[DEV] r/w access to /system [SuperCID] - Desire Android Development

Hi folks!
My Desire should arrive within a week or so. Over the past days I tried to collect as much data as I could about getting full root access with r/w access to /system.
We probably need a modified SSPL and a HardSPL. So far I've tried to contact cmonex, gauner1986 and haykuro to help us here.
So here is the first question to you (Desire owners): do we have JTAG on the Desire? Haykuro asked me; JTAG is required, otherwise testing is impossible.
Haykuro said:
You guys got JTAG on it? If not it'd be brick heaven as we work on that.
UPDATE 1:
We found one device with r/w access to /system, but we don't know where the security flag is set, so we can't set it on "normal" phones.
Adam235 is currently analyzing the dumped files.
UPDATE 2:
ahmgsk provided his recovery. Playtime.
http://www.multiupload.com/XTRBWD6ML2
UPDATE 3:
NAND was unlocked for the EVO 4G. Maybe this helps us.
UPDATE 4:
New root method, which should work with any new 2.1 HTC phone, but we still don't have full write access to /system:
http://forum.androidspin.com/showthread.php?p=13939#post13939

Well, first off, good luck.
Don't we need schematics to know that, or at the very least to rip apart the Desire to access the motherboard and possibly find the JTAG pins?
Any less barbaric way? :<

sruon said:
Well, first off, good luck.
Don't we need schematics to know that, or at the very least to rip apart the Desire to access the motherboard and possibly find the JTAG pins?
Any less barbaric way? :<
It seems this is the only way...

Does anyone have a high-res picture of the Desire MB?

i6bazar said:
Does anyone have a high-res picture of the Desire MB?
Someone posted it on the modaco IRC channel, but you need a fully working xda-china account; after registering I still have problems.
http://www.xda-china.net/thread-52190-1-1.html

Here are some pictures of the Desire. Credits to the original poster (百事可乐) on Xda-china!

Judging by the USB bricking showing the phones as Qualcomm devices, and further by the mention of some Qualcomm development/debug tools on XDA, I'd say if anything the JTAG connection is obtained via the USB port, and is activated by somehow switching the device to debug mode.

alias_neo said:
Judging by the USB bricking showing the phones as Qualcomm devices, and further by the mention of some Qualcomm development/debug tools on XDA, I'd say if anything the JTAG connection is obtained via the USB port, and is activated by somehow switching the device to debug mode.
I think also that this could be a possibility.

Ahem... I think you mean joint first JD.

Thanks for the input so far.
Over at modaco someone got a phone with full r/w access to /system.
Anyone got an idea which addresses we need to dump the SPL with pmemdump?

Here is the link to modaco. The user is called maddoxus.
http://android.modaco.com/content-page/309939/usb-brick-rickrolled-b0rked-fixed/page/120/#
Kubino is working on dumping the SPL!

allla said:
Here is the link to modaco. The user is called maddoxus.
http://android.modaco.com/content-page/309939/usb-brick-rickrolled-b0rked-fixed/page/120/#
Kubino is working on dumping the SPL!
We have dumped the hidden part (containing radio, SPL, splash ...); Adam235 is analyzing the dump.

kubino99 said:
We have dumped the hidden part (containing radio, SPL, splash ...); Adam235 is analyzing the dump.
This is fantastic news; a proper root may be possible now.

DocRambone said:
This is fantastic news; a proper root may be possible now.
We don't know yet if we are able to write to the hidden part; I assume it would not be that easy. ;-)

kubino99 said:
We don't know yet if we are able to write to the hidden part; I assume it would not be that easy. ;-)
Maybe Adam235 or you should also try to contact haykuro or cmonex.

allla said:
Maybe Adam235 or you should also try to contact haykuro or cmonex.
We found yesterday that SuperCID can be achieved by setting 2 flags in NAND. One we have successfully set; the other one seems to be in the radio section.

kubino99 said:
We found yesterday that SuperCID can be achieved by setting 2 flags in NAND. One we have successfully set; the other one seems to be in the radio section.
And the second flag is not changeable?

