Milestone JTAG - Motorola Droid and Milestone General

Hi,
I've been following the progress on Milestone hacking for quite a while now.
Some days ago I started intensive research on the Milestone hardware myself.
So here's some interesting discovery.
Thanks goes out to XVilka for putting this down on the wiki so fast
Of course this is just the starting point for a new hunting....
As you might see many signals are not identified yet.
Essential:
TDO
TDI
TMS
TCK
RTCK
Possible:
EMU0
EMU1
Optional:
DEBUG_UART_RX
Someone needs to unsolder the CPU and trace these signals on the mainboard.
So if you got a broken mainboard it would be welcome for scientific examination
This of course would not give us an open bootloader, but might open the door for some promising attempts to debug the platform more intensely.
UPDATE:
All signals had been identified. Unfortunately JTAG access to ARM core and other units is blocked.
EDIT:
O.k. now that xvilka had put my detailed pics in the droid-developers wiki, no need to hide it anymore
Find my updated pics attached.
In fact JTAG access is blocked by the security mechanism on the Milestone.
So all that is accessible is the main TAP controller... everything else is blocked.
No access to the ARM core... nothing except ID could be retrieved.
Have a look at my resignation post here:
http://forum.xda-developers.com/showpost.php?p=11759352&postcount=54
Anyway the journey was a fun thing and i learned a lot of the ARM core internals including TAP units inside OMAP
The craziest thing was, to realize that all this incredible security stuff really depends on one hard-coded bit... called the "HS-Bit".
If you need more infos tell me!!
Cheers,
scholbert

Software tool
We might use the famous OpenOCD for debugging, once we got the full pinout.
Look here for further details about it:
http://elinux.org/BeagleBoardOpenOCD
Have fun!
scholbert
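As an added example (not code from the thread, from OpenOCD or from the wiki), here is a decoder for the IDCODE values a TAP scan like the one described above returns, the one thing that could be read from the Milestone's main TAP; the sample IDCODE and scan stream are constructed for the example, and the only real constant used is TI's JEP106 manufacturer code 0x17.

```python
"""Decode JTAG IDCODE values as returned by a TAP scan (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional

# IEEE 1149.1 IDCODE layout:
#   [31:28] version, [27:12] part number, [11:1] JEP106 manufacturer id, [0] must be 1.
# The 11-bit manufacturer field is a 4-bit bank (count of 0x7F continuation bytes)
# followed by the 7-bit JEP106 code. 0x17 in bank 0 is Texas Instruments.
JEP106_NAMES = {(0, 0x17): "Texas Instruments"}


@dataclass(frozen=True)
class IdCode:
    raw: int
    version: int
    part_number: int
    bank: int
    code: int

    @property
    def manufacturer(self) -> str:
        return JEP106_NAMES.get(
            (self.bank, self.code), f"unknown (bank {self.bank}, code 0x{self.code:02x})"
        )


def decode_idcode(raw: int) -> IdCode:
    """Split a 32-bit IDCODE into its fields, rejecting values that cannot be one."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("IDCODE is a 32-bit register")
    if raw == 0xFFFFFFFF:
        # TDO floats high when nothing drives it: wrong pin, no TAP, or TRST held low.
        raise ValueError("all ones: no TAP responded on the scan chain")
    if raw & 1 == 0:
        # A TAP without an IDCODE register selects BYPASS after reset and shifts out a 0.
        raise ValueError("bit 0 is 0: this is a BYPASS bit, not an IDCODE")
    return IdCode(
        raw=raw,
        version=(raw >> 28) & 0xF,
        part_number=(raw >> 12) & 0xFFFF,
        bank=(raw >> 8) & 0xF,
        code=(raw >> 1) & 0x7F,
    )


def parse_chain(bits: List[int]) -> List[Optional[IdCode]]:
    """Walk the bit stream shifted out on TDO after Test-Logic-Reset, first bit first.

    Each TAP contributes its 32-bit IDCODE, LSB first, or a single 0 if it only has
    BYPASS (recorded as None). Scanning stops at the first all-ones word, which is what
    an undriven TDO returns once every TAP in the chain has shifted out its register.
    """
    devices: List[Optional[IdCode]] = []
    pos = 0
    while pos < len(bits):
        if bits[pos] == 0:
            devices.append(None)
            pos += 1
            continue
        word_bits = bits[pos:pos + 32]
        if len(word_bits) < 32:
            raise ValueError("truncated IDCODE at end of scan")
        word = sum(b << i for i, b in enumerate(word_bits))
        if word == 0xFFFFFFFF:
            break
        devices.append(decode_idcode(word))
        pos += 32
    return devices


def to_bits(word: int, width: int = 32) -> List[int]:
    """LSB-first bit list, the order in which a TAP shifts a register out on TDO."""
    return [(word >> i) & 1 for i in range(width)]


# Constructed sample chain: a TI TAP (version 0, part number 0x1234), then a
# BYPASS-only TAP, then the all-ones idle pattern. Not the Milestone's real IDCODE.
SAMPLE_IDCODE = (0x0 << 28) | (0x1234 << 12) | (0x0 << 8) | (0x17 << 1) | 1  # 0x0123402F
SAMPLE_STREAM = to_bits(SAMPLE_IDCODE) + [0] + to_bits(0xFFFFFFFF)

if __name__ == "__main__":
    for dev in parse_chain(SAMPLE_STREAM):
        if dev is None:
            print("BYPASS-only TAP")
        else:
            print(f"IDCODE 0x{dev.raw:08x}: {dev.manufacturer}, "
                  f"part 0x{dev.part_number:04x}, version {dev.version}")
```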

This looks very much fun, but how is this going to benefit an end user?

^^ How does "unlocked bootloader" sound to you

Well said and nice to see some reaction here also.
Sure that's fun... at least for me... and it's to widen your knowledge
I've joined this forum some time ago and it is still called xda-developers.
Maybe i'm little old-fashioned but that's what is still driving me... development
By initiating this thread i was aware there's no benefit for the end user right now,
but the more people stumble over here, the more there's a chance to find some other enthusiasts following this path.
I'm aware that the magic parts are missing.
We need someone willing to do wicked stuff and equipped with professional equipment to unsolder parts from the mainboard.
Once the remaining signals can be traced, there's a lot to play with.
Unlike other devices, the core elements of the hardware residing in the Milestone are pretty well documented and a lot of software tools exist.
I'm pretty sure there's a way to find a nicer backdoor on this locked down device.
The market is fast though and maybe some day there'll be a device you could use to fly with... even as an end user
Anyway, would be nice to talk about.
Best regards,
scholbert

if thats true, then that'd be great. but the guy says "This of course would not give us an open bootloader" in his first post.

good luck scholbert!!

AbdouRetro said:
if thats true, then that'd be great. but the guy says "This of course would not give us an open bootloader" in his first post.
Yes, having a working JTAG is not going to open the bootloader. But will give something very important - access to the CPU and flash without having any working code - read "bootloader development".
Sent from my Milestone using Tapatalk

scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?

AbdouRetro said:
scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen i guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and it is hardcoded with efuse.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert

scholbert said:
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen i guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and i guess it's hardcoded.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now), if it is so then I think I'll visit a few shops and ask around in the "black" market for a bricked device.

I don't think motorola has the capacity to manufacture things so different for the milestone and droid. it's enough cost that they use different radios!!
I'm hoping its an external chip/trace that controls which mode it boots.
in the chip block diagram on the site, there's an internal boot rom, do we have that??
reminds me of the xbox360...

Quintasan said:
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now), if it is so then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
Sure a bricked device would do, even a partly physically damaged device will do. As i said before the CPU needs to be unsoldered to trace some signals.
EDIT: Just a remark, because you talk about "black" market.... please don't buy any stolen phones or something.
AbdouRetro said:
I don't think motorola has the capacity to manufacture things so different for the milestone and droid. it's enough cost that they use different radios!!
I'm hoping its an external chip/trace that controls which mode it boots.
in the chip block diagram on the site, there's an internal boot rom, do we have that??
Of course there's a boot ROM, all modern OMAP got this OTP memory implemented.
Have a look at:
https://www.droid-developers.org/wiki/Main_Page
You'll find very interesting and useful information....
Concerning capacities...
Sure they have and obviously Motorola is one of the big customers of Ti.
Apart from the device ID there are also different boot ROMs for different platforms.
This is simply called customizing
TI does it, Qualcomm does it, whoever builds ARM SoC's may do it.
Also Ti's eFuse technology gives the customer (e.g. Motorola) the opportunity to block certain parts of the chip by software setup.
And that's what they did on the Milestone.
Regards,
scholbert

when i said "do we have that"
i meant, do we have a dump of that code that is disassembled and looked into.
by checking here
droid-developers.org/wiki/Booting_chain
it's obvious this has already been done

Hi again,
seems less interest here.... sure this is a very technical thread....
Anyway, see this picture of the mainboard.
https://www.droid-developers.org/images/d/dd/Photo-1.jpg
Seems to be taken from one of the first mass production units, or even a developers phone.
You see there's a FPC connector soldered on the mainboard (underneath the microSD connector).
After doing a little research, it seems that these connectors are used in professional environments:
http://www.hirose.co.jp/cataloge_hp/e58004008.pdf
Part.-No. FH19C-17S-0.5SH
Cheers,
scholbert

I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.

Hi eustice!
eustice said:
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Wow, that's great, let's crack that nut
I just created a map, bit small though, but i think everything could be located...
BTW, on Milestone they seem to have used a OMAP3430 in CBC (S-PBGA-N515) package with POP-memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert

scholbert said:
Hi eustice!
Wow, that's great, let's crack that nut
I just created a map, bit small though, but i think everything could be located...
BTW, on Milestone they seem to have used a OMAP3430 in CBC (S-PBGA-N515) package with POP-memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
Sir, well, I'm not sure if this is of interest to us but
http://allegro.pl/okazja-jak-nowa-motorola-droid-i1386494285.html
This guy sells DROIDs for 200 polish zloty, it's cheap. The main problem is that the guy says they were flooded during the transport, he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?

Hey Qintasan,
thanks for the link!
Quintasan said:
This guy sells DROIDs for 200 polish zloty, it's cheap. The main problem is that the guy says they were flooded during the transport, he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?
Indeed the price is nice, but it's your decision, whether to buy one or not.
Personally i got two working devices and i'm not willing to rip them apart.
By starting this thread i intended to draw some interest about this JTAG stuff and to collect information to gain access on the Milestone.
It is yet unknown, if it will ever work on this platform.
It might also be possible that the JTAG signals are physically connected, but had been disabled by e-fuses on the production units.
..... but if no one ever tries we'll never know.
Best regards,
scholbert

Milestone JTAG board and connector pic
Attached are the pics for the JTAG board and the connector on the phone.

Related

Images of the G1's motherboard in HQ?

Hey everyone,
I have a strong backing in electronics, and I have a G1. I don't dare open it because it's my only phone and I'm a college student, however, I want to study the circuit board to see how we can exploit the device.
My first idea I want to investigate is just building a chip flasher to flash the ROM. There's no way they could block that. I see the threads on working with the JTAG, however, I'm not familiar in that area. Wouldn't it make more sense to build a solderless chip flasher?
Regardless, does anybody have some high-res images of the board, front and back?
Wrong section, and I don't think many users will hold the high res pictures you are looking for...I could be wrong =)
protomanez said:
Wrong section, and I don't think many users will hold the high res pictures you are looking for...I could be wrong =)
I wasn't sure whether to put this in Q&A or not, as I wanted to discuss development of the chips once identified.
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
Moved as not Android Development.
Sent Move Request
mejorguille said:
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
I looked through it, unfortunately, it did not detail the main board. I really would like to just study the traces on the board. Does anybody have a front and back picture of the main board?
mejorguille said:
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
That'll probably help him all the way down to the bottom.
EDIT:
http://forum.xda-developers.com/showthread.php?t=591048
That should help you ;]
XBrav said:
Hey everyone,
I have a strong backing in electronics, and I have a G1. I don't dare open it because it's my only phone and I'm a college student, however, I want to study the circuit board to see how we can exploit the device.
My first idea I want to investigate is just building a chip flasher to flash the ROM. There's no way they could block that. I see the threads on working with the JTAG, however, I'm not familiar in that area. Wouldn't it make more sense to build a solderless chip flasher?
Regardless, does anybody have some high-res images of the board, front and back?
Look in the debricking JTAG testpoint thread in development. First post has some good pictures of the top (side that faces the inside part, toward the screen side) part of the board. I had mine open the other day but I didn't take any pics, sorry

Signature Checks on Boot

Just so everyone is aware, the kernel and the recovery partition signatures are checked on each boot, changing those will leave you with a brick, until we have proper firmware to recover with.
I found out the hard way.
On my second Atrix now.
Casualty of war
Taking one for the team
Well that sucks..
any free partitions that we can "steal"? and basically pull a haret where it loads partially from legit bootloader and kernel, then shuffles off to a different partition we CAN write for the real kernel, unloads all that other stuff and then launches the new kernel partition we've modified?
designgears said:
Just so everyone is aware, the kernel and the recovery partition signatures are checked on each boot, changing those will leave you with a brick, until we have proper firmware to recovery with.
I found out the hard way.
On my second Atrix now.
I guess that when we told you this, you just had to find out for yourself. The recovery should only be checked when you attempt to access it, but the kernel is checked on every boot. I hope you did not return to store as defective.
DG, thank you for putting yourself out there, and putting together roms along with the dev work.
It's nice to see some progress being done along side all the people on here saying what we shouldn't be doing/trying with our phones.
Athailias said:
DG, thank you for putting yourself out there, and putting together roms along with the dev work.
It's nice to see some progress being done along side all the people on here saying what we shouldn't be doing/trying with our phones.
Don't thank him for repeating something which had been confirmed.
jimmydafish said:
I guess that when we told you this, you just had to find out for yourself. The recovery should only be checked when you attempt to access it, but the kernel is checked on every boot. I hope you did not return to store as defective.
So you told me it was checked every boot (first bold), but it should only be checked when you access it (second bold)? Confused, on drugs or what?
I just found out the hard way for you, it's checked every boot accessed or not.
If you want to be elitist and not post up a FAQ about what you know (do you even have an atrix), please stop posting in here, you've done nothing but spout off what you know about other moto devices, it is clear they tightened things down a bit more.
jimmypopulous said:
Don't thank him for repeating something which had been confirmed.
Everything you guys say, along with others, says it SHOULD be checked when accessed, which means I should have been able to boot normally and fail when I boot recovery.
You guys keep saying it's CONFIRMED, where is it documented for the atrix. Tests performed with documented results as proof.
designgears said:
So you told me it was checked every boot (first bold), but it should only be checked when you access it (second bold)? Confused, on drugs or what?
I just found out the hard way for you, it's checked every boot accessed or not.
If you want to be elitist and not post up a FAQ about what you know (do you even have an atrix), please stop posting in here, you've done nothing but spout off what you know about other moto devices, it is clear they tightened things down a bit more.
Everything you guys say, along with others, says it SHOULD be checked when accessed, which means I should have been able to boot normally and fail when I boot recovery.
You guys keep saying it's CONFIRMED, where is it documented for the atrix. Tests performed with documented results as proof.
What is being elitist by my statement? That before you started playing with your shiny new toy, we advised that doing certain things with your phone without proper firmware to restore your phone, WOULD result in a "soft brick".
I do not have a motorola ATRIX, never said I did, but I can read the firmware pretty well. If you're offended by my post I assume it is because I offered up my standard line of "hope you did not return it as defective", because nothing else in that statement should lead you to behave like a child.
Here, how about this for facts: my rom was the first to safely remove Blur from the Droid series of phones, after reading the firmware from your phone, and your deodexed version of the firmware there are many portions you could remove safely.
If you have questions you could ask and get the answers, but as it stands right now, we are just trying to help you save yourselves. Many people will enter these forums, and while each person is responsible for their own device, they will try to follow what you have done and they too will soft brick their phone. I'm not sure of your ethical and moral makeup but too many people return their manipulated device to the provider as defective causing everyone to pay for their mistake.
I just hope you bought another Atrix outright and did not scam ATT/Motorola.
designgears said:
So you told me it was checked every boot (first bold), but it should only be checked when you access it (second bold)? Confused, on drugs or what?
I just found out the hard way for you, it's checked every boot accessed or not.
If you want to be elitist and not post up a FAQ about what you know (do you even have an atrix), please stop posting in here, you've done nothing but spout off what you know about other moto devices, it is clear they tightened things down a bit more.
Everything you guys say, along with others, says it SHOULD be checked when accessed, which means I should have been able to boot normally and fail when I boot recovery.
DesignGears,
Please don't let a claim-to-know-it-all self-righteous Prick like jimmydafish discourage your efforts.
As far as I'm concerned (and probably the majority of people who mash the refresh button on this subforum multiple times a day would agree) it's people like you (people who have actively contributed to the users here at XDA in the past (all your captivate work)), that make me feel lucky to own the same type of device that you and other dedicated devs like yourself own.
It's hard to imagine how someone who probably played a very small part on a team -- a team that, as far as I can tell, has never managed to actually produce any real results on the DX -- can know so much about a device he doesn't even own.
And if reading this post encourages members of any such team to get their panties in a wad and start talking about how they are not going to contribute here now, well then to that I say: good riddance. For every one small tip you may provide it seems like you offer two holier-than-thou-douche-bag-comments that frankly this section of this forum could do without.
But again, thank you DesignGears and Devs like you
mburris said:
DesignGears,
Please don't let a claim-to-know-it-all self-righteous Prick like jimmydafish discourage your efforts.
As far as I'm concerned (and probably the majority of people who mash the refresh button on this subforum multiple times a day would agree) it's people like you (people who have actively contributed to the users here at XDA in the past (all your captivate work)), that make me feel lucky to own the same type of device that you and other dedicated devs like yourself own.
It's hard to imagine how someone who probably played a very small part on a team -- a team that, as far as I can tell, has never managed to actually produce any real results on the DX -- can know so much about a device he doesn't even own.
And if reading this post encourages members of any such team to get their panties in a wad and start talking about how they are not going to contribute here now, well then to that I say: good riddance. For every one small tip you may provide it seems like you offer two holier-than-thou-douche-bag-comments that frankly this section of this forum could do without.
But again, thank you DesignGears and Devs like you
I can assure you I am not, glad to have support.
--
Jimmy, no hard feelings, sorry I wanted to try something and learn from it, sorry you told me two opposing things in the same post (this is what I am *****ing about, if you would read you would know that), sorry I act like a child, I guess calling it how I see it is childish. From all the PM's about you I just got and mburris' reply, you have made my block list, have fun in there with rafy.
jimmydafish said:
I just hope you bought another Atrix outright and did not scam ATT/Motorola.
Maybe if more people softbricked and returned phones that have locked down bootloaders, oems and carriers might finally realize that when someone buys a piece of technology, they own it, and would like to use it as such.
That includes:
1. Not having some POS skin on top of stock android (Blur)
2. Not being locked into paying twice for the data we already pay for (tethering)
3. Not being allowed to easily install non-market apps that we develop without jumping through hoops (slide loading)
4. Not having to wait for the carrier or oem mfg to release an update before we can have a current version of Android.
Call it a Brick-n-Return Protest
mburris said:
Maybe if more people softbricked and returned phones that have locked down bootloaders, oems and carriers might finally realize that when someone buys a piece of technology, they own it, and would like to use it as such.
That includes:
1. Not having some POS skin on top of stock android (Blur)
2. Not being locked into paying twice for the data we already pay for (tethering)
3. Not being allowed to easily install non-market apps that we develop without jumping through hoops (slide loading)
4. Not having to wait for the carrier or oem mfg to release an update before we can have a current version of Android.
Call it a Brick-n-Return Protest
LOL, that would surely cause some grief over at at&t, and a good laugh.
They would probably start leasing the phones so you can't say you own them.
Closed by OP request as this is an informational thread stating results of testing.

Anyone got a busted phone?

I'm looking for a busted captivate for research. I believe we may be able to boot from a micro SD card.
I have to remove the processor and reverse engineer the board in order to find the power supply to the line called XOM5 in the processor manual. Once this line is found, it may be as simple as shorting, slicing the line, or popping a resistor off the board.
Repairing the phone afterwards would be beyond my capabilities.. I can't perform ball soldering. That takes some highly specialized tools. You would be doing a great service to everyone with a GalaxyS phone.
The phone does not need to work, and can be in horrible condition. It can be water damaged or physically broken. The only thing I need is the main board inside the phone.
bump......
Sorry man only got my every day phone. Ill keep an eye out in the island see if i can help with your project.
hey i have a 1008 phone. screen busted. possibly stuck in bootloop. its in a couple pieces.
bulletproof1013 said:
hey i have a 1008 phone. screen busted. possibly stuck in bootloop. its in a couple pieces.
can i just send you the main board?
Yes! that's all I need. I'll send you a PM.
AdamOutler said:
I'm looking for a busted captivate for research. I believe we may be able to boot from a micro SD card.
I have to remove the processor and reverse engineer the board in order to find the power supply to the line called XOM5 in the processor manual. Once this line is found, it may be as simple as shorting, slicing the line, or popping a resistor off the board.
Repairing the phone afterwards would be beyond my capabilities.. I can't perform ball soldering. That takes some highly specialized tools. You would be doing a great service to everyone with a GalaxyS phone.
The phone does not need to work, and can be in horrible condition. It can be water damaged or physically broken. The only thing I need is the main board inside the phone.
I would like to learn more how a CB works and how to trace certain things on a board as well as other parts. Any books or reference guides besides schematics that could help me? PM me if you will. In fact anyone that knows anything could help me, please PM. Thanks.
Jmurph3 said:
I would like to learn more how a CB works and how to trace certain things on a board as well as other parts. Any books or reference guides besides schematics that could help me? PM me if you will. In fact anyone that knows anything could help me, please PM. Thanks.
A better place for a newbie to start would be circuit bending... hopping electricity from one point on a circuit board to another to alter the operating state. This would be a great place to start... http://hackaday.com/2011/01/11/intro-to-circuit-bending/
Once you get familiar with how things work on a circuit board, start examining the individual components in greater detail. There's some datasheets in here http://forum.xda-developers.com/showthread.php?t=1111866 which you could use to understand how a couple of the major players on our phone work. Specifically, the USB controller (FSA9480) and the Processor (S5PC110). It really takes some additional education to start reading processor manuals....
You could always start with something simpler like Arduino platform. The Arduino platform allows you to create a basic program which runs on a microprocessor and take inputs and outputs from it. I like the Arduino because it's so darn quick to pick up.
here's some of the stuff I programmed on the Arduino
Contest entry http://www.hyundaiaftermarket.org/f...utlers-hackaday-santa-pede-competition-entry/
Silly candle http://www.hyundaiaftermarket.org/forum/blog/3/entry-27-digital-candle/
This one would be a great first project. http://www.hyundaiaftermarket.org/forum/blog/3/entry-26-arduino-ef-meter/
If you really want to understand how a circuit board works, the best way is to go to school, or start playing with one... You could get started pretty cheap http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651 or you can get a better one like in the Android Open Accessory Kit (it's actually an Arduino Mega with additional sensors) http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651
So yeah... Learning electronics is reading, playing and doing.
AdamOutler said:
A better place for a newbie to start would be circuit bending... hopping electricity from one point on a circuit board to another to alter the operating state. This would be a great place to start... http://hackaday.com/2011/01/11/intro-to-circuit-bending/
Once you get familiar with how things work on a circuit board, start examining the individual components in greater detail. There's some datasheets in here http://forum.xda-developers.com/showthread.php?t=1111866 which you could use to understand how a couple of the major players on our phone work. Specifically, the USB controller (FSA9480) and the Processor (S5PC110). It really takes some additional education to start reading processor manuals....
You could always start with something simpler like Arduino platform. The Arduino platform allows you to create a basic program which runs on a microprocessor and take inputs and outputs from it. I like the Arduino because it's so darn quick to pick up.
here's some of the stuff I programmed on the Arduino
Contest entry http://www.hyundaiaftermarket.org/f...utlers-hackaday-santa-pede-competition-entry/
Silly candle http://www.hyundaiaftermarket.org/forum/blog/3/entry-27-digital-candle/
This one would be a great first project. http://www.hyundaiaftermarket.org/forum/blog/3/entry-26-arduino-ef-meter/
If you really want to understand how a circuit board works, the best way is to go to school, or start playing with one... You could get started pretty cheap http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651 or you can get a better one like in the Android Open Accessory Kit (it's actually an Arduino Mega with additional sensors) http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651
So yeah... Learning electronics is reading, playing and doing.
Hey, thanks a lot. I'm sure I'll be able to get something out of it. Hopefully this will help with my job some too!
Hey, when and if you're able to boot from micro sd...will this method be like the nook color?
bulletproof1013 said:
Hey, when and if you're able to boot from micro sd...will this method be like the nook color?
Basically. that's the idea. perform a slight hardware modification, then boot from SDCard from then on. Of course, first, I'll be focusing on just recovering a bricked phone by providing the phone a PBL/SBL/SBL2 on a MMC card.
Any progress?
crispy1805 said:
Any progress?
Yes. the project is completed. Thank you Bulletproof1013.
See here: http://forum.xda-developers.com/showthread.php?t=1242466

Trusted boot jumper?

Not wanting to open up old threads and discussions about booting the atrix 4g, but i was just browsing the schematics i found on xda, and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms but someone here may know more.
Brief searches show intel's trusted platform technology, I'm not sure the atrix contains something similar.
but if it does, would this jumper - if changed, allow us to boot anything perhaps?
I've attached a photo of the schematic (i found this trying to follow the good old 'FM radio not working' thread as well).
so yeah, thoughts from those more in the guts of trusted platforms?
please feel free to shut this thread down if I'm just totally out of the ball park, but if this is a lead, albeit a hardware mod (depending where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the atrix 4G is getting a little older now, and interest maybe being depleted given other options in the market these days.
thanks
glegge said:
Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms, but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper, if changed, allow us to boot anything perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the Atrix 4G is getting a little older now, and interest may be being depleted given other options in the market these days.
Thanks
I have a question: why didn't you write this to a trusted dev for the Atrix? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev who can prove this and test it.
Thanks, it was well meant, but still, write this to a dev who knows how to work with this.
Hai_Duong said:
I have a question: why didn't you write this to a trusted dev for the Atrix? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev who can prove this and test it.
Thanks, it was well meant, but still, write this to a dev who knows how to work with this.
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
Many thanks
glegge said:
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
Many thanks
http://forum.xda-developers.com/showthread.php?t=2016837
Here, these guys are the hope for the ICS kernel; just write to them and if it's useful they will reply.

Calling car guys that code (BMW specific)

Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
loudaccord said:
Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
Bump.
What we need is someone to 'look very closely' at the ROM files for the TCU. The ROM files are protected with what I believe is 1024-bit RSA signatures, and we need to find a weakness in the bootloader or something in order to upload modified files. The 335i ECU had a security hole which allows for tricking the ECU into verifying the same signature twice, opening up the important part of the file for modifications. There were three sections, the BAF, PAF and DAF. BAF verified the PAF and BAF verified the DAF. We got the BAF to verify the PAF signature twice.
I think the TCU works on something of a similar system most likely, but nobody has really taken a good look. I think someone has cracked it once before for the M3 which uses the same TCU but different ROM files, but they aren't telling.
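The flaw described above (a verifier accepting one section's signature twice) is the kind of bug that domain separation and a once-only check prevent. The following is an added illustration, not code from the post, from any BMW firmware, or from any tool: it assumes a single signing key and three constructed sections named after the post (BAF, PAF, DAF), signs each over its name plus contents, and verifies each section exactly once, so the PAF's signature cannot be accepted in place of the DAF's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
type Section struct{ Name string; Data, Sig []byte } // one signed region; names follow the post

// sectionDigest binds a signature to which section it covers, not just to the bytes.
func sectionDigest(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name + "\x00")) // name, separator, then contents
	h.Write(data)
	return h.Sum(nil)
}

// BuildImage signs three constructed sections with one key (assumed layout).
func BuildImage(key *rsa.PrivateKey) ([]Section, error) {
	var secs []Section
	for _, n := range []string{"BAF", "PAF", "DAF"} {
		data := []byte(n + " contents (constructed)")
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sectionDigest(n, data))
		if err != nil {
			return nil, err
		}
		secs = append(secs, Section{n, data, sig})
	}
	return secs, nil
}

// VerifyChain checks each section exactly once and returns the index of the
// first section that fails, or -1 when the whole chain verifies.
func VerifyChain(pub *rsa.PublicKey, secs []Section) int {
	seen := map[string]bool{}
	for i, s := range secs {
		if seen[s.Name] || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sectionDigest(s.Name, s.Data), s.Sig) != nil {
			return i // same section offered twice, or a bad/replayed signature
		}
		seen[s.Name] = true
	}
	return -1
}

func main() { // 1024-bit key only mirrors the post; not a recommendation
	key, _ := rsa.GenerateKey(rand.Reader, 1024)
	secs, _ := BuildImage(key)
	fmt.Println("first failing section:", VerifyChain(&key.PublicKey, secs)) // prints -1
}
```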
Bump. I'm sure there could be some good money raised too if a developer needs some incentive.
doublespaces said:
.
ROM files,
You said ROM, so we just need SU right?
I agree with nguyenvn - could end up with some $$$ as there is quite the demand.
At the moment the community at e90post is trying to find a way, but after months and a steep learning curve, we're stuck with the signature problem.... the thread is called "Transmission remap - Let's do it ourselves"