Trusted boot jumper? - Atrix 4G Android Development

Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA, and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms, but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper, if changed, allow us to boot anything, perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending on where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick, perhaps.
I'm also aware the Atrix 4G is getting a little older now, and interest may be depleted given other options in the market these days.
Thanks

I have a question: why didn't you write this to a trusted dev for the Atrix? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev that can prove this and test it.
Thanks, it was meant well, but still, write this to a dev that knows how to work with this.

Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
Many thanks

http://forum.xda-developers.com/showthread.php?t=2016837
Here, these guys are the hope for the ICS kernel; just write to them, and if it's useful they will reply.


Milestone JTAG

Hi,
I've been following the progress on Milestone hacking for quite a while now.
Some days ago I started intensive research on the Milestone hardware myself.
So here's some interesting discovery.
Thanks go out to XVilka for putting this down on the wiki so fast.
Of course this is just the starting point for a new hunt....
As you might see, many signals are not identified yet.
Essential:
TDO
TDI
TMS
TCK
RTCK
Possible:
EMU0
EMU1
Optional:
DEBUG_UART_RX
Someone needs to unsolder the CPU and trace these signals on the mainboard.
So if you've got a broken mainboard, it would be welcome for scientific examination.
This of course would not give us an open bootloader, but might open the door for some promising attempts to debug the platform more intensely.
UPDATE:
All signals had been identified. Unfortunately JTAG access to ARM core and other units is blocked.
EDIT:
OK, now that xvilka has put my detailed pics in the droid-developers wiki, there's no need to hide it anymore.
Find my updated pics attached.
In fact JTAG access is blocked by the security mechanism on the Milestone.
So all that is accessible is the main TAP controller... everything else is blocked.
No access to the ARM core... nothing except ID could be retrieved.
Have a look at my resignation post here:
http://forum.xda-developers.com/showpost.php?p=11759352&postcount=54
Anyway, the journey was a fun thing and I learned a lot about the ARM core internals, including the TAP units inside OMAP.
The craziest thing was, to realize that all this incredible security stuff really depends on one hard-coded bit... called the "HS-Bit".
If you need more info, tell me!!
Cheers,
scholbert
Software tool
We might use the famous OpenOCD for debugging, once we've got the full pinout.
Look here for further details about it:
http://elinux.org/BeagleBoardOpenOCD
Have fun!
scholbert
This looks very much fun, but how is this going to benefit an end user?
^^ How does "unlocked bootloader" sound to you
Well said and nice to see some reaction here also.
Sure that's fun... at least for me... and it's to widen your knowledge
I've joined this forum some time ago and it is still called xda-developers.
Maybe I'm a little old-fashioned, but that's what is still driving me... development.
By initiating this thread i was aware there's no benefit for the end user right now,
but the more people stumble over here, the more there's a chance to find some other enthusiasts following this path.
I'm aware that the magic parts are missing.
We need someone willing to do wicked stuff and equipped with professional equipment to unsolder parts from the mainboard.
Once the remaining signals can be traced, there's a lot to play with.
Unlike other devices, the core elements of the hardware residing in the Milestone are pretty well documented and a lot of software tools exist.
I'm pretty sure there's a way to find a nicer backdoor on this locked down device.
The market is fast though and maybe some day there'll be a device you could use to fly with... even as an end user
Anyway, would be nice to talk about.
Best regards,
scholbert
If that's true, then that'd be great. But the guy says "This of course would not give us an open bootloader" in his first post.
Good luck scholbert!!
Yes, having a working JTAG is not going to open the bootloader. But will give something very important - access to the CPU and flash without having any working code - read "bootloader development".
Sent from my Milestone using Tapatalk
scholbert, if you have flash access then you can write to some very privileged areas; does that mean you can make the processor boot into general purpose mode?
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into the OMAP3430, so booting into GP mode will never happen, I guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On the Milestone this ID is obviously different and it is hardcoded with an eFuse.
The ROM bootloader checks this register and cannot be rewritten because it's OTP.
Regards,
scholbert
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now); if so, then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
I don't think Motorola has the capacity to manufacture things so different for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
Reminds me of the Xbox 360...
Quintasan said:
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course ] flashed some ****ty firmware and it doesn't boot now); if so, then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
Sure, a bricked device would do; even a partly physically damaged device will do. As I said before, the CPU needs to be unsoldered to trace some signals.
EDIT: Just a remark, because you talk about "black" market.... please don't buy any stolen phones or something.
AbdouRetro said:
I don't think Motorola has the capacity to manufacture things so different for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
Of course there's a boot ROM; all modern OMAPs have this OTP memory implemented.
Have a look at:
https://www.droid-developers.org/wiki/Main_Page
You'll find very interesting and useful information....
Concerning capacities...
Sure they have, and obviously Motorola is one of the big customers of TI.
Apart from the device ID there are also different boot ROMs for different platforms.
This is simply called customizing.
TI does it, Qualcomm does it, whoever builds ARM SoCs may do it.
Also TI's eFuse technology gives the customer (e.g. Motorola) the opportunity to block certain parts of the chip by software setup.
And that's what they did on the Milestone.
Regards,
scholbert
When I said "do we have that",
I meant, do we have a dump of that code that has been disassembled and looked into?
By checking here
droid-developers.org/wiki/Booting_chain
it's obvious this has already been done.
Hi again,
Seems there's less interest here.... sure, this is a very technical thread....
Anyway, see this picture of the mainboard.
https://www.droid-developers.org/images/d/dd/Photo-1.jpg
Seems to be taken from one of the first mass production units, or even a developers phone.
You see there's a FPC connector soldered on the mainboard (underneath the microSD connector).
After doing a little research, it seems that these connectors are used in professional environments:
http://www.hirose.co.jp/cataloge_hp/e58004008.pdf
Part.-No. FH19C-17S-0.5SH
Cheers,
scholbert
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Hi eustice!
Wow, that's great, let's crack that nut!
I just created a map, a bit small though, but I think everything could be located...
BTW, on the Milestone they seem to have used an OMAP3430 in the CBC (S-PBGA-N515) package with POP memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU; these little pads will easily rip off...
Good luck!!
scholbert
Sir, well, I'm not sure if this is of interest to us, but
http://allegro.pl/okazja-jak-nowa-motorola-droid-i1386494285.html
This guy sells DROIDs for 200 Polish zloty; it's cheap. The main problem is that the guy says they were flooded during transport; he also claims that they have not been switched on since then. Are we interested in getting one and disassembling it?
Hey Quintasan,
thanks for the link!
Indeed the price is nice, but it's your decision whether to buy one or not.
Personally I've got two working devices and I'm not willing to rip them apart.
By starting this thread I intended to draw some interest to this JTAG stuff and to collect information to gain access to the Milestone.
It is yet unknown, if it will ever work on this platform.
It might also be possible that the JTAG signals are physically connected, but had been disabled by e-fuses on the production units.
..... but if no one ever tries we'll never know.
Best regards,
scholbert
Milestone JTAG board and connector pic
Attached are the pics for the JTAG board and the connector on the phone.

Signature Checks on Boot

Just so everyone is aware, the kernel and the recovery partition signatures are checked on each boot; changing those will leave you with a brick, until we have proper firmware to recover with.
I found out the hard way.
On my second Atrix now.
Casualty of war
Taking one for the team
Well, that sucks...
Any free partitions that we can "steal"? And basically pull a HaRET where it loads partially from the legit bootloader and kernel, then shuffles off to a different partition we CAN write for the real kernel, unloads all that other stuff and then launches the new kernel partition we've modified?
I guess that when we told you this, you just had to find out for yourself. The recovery should only be checked when you attempt to access it, but the kernel is checked on every boot. I hope you did not return it to the store as defective.
DG, thank you for putting yourself out there, and putting together ROMs along with the dev work.
It's nice to see some progress being made alongside all the people on here saying what we shouldn't be doing/trying with our phones.
Don't thank him for repeating something which had been confirmed.
jimmydafish said:
I guess that when we told you this, you just had to find out for yourself. The recovery should only be checked when you attempt to access it, but the kernel is checked on every boot. I hope you did not return it to the store as defective.
So you told me it was checked every boot (first bold), but it should only be checked when you access it (second bold)? Confused, on drugs or what?
I just found out the hard way for you, it's checked every boot accessed or not.
If you want to be elitist and not post up a FAQ about what you know (do you even have an Atrix?), please stop posting in here; you've done nothing but spout off what you know about other Moto devices. It is clear they tightened things down a bit more.
jimmypopulous said:
Don't thank him for repeating something which had been confirmed.
Everything you guys say, along with others, says it SHOULD be checked when accessed, which means I should have been able to boot normally and fail when I boot recovery.
You guys keep saying it's CONFIRMED; where is it documented for the Atrix? Tests performed with documented results as proof.
What is being elitist by my statement? That before you started playing with your shiny new toy, we advised that doing certain things with your phone without proper firmware to restore your phone, WOULD result in a "soft brick".
I do not have a Motorola ATRIX, never said I did, but I can read the firmware pretty well. If you're offended by my post I assume it is because I offered up my standard line of "hope you did not return it as defective", because nothing else in that statement should lead you to behave like a child.
Here, how about this for facts: my ROM was the first to safely remove Blur from the Droid series of phones, and after reading the firmware from your phone, and your deodexed version of the firmware, there are many portions you could remove safely.
If you have questions you could ask and get the answers, but as it stands right now, we are just trying to help you save yourselves. Many people will enter these forums, and while each person is responsible for their own device, they will try to follow what you have done and they too will soft brick their phone. I'm not sure of your ethical and moral makeup, but too many people return their manipulated device to the provider as defective, causing everyone to pay for their mistake.
I just hope you bought another Atrix outright and did not scam ATT/Motorola.
DesignGears,
Please don't let a claim-to-know-it-all self-righteous Prick like jimmydafish discourage your efforts.
As far as I'm concerned (and probably the majority of people who mash the refresh button on this subforum multiple times a day would agree) it's people like you (people who have actively contributed to the users here at XDA in the past (all your captivate work)), that make me feel lucky to own the same type of device that you and other dedicated devs like yourself own.
It's hard to imagine how someone who probably played a very small part on a team -- a team that, as far as I can tell, has never managed to actually produce any real results on the DX -- can know so much about a device he doesn't even own.
And if reading this post encourages members of any such team to get their panties in a wad and start talking about how they are not going to contribute here now, well then to that I say: good riddance. For every one small tip you may provide, it seems like you offer two holier-than-thou douche-bag comments that frankly this section of this forum could do without.
But again, thank you DesignGears and devs like you.
I can assure you I am not, glad to have support.
--
Jimmy, no hard feelings. Sorry I wanted to try something and learn from it; sorry you told me two opposing things in the same post (this is what I am *****ing about; if you would read, you would know that); sorry I act like a child, I guess calling it how I see it is childish. From all the PMs about you I just got and mburris' reply, you have made my block list; have fun in there with rafy.
jimmydafish said:
I just hope you bought another Atrix outright and did not scam ATT/Motorola.
Maybe if more people soft-bricked and returned phones that have locked-down bootloaders, OEMs and carriers might finally realize that when someone buys a piece of technology, they own it, and would like to use it as such.
That includes:
1. Not having some POS skin on top of stock Android (Blur)
2. Not being locked into paying twice for the data we already pay for (tethering)
3. Not being allowed to easily install non-market apps that we develop without jumping through hoops (sideloading)
4. Not having to wait for the carrier or OEM mfg to release an update before we can have a current version of Android.
Call it a Brick-n-Return Protest
LOL, that would surely cause some grief over at AT&T, and a good laugh.
They would probably start leasing the phones so you can't say you own them.
Closed by OP request as this is an informational thread stating results of testing.
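The checks argued over in this thread, together with the HS/GP device-type gate scholbert describes in the Milestone JTAG thread above, as a constructed Python model added here (not Motorola, TI or any poster's code). It assumes a flat register map, and a keyed SHA-256 tag stands in for the OEM's RSA signature; the register address and the 0xF0 GP value come from the thread, while the 0x0F HS value, the OEM key and the partition contents are made up.

```python
"""Constructed model of the signed-boot checks discussed in these threads.

A boot-ROM stage reads CONTROL_PRODUCTION_ID: a GP part skips verification, an HS
part verifies every image before running it.  A keyed SHA-256 (HMAC) stands in for
the OEM's RSA signature so the model runs with the standard library only.
"""
import hashlib
import hmac

CONTROL_PRODUCTION_ID = 0x4830A210  # OMAP3430 register address quoted in the thread
GP_DEVICE_ID = 0xF0                 # value the thread gives for a GP (non-HS) part

# Constructed stand-in for the OEM signing key (on silicon: a key hash burned into eFuse).
OEM_KEY = b"constructed-oem-signing-key"


class BootError(Exception):
    """Raised where the device would refuse to boot (the 'brick' the thread describes)."""


def sign_image(image: bytes) -> bytes:
    """Tag a partition image must carry (stand-in for the OEM's RSA signature)."""
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()


def device_is_gp(registers: dict) -> bool:
    """Mimic the ROM reading CONTROL_PRODUCTION_ID; 0xF0 means General Purpose."""
    return registers.get(CONTROL_PRODUCTION_ID) == GP_DEVICE_ID


def verify_partition(name: str, partitions: dict, hs: bool) -> bytes:
    """Return the image if its tag verifies (or the part is GP), else raise BootError."""
    image, tag = partitions[name]
    if hs and not hmac.compare_digest(sign_image(image), tag):
        raise BootError(f"{name}: signature mismatch")
    return image


def boot(registers: dict, partitions: dict, enter_recovery: bool = False,
         recovery_checked_every_boot: bool = True) -> bytes:
    """Return the image that would run, or raise BootError.

    recovery_checked_every_boot=True is what designgears observed on the Atrix;
    False models the 'only checked when accessed' behaviour others expected.
    """
    hs = not device_is_gp(registers)
    kernel = verify_partition("boot", partitions, hs)  # checked on every boot
    if enter_recovery or recovery_checked_every_boot:
        recovery = verify_partition("recovery", partitions, hs)
        if enter_recovery:
            return recovery
    return kernel


def make_partitions(kernel: bytes, recovery: bytes) -> dict:
    """Constructed flash layout: each image stored next to its OEM tag."""
    return {"boot": (kernel, sign_image(kernel)),
            "recovery": (recovery, sign_image(recovery))}


def demo() -> dict:
    """Run the cases the thread argues about and return their outcomes by name."""
    hs_regs = {CONTROL_PRODUCTION_ID: 0x0F}  # constructed non-GP value
    gp_regs = {CONTROL_PRODUCTION_ID: GP_DEVICE_ID}
    stock = make_partitions(b"stock-kernel", b"stock-recovery")
    tampered = dict(stock)
    # Recovery image replaced, stock tag left in place: what a flashed custom recovery looks like.
    tampered["recovery"] = (b"custom-recovery", stock["recovery"][1])

    def outcome(**kw):
        try:
            return boot(**kw).decode()
        except BootError as err:
            return f"BRICK ({err})"

    return {
        "hs_stock": outcome(registers=hs_regs, partitions=stock),
        "hs_custom_recovery_every_boot": outcome(registers=hs_regs, partitions=tampered),
        "hs_custom_recovery_on_access": outcome(registers=hs_regs, partitions=tampered,
                                                recovery_checked_every_boot=False),
        "gp_custom_recovery": outcome(registers=gp_regs, partitions=tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} -> {result}")
```

The two HS cases with a custom recovery differ only in when the recovery tag is checked, which is exactly the point the thread could not settle from documentation alone.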

Job interview Qs - need advice

Can all developers please share some information regarding job interviews?
I would like to know how to improve myself in an interview for development and how to improve my answers in order to make myself more appealing.
Here are some questions that I've been asked and would like to know how to improve the answers to:
1) When you need help with coding, what do you do? - what sites do you use? - How do you approach a solution?
2) When do you approach your senior developer?
3) How do you keep up to date?
4) Give me an example of when you solved a difficult problem using PHP (or whatever language)
Basically many examples need to be given; not sure how to answer them.
There are other questions that I'll ask when they come to mind.
I need some input, guys!! Or at least guide me in the right direction, please.
mojo22 said:
1) When you need help with coding, what do you do? - what sites do you use? - How do you approach a solution?
If I do go for a site, I first use Google and anything relevant to what I'm already trying to do to solve the problem. If Google doesn't help, or the answers are too vague and I need something more specific then there's no better help out there than StackOverflow. If you don't know it, get to know it
Also, see the next question.
mojo22 said:
2) When do you approach your senior developer?
In the above scenario, after you've tried for yourself for a while at least. A senior dev will get narked if you keep hassling them without at least trying to help yourself!
mojo22 said:
3) How do you keep up to date ?
Learn to prioritise. There's nothing really more to say about that as it's a personal experience thing. Make sure you keep notes of every task you need to do and mark it done when it's done, no matter how trivial it seems. You get better at it the more you do it.
mojo22 said:
4) Give me an example of when you solved a difficult problem using PHP (or whatever language)
Basically many examples need to be given; not sure how to answer them.
This is obviously a very personal question that no-one can answer for you. I'm not gonna tell you about any projects I've worked on and had to deal with problems because there's no point. If you give it as an example they'll only ask you to expand on it and you won't be able to. Besides, it's all well and good trying to impress, but don't out-and-out lie at an interview. Basically, they just want to know that you *can* solve problems. Tell them something where you learnt something that you were able to use again - it shows a willingness to learn, the ability to understand there are things you need to learn, and that you can grow from such a situation.
Other than that, be confident and remember that they've got you in for an interview because they're already interested. Also, it's not a 1-way street. They might be arseholes that you'd never work for. The interview is as much for you as it is for them.
Not sure if any of that has been any help, but they're my honest answers anyway.
Good luck, and let us know how you get on
Archer said:
If I do go for a site, I first use Google and anything relevant to what I'm already trying to do to solve the problem. If Google doesn't help, or the answers are too vague and I need something more specific then there's no better help out there than StackOverflow. If you don't know it, get to know it
This was indeed my exact answer! For some reason that is seen as a 'junior' solution believe it or not! I'm so pissed cause that is what people do...even seniors.
Archer said:
Learn to prioritise. There's nothing really more to say about that as it's a personal experience thing. Make sure you keep notes of every task you need to do and mark it done when it's done, no matter how trivial it seems. You get better at it the more you do it.
The question was more regarding, how do you keep up to date with software/tech basically. For example Wordpress has been updated. How did you know about it etc.
There is a new CMS system, how do you find out about it? etc.
Archer said:
This is obviously a very personal question that no-one can answer for you. I'm not gonna tell you about any projects I've worked on and had to deal with
I did try to answer this question as you stated; it is hard though, because there were like 12 of them, and giving constant examples was a PITA. I deal with it every day, yet I found it awkward to sit there and tell a stranger all about it and that I am capable of handling it....
Archer said:
Other than that, be confident and remember that they've got you in for an interview because they're already interested. Also, it's not a 1-way street. They might be arseholes that you'd never work for. The interview is as much for you as it is for them.
Not sure if any of that has been any help, but they're my honest answers anyway.
Good luck, and let us know how you get on
Thanks a lot for your answer It DOES help! :good:
I will try to learn these pointers so that they are second nature. I need to boost my confidence too; it's just that I try not to be arrogant and it actually goes downhill after that.
I need to improve my answers and don't know where to ask!
mojo22 said:
The question was more regarding, how do you keep up to date with software/tech basically. For example Wordpress has been updated. How did you know about it etc.
There is a new CMS system, how do you find out about it? etc.
In that case, tech blogs with RSS feeds. I use iGoogle as my home page both at home and at work and it has different feeds on there for different bits of tech (web development, windows development, mobile development etc..)
Also, I think confidence is best when it's natural. If you've not got it yet then just keep getting better at what you're doing and you'll eventually get it. I've been doing it a long time now so only get a slight flutter of nerves at interviews. It's normally just a case of answering questions honestly and asking a couple of good ones back and I get the job. There's a lot of people out there doing development work, but not that many that have stuck it out and got actually good at it. Stick at it and you'll become a valuable commodity!
Archer said:
In that case, tech blogs with RSS feeds. I use iGoogle as my home page both at home and at work and it has different feeds on there for different bits of tech (web development, windows development, mobile development etc..)
Thanks, what sort of feeds are you subscribed to?
I think I need to do something like this. Also, is it productive for developers to be on G+? Is there a benefit?
You know, the answer to the question about solving a problem was to go to the original source, like WordPress has their own codex/reference site. PHP has theirs, jQuery and all that. I use those sites but didn't even consider stating it in the interview.
Archer said:
Also, I think confidence is best when it's natural. If you've not got it yet then just keep getting better at what you're doing and you'll eventually get it. I've been doing it a long time now so only get a slight flutter of nerves at interviews. It's normally just a case of answering questions honestly and asking a couple of good ones back and I get the job. There's a lot of people out there doing development work, but not that many that have stuck it out and got actually good at it. Stick at it and you'll become a valuable commodity!
I plan to stick at it, since it's putting food on my plate, but I need to get better since, like, yesterday! It's been my life since January, really focusing on it, but now I'm trying to get a balance in my life back again.
Do you have any advice or pointers that you'd like to share from your experience please?
Thanks for your time Archer
Here's a list of the feeds I have on the "development" tab of my home page...
MSDN .Net Blog
Android Developers Blog
Visual C# News
Windows Phone Developers Blog
jQuery Blog
Just have a search for blogs that are relevant to your interests and most of them will either work as an RSS feed direct, or will have an RSS or Atom link, both of which are perfect for iGoogle (or other RSS readers).
I do use G+, but not in a professional capacity at all. To be honest though, I don't use any social networks for anything professional. I probably would if I had my own business and needed to market myself, but I don't so it's just not relevant.
As for pointers, the only thing I can really say is that when someone presents you with a challenge, look at it as an opportunity to enhance your knowledge and skill-set. I've seen many programmers respond with "Yeah, you can't do it like that. We'll do it like this instead." That's bull. There's virtually nothing you can't make your computer or website do, with just some imagination and perseverance. And it goes without saying, the more you enjoy it the better you're likely to be at it.
So what field are you going into? You said you've been doing it since January, but I expect you've been doing it a lot longer than that. Is this your first time developing as a career?
Thanks for those links. Thought I'd share some that I've found; they might be of use to somebody:
http://www.codecademy.com/
http://railsforzombies.org/
http://teamtreehouse.com/
http://www.netmagazine.com/
http://sass-lang.com/
http://haml.info/
http://www.smashingmagazine.com/
http://net.tutsplus.com/
Archer said:
Just have a search for blogs that are relevant to your interests and most of them will either work as an RSS feed direct, or will have an RSS or Atom link, both of which are perfect for iGoogle (or other RSS readers).
Do you know what news just made it out yesterday!! LOL
iGoogle will be removed! In about 14 months, I think... how bad is that, just when I was about to sign up and set myself up ahhhh :silly:
I used to use it, but not for productive reasons.
Will need to hook myself up in some other way now.
mojo22 said:
Thanks for those links. Thought I'd share some that I've found; they might be of use to somebody:
http://www.codecademy.com/
http://railsforzombies.org/
http://teamtreehouse.com/
http://www.netmagazine.com/
http://sass-lang.com/
http://haml.info/
http://www.smashingmagazine.com/
http://net.tutsplus.com/
Do you know what news just made it out yesterday!! LOL
iGoogle will be removed! In about 14 months, I think... how bad is that, just when I was about to sign up and set myself up ahhhh :silly:
I used to use it, but not for productive reasons.
Will need to hook myself up in some other way now.
I know - I saw it this morning when I opened my browser and immediately thought about this thread lol.
I'm gutted as it's the perfect home page for my needs. All their advice about getting weather widgets and looking on the Play Store for replacements has got nothing to do with having an RSS reader home page.
Thanks for the extra links - I'll have a look through them.

Calling car guys that code (BMW specific)

Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
loudaccord said:
Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
Bump.
What we need is someone to 'look very closely' at the ROM files for the TCU. The ROM files are protected with what I believe are 1024-bit RSA signatures, and we need to find a weakness in the bootloader or something in order to upload modified files. The 335i ECU had a security hole which allows for tricking the ECU into verifying the same signature twice, opening up the important part of the file for modifications. There were three sections: the BAF, PAF and DAF. BAF verified the PAF and BAF verified the DAF. We got the BAF to verify the PAF signature twice.
I think the TCU works on something of a similar system most likely, but nobody has really taken a good look. I think someone has cracked it once before for the M3 which uses the same TCU but different ROM files, but they aren't telling.
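The "verify the same signature twice" defect described above, as an added example that is not part of the post or of any BMW firmware: a constructed three-section container (BAF/PAF/DAF) checked by a verifier with that copy-paste bug, beside the corrected verifier. HMAC-SHA256 stands in for the RSA signatures the post mentions; the layout, section names and key are all made up for the demo.

```python
"""Model of a three-section firmware container whose verifier re-checks one
section's tag instead of checking each section's own tag (constructed demo)."""
import hashlib
import hmac
import struct

VERIFY_KEY = b"constructed-demo-key"   # stand-in for the verifier's key material
SECTION_ORDER = ("BAF", "PAF", "DAF")  # names taken from the post; layout is made up
TAG_LEN = 32


def sign_section(name, body, key=VERIFY_KEY):
    # Bind the tag to the section name so a PAF tag can never be accepted as a DAF tag.
    return hmac.new(key, name.encode() + b"\x00" + body, hashlib.sha256).digest()


def build_image(sections):
    """Serialise: for each section, name(3) | len(4, big-endian) | body | tag(32)."""
    out = b""
    for name in SECTION_ORDER:
        body = sections[name]
        out += name.encode() + struct.pack(">I", len(body)) + body + sign_section(name, body)
    return out


def parse_image(image):
    """Return {name: (body, tag)}; raise ValueError on bad order or truncation."""
    parsed, off = {}, 0
    for expected in SECTION_ORDER:
        if len(image) < off + 7:
            raise ValueError("truncated header at offset %d" % off)
        name = image[off:off + 3].decode("ascii", "replace")
        if name != expected:
            raise ValueError("unexpected section %r at offset %d" % (name, off))
        (length,) = struct.unpack(">I", image[off + 3:off + 7])
        body = image[off + 7:off + 7 + length]
        tag = image[off + 7 + length:off + 7 + length + TAG_LEN]
        if len(body) != length or len(tag) != TAG_LEN:
            raise ValueError("truncated section %s" % name)
        parsed[name] = (body, tag)
        off += 7 + length + TAG_LEN
    return parsed


def verify_buggy(image):
    """Defective verifier: the PAF tag is checked twice; the DAF tag is never checked."""
    s = parse_image(image)
    ok_paf = hmac.compare_digest(sign_section("PAF", s["PAF"][0]), s["PAF"][1])
    ok_daf = hmac.compare_digest(sign_section("PAF", s["PAF"][0]), s["PAF"][1])  # copy-paste bug
    return ok_paf and ok_daf


def verify_fixed(image):
    """Corrected verifier: every section's own tag is checked against its own body."""
    s = parse_image(image)
    return all(hmac.compare_digest(sign_section(n, s[n][0]), s[n][1]) for n in SECTION_ORDER)


def with_modified_daf(image, new_daf):
    """Test fixture: same image with a replaced DAF body but the original, now stale, DAF tag."""
    s = parse_image(image)
    out = b""
    for name in SECTION_ORDER:
        body, tag = s[name]
        if name == "DAF":
            body = new_daf
        out += name.encode() + struct.pack(">I", len(body)) + body + tag
    return out


GOOD = build_image({"BAF": b"boot-area", "PAF": b"program-area", "DAF": b"data-area"})
MODIFIED = with_modified_daf(GOOD, b"data-area-modified")

if __name__ == "__main__":
    print("buggy verifier accepts modified DAF:", verify_buggy(MODIFIED))   # True
    print("fixed verifier accepts modified DAF:", verify_fixed(MODIFIED))   # False
```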
Bump. I'm sure there could be some good money raised too if a developer needs some incentive.
doublespaces said:
.
ROM files,
You said ROM, so we just need SU right?
I agree with nguyenvn - could end up with some $$$ as there is quite the demand.
At the moment the community at e90post is trying to find a way, but after months and a steep learning curve, we're stuck with the signature problem.... the thread is called "Transmission remap - Let's do it ourselves".

[TOOL][CyboLabs] Open Bump! Sign your boot images by yourself!

CyboLabs is proud to present
Open Bump!
What is Open Bump?
Open Bump is a recreation of the closed source Bump project run by Codefire.
It will allow you to "sign" your boot images in the same way that Codefire does it, only you don't need an internet connection.
What Open Bump is NOT
Let's get the obvious out of the way. It won't axe murder you.
It is not a direct reverse engineer of Codefire's implementation. I found the key and IV on my own.
The magic bytes were taken from Codefire's method, however. If anyone has insight as to how they were found, please shout up.
It does NOT take your private data so you can use it. Tin hatters, feel free to double check.
How did I find this out
I had a general idea of what to look for, having heard that the exploit is related to uicc, and is signed with a cipher.
Dropping the aboot image into Ghex led me to find a reference to "uiccsecurity". Using the bytes around this, I found a repeat of 32 bytes, which was followed by 16 bytes which formed something that resembled "SecureWallpaper".
As you can probably guess, this was mainly trial and error backed by common sense and logical thinking.
You can programmatically find these values with the Python script:
Python:
# Locate the 32-byte key and 16-byte IV that aboot keeps around the "uiccsecurity" string.
# The key sits immediately before "uicc"; a second copy of the same key appears later
# in the image and is directly followed by the IV.
aboot_name = './aboot.img'
with open(aboot_name, 'rb') as f:
    aboot = f.read()
key_end = aboot.index(b'uicc')             # b'' so the same code runs on python2 and python3
key_start = key_end - 32
key = aboot[key_start:key_end]             # 32-byte key
sec_key_start = aboot.index(key, key_end)  # second occurrence of the key
iv_start = sec_key_start + 32
iv_end = iv_start + 16
iv = aboot[iv_start:iv_end]                # 16-byte IV
Deciphering some already generated "signatures" proved that these were the key and IV used for "signing" the images.
What is coming next?
Inspecting the signatures that were originally uploaded and the ones that people can generate now, I found only one pattern.
The only similarities were the first 16 bytes of each "signature". I believe that only the magic number is needed, and none of the garbage that follows. This has been confirmed by the LG G3 dev from CyanogenMod, Invisiblek Done
How to use it?
I don't know how well this will run on anything other than Linux, so for now I won't talk about it.
First, ensure you are using python2,
then run the script:
Code:
python2 open_bump.py "/path/to/boot.img"
Flash the output, and enjoy.
Thanks to:
Obviously, this wouldn't have been possible without Codefire since I wouldn't have known where to look, or that it was exploitable. And it was them that found the magic key.
Big thank you to @pulser_g2, who offered invaluable input on cryptography
Big thank you to @invisiblek, who I mercilessly kanged the main part of the image padding script from
note:
The original part of finding this information out was done on my own with guidance from pulser. The final results of this are posted above.
XDA:DevDB Information
Open_Bump, Tool/Utility for the LG G2
Contributors
cybojenix
Source Code: https://github.com/CyboLabs/Open_Bump
Version Information
Status: Beta
Created 2014-11-23
Last Updated 2014-11-23
Thanks, that's great news to have an open source tool here!
Do you see any chance that this could be integrated into CWM/TWRP so that the recovery rom could bump the boot/recovery images before flashing?
Because the boot/recovery.img has to be extracted from the ROM-zip before flashing, bumping it here would make sure that the phone can boot the image even with the newer bootloader.
This would be great for rom-devs since they don't have to change anything and it would even bump roms that are not maintained anymore.
g4rb4g3 said:
Thanks, that's great news to have an open source tool here!
Do you see any chance that this could be integrated into CWM/TWRP so that the recovery rom could bump the boot/recovery images before flashing?
Because the boot/recovery.img has to be extracted from the ROM-zip before flashing, bumping it here would make sure that the phone can boot the image even with the newer bootloader.
This would be great for rom-devs since they don't have to change anything and it would even bump roms that are not maintained anymore.
Simple answer: this can be added to the build step really easily. See this commit.
edit:
of course it may be useful to make a c program to do this.... I shall think on it.
Probably a stupid question, but I'll give it a shot. Since we have the magic key, can't we just skip the bump stuff totally? As I understand it, I don't expect the official developer team to join the Bump train, and that's why development for the device is really behind while the hardware is more than capable.
**To the OP i wish i could give you a thousand likes sir!
After getting the bootloader, maybe the G3 will be open??
Why not use the original Bump?
Quote:
Codefire has been extremely vague about their method, obviously to prevent someone else replicating their results.
They are also storing people's data unnecessarily, and even adding some information relating to the user in to the "signature", possibly for tracking purposes.
As a result of it being an external service, many reputable teams (which won't be named unless they want to be) have said they will not use it, and would rather wait till LG releases the official unlock method.
Finally, Codefire have said the sha1sum of the boot image is required. Whether they knew or not, it is NOT required, and I will be changing this tool to compensate for that.
Happy you found a new exploit for us builders and devs, but I just feel like you kind of disrespected the Codefire team by accusing them of things before actually talking to them. It seems a bit counterproductive; this may piss them off, and on the next device you can kiss new exploits from them goodbye.
Just my 2 cents on the matter.
I'd remove the line...
In any case, thank you very much, I will add it to my build script.
---------- Post added at 08:34 PM ---------- Previous post was at 08:29 PM ----------
nikosblade said:
Probably a stupid question, but I'll give it a shot. Since we have the magic key, can't we just skip the bump stuff totally? As I understand it, I don't expect the official developer team to join the Bump train, and that's why development for the device is really behind while the hardware is more than capable.
**To the OP i wish i could give you a thousand likes sir!
"Bump stuff" has nothing to do with users; the devs and builders do the "bumping". And development of the G series has nothing to do with bumping, it just takes time to bring everything up.
Good job cybojenix. (moderator edit: watch your language please)
Way to ruin a good thing.
I'm done with Android now. You can do it all now - since you obviously know better than me and everyone else.
I don't appreciate people trying to blackmail me - EnderBlue and Cybo both.
Don't believe me? http://hastebin.com/gulumezawi.txt
Good job guys. Way to ruin unlocks for all future LG phones.
If I *EVER* decide to come back, I will not be releasing anything as free or open source. You've sullied my impression of the open source community. Anything I do will be private releases from now on.
LG hadn't patched Bump, and they were going to leave it alone for us as long as we kept it as a service.
Well, looks like that's over and done with.
Bump included a hash of the image that you uploaded and a hash of your developer ID, and some random junk bytes. That's all. It's exactly what we said it was doing.
Well, hey, now you're free to take over and write roots and unlocks for all LG phones since you obviously have the talent to do so.
Let's be honest though, without my team's hard work that you stole, you wouldn't have been able to do any of this.
But you knew that, you're just a bottom feeder.
I don't get angry often at all- but congrats! You've succeeded in making me mad! Achievement unlocked!
I'm done. Your turn.
EDIT: Also, you know you can't open source your project either considering it contains 'stolen' LG crypto keys. https://github.com/CyboLabs/Open_Bump/issues/1
Have fun with that one.
thecubed said:
Good job cybojenix. (moderator edit: watch your language please)
Way to ruin a good thing.
I'm done with Android now. You can do it all now - since you obviously know better than me and everyone else.
I don't appreciate people trying to blackmail me - EnderBlue and Cybo both.
Don't believe me? http://hastebin.com/gulumezawi.txt
Good job guys. Way to ruin unlocks for all future LG phones.
If I *EVER* decide to come back, I will not be releasing anything as free or open source. You've sullied my impression of the open source community. Anything I do will be private releases from now on.
LG hadn't patched Bump, and they were going to leave it alone for us as long as we kept it as a service.
Well, looks like that's over and done with.
Bump included a hash of the image that you uploaded and a hash of your developer ID, and some random junk bytes. That's all. It's exactly what we said it was doing.
Well, hey, now you're free to take over and write roots and unlocks for all LG phones since you obviously have the talent to do so.
Let's be honest though, without my team's hard work that you stole, you wouldn't have been able to do any of this.
But you knew that, you're just a bottom feeder.
I don't get angry often at all- but congrats! You've succeeded in making me mad! Achievement unlocked!
I'm done. Your turn.
EDIT: Also, you know you can't open source your project either considering it contains 'stolen' LG crypto keys. https://github.com/CyboLabs/Open_Bump/issues/1
Have fun with that one.
First off, I didn't blackmail. I gave your team notice about open sourcing it after reverse engineering the LG bootloader, not your "signatures".
It's your choice if you want to leave Android. Pinning the blame on me is somewhat childish though.
LG not patching Bump? That's a ludicrous statement, and even if it's true, it's good that this script got released. That way they know it should be patched, since having it a service clearly makes all the difference to them.
The hardest part of your team's work was getting the keys. If you know where to look, then it's easy enough to get engineering builds which I suspect contain the master magic bytes which you released.
I'm honestly shocked at your reaction though. I gave your team all the credit and stated which parts I did myself. The part about the service, and the deception was justified.
You tried to obscure something which by logic can't be obscured. That's how so many people realised they can just append the bytes to the image.
So which one would you rather have: LG not patching the exploit (as you so claim), and having an unknown number of people in China running around flashing custom boot images, or having everyone know how to do it, to force LG to recheck their security measures?
What I did may not have been fantastic for the community, but what you did was insanely dangerous for the 90% of LG users.
All you did was make it so LG locks down the bootloader. And really 90% of users??? There probably isn't even 3 percent of the LG base on this website. All you did was screw everybody else over so you could have YOUR OFFICIAL CM.
As well, people are saying you didn't do enough and are still using their signing key as well as attacking it.
Way to think about yourself. You didn't care about the 90% or you wouldn't have done this.
I personally hope LG locks down the bootloader now. Go the way Samsung did and put an efuse on it and prevent downgrading. Hopefully all this happens with lollipop so you can screw over the rest of the LG crowd.
cybojenix said:
it's good that this script got released. That way they know it should be patched, since having it a service clearly makes all the difference to them.
"Hey let's potentially close all future LG unlocks and thus the chance to use CyanogenMod on future LG devices then. Just so I can get the current CM builds to say 'Official' and get a big pat on the back from the CM dudes who probably don't care about me too much."
Is that what went through your mind? That instant gratification and ignorance really shows who you are because that's exactly what I see from this OP of yours. Enjoy your 15 minutes of fame. You probably just killed a chance for years of it.
savoca said:
"Hey let's potentially close all future LG unlocks and thus the chance to use CyanogenMod on future LG devices then. Just so I can get the current CM builds to say 'Official' and get a big pat on the back from the CM dudes who probably don't care about me too much."
Is that what went through your mind? That instant gratification and ignorance really shows who you are because that's exactly what I see from this OP of yours. Enjoy your 15 minutes of fame. You probably just killed a chance for years of it.
Yes, because I've been such a massive supporter of CM. (Sarcasm, in case you didn't realise.)
I started reverse engineering the bootloader for research purposes. If it was more complex than what I have said above, then I probably wouldn't have done this thread.
If it weren't for the fact that the magic stays the same across all signatures, then I also wouldn't have done this thread.
The response I got from them when I contacted them before releasing this was pretty much one of lack of care. So I went ahead and posted it.
I couldn't care less about fame. In fact there isn't really a lot I do care about, but I won't have the community alienated into thinking the Codefire service was such a great thing.
And once again, I refuse to take the blame for their team leaving Android.
whoppe862005 said:
All you did was make it so LG locks down the bootloader. And really 90% of users??? There probably isn't even 3 percent of the LG base on this website. All you did was screw everybody else over so you could have YOUR OFFICIAL CM.
As well, people are saying you didn't do enough and are still using their signing key as well as attacking it.
Way to think about yourself. You didn't care about the 90% or you wouldn't have done this.
I personally hope LG locks down the bootloader now. Go the way Samsung did and put an efuse on it and prevent downgrading. Hopefully all this happens with lollipop so you can screw over the rest of the LG crowd.
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
cybojenix said:
I couldn't care less about fame. In fact there isn't really a lot I do care about, but I won't have the community alienated into thinking the Codefire service was such a great thing.
So you only care about ruining good things, and other people's work?
Lol, sorry, I think I'm done with you. Bye cybo.
savoca said:
So you only care about ruining good things, and other people's work?
Lol, sorry, I think I'm done with you. Bye cybo.
Tbh, I thought it would have been clear by now what I care about. Then again, I may have been wrong about considering you one of the smart Android people.
I care about learning and sharing knowledge. Which is precisely what this thread did.
cybojenix said:
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
I saw your PM to autoprime in IRC. It was "I am going to post what I found or you do, either way it's going there". It wasn't lack of care; it was that you just stated a fact and left, which was a very rude, unthoughtful thing to do. Also, don't try to BS everyone with your research. You and about 100 other people found the "magic keys"; the problem is those "magic keys" were placed there by team Codefire. You didn't find them; you found that they were using the key and copied their work. Anything else you say is a lie. At least the other 99 people who found this had the basic respect not to post it unless the original team allowed it.
There was no reason to post this. Their site was working fine, and if you used the API there was no problem of tracking, since it just uses a UID to identify to the server.
At least admit you were wrong and say you are sorry. They won't fix anything, but it will gain you a minimum amount of respect.
sooti said:
I saw your PM to autoprime in IRC. It was "I am going to post what I found or you do, either way it's going there". It wasn't lack of care; it was that you just stated a fact and left, which was a very rude, unthoughtful thing to do. Also, don't try to BS everyone with your research. You and about 100 other people found the "magic keys"; the problem is those "magic keys" were placed there by team Codefire. You didn't find them; you found that they were using the key and copied their work. Anything else you say is a lie. At least the other 99 people who found this had the basic respect not to post it unless the original team allowed it.
There was no reason to post this. Their site was working fine, and if you used the API there was no problem of tracking, since it just uses a UID to identify to the server.
At least admit you were wrong and say you are sorry. They won't fix anything, but it will gain you a minimum amount of respect.
Wrong. I stated that I was going to open source it, meaning the work I put into getting the key and how it's used to get the original magic.
It was after that that I realised the final magic is the only thing needed. I actually worked out how to get the magic key a few hours ago, but since I don't have the right images, it won't be globally usable.
Fair enough, I apologise for pointing out the flaws in Codefire's service, and that they took it badly.
cybojenix said:
See my other post, I don't care about CM.
Fair enough, 3% are here, so this benefits the security of 97% of LG users, if the claim that LG was alright with it running as a service is true.
Either way, I did nothing wrong.
OK. If you did nothing wrong, please do explain this:
Enderblue: "well, would you be willing to open source it so we can have official cm support?"
IoMonster: "so it would make storm already worse than what it is now?" *paraphrasing for language
IoMonster: "no"
Seems like he said he didn't want it open sourced, but you still went ahead anyway.
http://hastebin.com/gulumezawi.txt
And then you saying you're going to push it for the vs985 even after he said no.
I don't know who Enderblue is, and I'm not affiliated with him..
whoppe862005 said:
OK. If you did nothing wrong, please do explain this:
Enderblue: "well, would you be willing to open source it so we can have official cm support?"
IoMonster: "so it would make storm already worse than what it is now?" *paraphrasing for language
IoMonster: "no"
Seems like he said he didn't want it open sourced, but you still went ahead anyway.
http://hastebin.com/gulumezawi.txt
And then you saying you're going to push it for the vs985 even after he said no.
cybojenix said:
I don't know who Enderblue is, and I'm not affiliated with him..
It isn't like it matters if you are or not. It says right in the chat he doesn't want it open sourced. I'm sure about 99% of the people on here have seen that already and I'm pretty sure you have seen it as well.
It states right in the chat he didn't want it open sourced.
whoppe862005 said:
It isn't like it matters if you are or not. It says right in the chat he doesn't want it open sourced. I'm sure about 99% of the people on here have seen that already and I'm pretty sure you have seen it as well.
It states right in the chat he didn't want it open sourced.
But the chat wasn't with me, so your point is null.
autoprime had ample opportunity to say "don't do it yet", or "go talk to IO". But no, no objections were made.
Codefire treated the service like any other company would treat their unlocking service, so I treated them like a company and showed how it was done.