Brilliant news. It would be good if info could be found as and when it's happening. Is there an IRC channel floating about where announcements and info are shared?

dread123 said:
Brilliant news. It would be good if info could be found as and when it's happening. Is there an IRC channel floating about where announcements and info are shared?
irc.freenode.org #modaco

allla said:
And the second flag is not changeable?
We don't know yet exactly where it is; it's not so easy to find. You can connect to the modaco IRC and get involved in development.

Related

[REF] diag test

5.05A
Just download Elf.zip for ELFIN Service manual.pdf; you'll know how to use it.
911sniper said:
2008/08/18 Release V5.05A for ASP
Holy crap!
Thanks! Now let's see if this helps with Gold Card users not being able to unbrick.
Can you please explain to me what this actually is? I'm guessing it's a diagnostic utility for the Elf, but how and when are we supposed to use it?
xmodinc said:
Can you please explain to me what this actually is? I'm guessing it's a diagnostic utility for the Elf, but how and when are we supposed to use it?
There's some information on the Herald Goldcard page (check the link from the Elfin Goldcard wiki).
I haven't tried it yet, but maybe it does some cool stuff like bypassing the Model ID check?
Are you able to get the SDO file as mentioned in the service manual (page 35)? I assume this is an all-Elf unbricking image.
The HTC website requires login to obtain it.
dsixda said:
Are you able to get the SDO file as mentioned in the service manual (page 35)? I assume this is an all-Elf unbricking image.
The HTC website requires login to obtain it.
Can't help with that...
Hi!
I tested the file on my bricked Elfin.
Normal flashing via SD card is impossible because the bootloader doesn't start the flash process.
However, the diagnostic file runs without any errors.
Only the last menu item from the screenshots, "Change ColourID", isn't on my screen.
My Elfin is still bricked; maybe there is a special trick to unhide this menu entry.
sandman01 said:
Only the last menu item from the screenshots, "Change ColourID", isn't on my screen.
Same here.
sandman01 said:
Hi!
I tested the file on my bricked Elfin.
Normal flashing via SD card is impossible because the bootloader doesn't start the flash process.
However, the diagnostic file runs without any errors.
Only the last menu item from the screenshots, "Change ColourID", isn't on my screen.
My Elfin is still bricked; maybe there is a special trick to unhide this menu entry.
Try this version. Compatible with ELFIN & adds [Change Color ID].
911sniper said:
Try this version. Compatible with ELFIN & adds [Change Color ID].
Hey bro, what does changing the Color ID do?
EDIT: Booting from elf0diag.nbh makes it go into a DIAG> prompt in MTTY. I don't know what commands to use though.
I think it's no use with MTTY. Many official tools are in the elf0diag.nbh format.
911sniper said:
I think it's no use with MTTY. Many official tools are in the elf0diag.nbh format.
When this one starts, it says "Please Input Password".
Note: You cannot start any ELF0DIAG.nbh from SD if you have a USPL installed; you have to flash a signed SPL first.
PLUS IT WILL HARD RESET YOUR DEVICE IMMEDIATELY AFTER IT STARTS UP, WITHOUT ASKING....
dsixda said:
When this one starts, it says "Please Input Password".
Note: You cannot start any ELF0DIAG.nbh from SD if you have a USPL installed; you have to flash a signed SPL first.
PLUS IT WILL HARD RESET YOUR DEVICE IMMEDIATELY AFTER IT STARTS UP, WITHOUT ASKING....
I never used these tools before...
Can't help more...
Hi!
I tested the new diagnostic file, and now I can change the Color ID.
Black and Green are available.
Black changes the MID to ELF030000.
Green changes the MID to ELF030001.
The original MID can't be restored!?!?!?! (it was ELF030050)
Maybe there are more versions of the diagnostic tool which change the device into other colors.
I did exactly what is written there, but I get the message:
Security level not cleared!
What am I supposed to do to avoid this and get into test?
Hi, dsixda!
Bro, I'm in trouble...
The device was in the tricolor bootloader.
Until I worked with your Onyx 4.0 it was OK, but I decided to go back, so I got into this state.
Around here (a few nautical miles) there was no other device like this... :-(
So please give me some instructions on what I can do.
I can download or receive files. Maybe it is possible to receive an image of a Gold Card unbricker, or something that allows loading from SD card or USB?
Write to me here or by PM or to my e-mail.
malintzin said:
Hi, dsixda!
Bro, I'm in trouble...
The device was in the tricolor bootloader.
Until I worked with your Onyx 4.0 it was OK, but I decided to go back, so I got into this state.
Around here (a few nautical miles) there was no other device like this... :-(
So please give me some instructions on what I can do.
I can download or receive files. Maybe it is possible to receive an image of a Gold Card unbricker, or something that allows loading from SD card or USB?
Write to me here or by PM or to my e-mail.
Why are you posting something off-topic here?
Post in the Onyx thread and mention your SPL/IPL.
sandman01 said:
Hi!
I tested the new diagnostic file, and now I can change the Color ID.
Black and Green are available.
Black changes the MID to ELF030000.
Green changes the MID to ELF030001.
The original MID can't be restored!?!?!?! (it was ELF030050)
Maybe there are more versions of the diagnostic tool which change the device into other colors.
Really? I'm still at ELF010150 (I ran device_info.bat). What does device_info.bat say for you?
I dumped the USB port (SnoopyPro + mtty).
There is also the change from ELF030050 to ELF030000.
sandman01 said:
I dumped the USB port (SnoopyPro + mtty).
There is also the change from ELF030050 to ELF030000.
That's pretty cool.
Are there any shipped ROMs with this Model ID (so that you can use a Gold Card)?

