheap. The main problem is that the guy says they were flooded during the transport, he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?
Hey Quintasan,
thanks for the link!
Quintasan said:
This guy sells DROIDs for 200 polish zloty, it's cheap. The main problem is that the guy says they were flooded during the transport, he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?
Indeed the price is nice, but it's your decision, whether to buy one or not.
Personally i got two working devices and i'm not willing to rip them apart.
By starting this thread i intended to draw some interest about this JTAG stuff and to collect information to gain access on the Milestone.
It is yet unknown, if it will ever work on this platform.
It might also be possible that the JTAG signals are physically connected, but had been disabled by e-fuses on the production units.
..... but if no one ever tries we'll never know.
Best regards,
scholbert
milestone jtag board and connector pic
attached are the pics for the jtag board and the connector on the phone.

Hello, I'm new!

Hello,
I'm new here and I've never done something like flashing a CustomROM.
I have a LG P970 with cracked screen and malfunctioning power button and USB port (they share the same connector which I [kind of] fixed).
My phone is currently running CyanogenMod (one of the stable ones I think) but I don't know much more. (I didn't do anything to it, I got it like this)
I am looking forward to play with my phone while I wait for the OPO to be widely released.
My main idea was to put KitKat on it because I heard of the RAM optimization and so on, but I'm not sure if an inexperienced user like me should go that far, should I?
nonlosoproprio said:
Hello,
I'm new here and I've never done something like flashing a CustomROM.
I have a LG P970 with cracked screen and malfunctioning power button and USB port (they share the same connector which I [kind of] fixed).
My phone is currently running CyanogenMod (one of the stable ones I think) but I don't know much more. (I didn't do anything to it, I got it like this)
I am looking forward to play with my phone while I wait for the OPO to be widely released.
My main idea was to put KitKat on it because I heard of the RAM optimization and so on, but I'm not sure if an inexperienced user like me should go that far, should I?
http://forum.xda-developers.com/showthread.php?t=1111771
http://forum.xda-developers.com/showthread.php?t=1487105
Read through the above links thoroughly. Then come back and ask questions. These are both awesome resources to new users, and many users have asked many of the exact same questions you'd like to ask.
You need to develop a general understanding of both the Android operating system and the methodology and tools used by "hackers" to enhance their phones. Once you get this knowledge, questions are more direct and specific.
androcraze said:
http://forum.xda-developers.com/showthread.php?t=1111771
http://forum.xda-developers.com/showthread.php?t=1487105
Read through the above links thoroughly. Then come back and ask questions. These are both awesome resources to new users, and many users have asked many of the exact same questions you'd like to ask.
You need to develop a general understanding of both the Android operating system and the methodology and tools used by "hackers" to enhance their phones. Once you get this knowledge, questions are more direct and specific.
That's an amazing help!
It's going to take a while but I'm downloading my first customROM, hopefully I'll soon understand better the process and feel confident enough about it.
There is so much stuff to read!
Thank you!

PROTECT YOUR DIGITAL KNOW HOW (ANTI HACKING CODE PROTECTION)

Hi all,
i am new in this forum, but i know it a long time. i hope i will find here some people interested in PROTECTING DIGITAL KNOW HOW. I am working on code, that can protect code from ripping, modifying, decompiling. Also my code will protect against game cloning.
So, yes, will look more deep into section of this forum and try to find some maybe developers of games and apps who need to avoid hacking (cracking) of their games/apps. I am developing a protection for ANDROID devices - it's based on Virtual Machine, maybe you know VMPR0TECT from windows platform, and i am coding something similar for ANDROID. Maybe in the near future also for iOS (apple devices).
If someone could help me with pointing me to the right people, that would be great, thank you.
KNOW_HOW_PROTECTION said:
Hi all,
i am new in this forum, but i know it a long time. i hope i will find here some people interested in PROTECTING DIGITAL KNOW HOW. I am working on code, that can protect code from ripping, modifying, decompiling. Also my code will protect against game cloning.
So, yes, will look more deep into section of this forum and try to find some maybe developers of games and apps who need to avoid hacking (cracking) of their games/apps. I am developing a protection for ANDROID devices - it's based on Virtual Machine, maybe you know VMPR0TECT from windows platform, and i am coding something similar for ANDROID. Maybe in the near future also for iOS (apple devices).
If someone could help me with pointing me to the right people, that would be great, thank you.
Welcome to XDA,
These forums are full of knowledge, just read and search and you will find your way.