Shrinking the Extended ROM

Does anyone know how to shrink the extended ROM for the Wing/Herald? I put a 2MB extended ROM into my image, and when I go to flash I get an invalid file size error.
toadlife said:
Does anyone know how to shrink the extended ROM for the Wing/Herald? I put a 2MB extended ROM into my image, and when I go to flash I get an invalid file size error.
It's impossible. Unfortunately, our SPL's flash drive driver only supports a 10MB one. Believe me, I've tried... and I got confirmation from cmonex, an SPL expert. Unfortunately, there is nothing to be done, as the drivers are device specific. (Unless someone was somehow good enough to code a whole new driver for the Herald.)
ivanmmj said:
It's impossible. Unfortunately, our SPL's flash drive driver only supports a 10MB one. Believe me, I've tried... and I got confirmation from cmonex, an SPL expert. Unfortunately, there is nothing to be done, as the drivers are device specific. (Unless someone was somehow good enough to code a whole new driver for the Herald.)
Ugggh!
Thanks. I should have asked sooner!
toadlife said:
Ugggh!
Thanks. I should have asked sooner!
It's ok. I went through the same headache about 2 years ago. I just don't think I ever actually told anyone about it.

[FIXED] Downgrading HBOOT to 0.80 from 0.92

OK, so this issue has now been fixed: download the following file and place it on your SD card, start your phone up with volume down + power, and follow the instructions.
PB99IMG.zip
Thanks to everybody who tweeted this in.
o.o adamg - not really! Why did you do that?
That could not mean the end of OpenDesire and your Sense ROMs, could it?
Adam, you should have known better, but still, look at the root method now on my gf's Desire; will post when I get root.
Ohh crap, I was holding out hoping you'd have an update. Hope someone figures it out for your sake, if anything.
I will still be releasing, I have people on the team who test the roms and report the bug errors for me to fix
I will still be releasing, I have people on the team who test the roms and report the bug errors for me to fix
If you need more help testing, email me; I'm a global mod on villainrom.co.uk.
Email [email protected]
Lots of experience
Cheers
Mike
Any chance of getting a full root while we're at it? It would be awesome to use MetaMorph.
I'm sorry to hear that Adam,
but I seriously lol'd ...... so sorry.
I love your ROMs.
I've got the same problem.
http://htcpedia.com/forum/showthread.php?t=2934
Prema999 said:
http://htcpedia.com/forum/showthread.php?t=2934
Not possible, because you need root to place the flash executable and the img into a read-only directory.
Tried it too, but you definitely need a method to execute some lines of code. adb push to /data is not possible because:
- adb is not working
- you can't get root to remount /data rw instead of ro.
Before I flash anything... how did you get there?? Flashed a new 2.2 ROM? Or radio? Or????
After we upgraded the official version through HTC Live Update.
And this?
Isn't it possible to hex edit the version string to trick it into believing it is a newer version?
Prema999 said:
http://htcpedia.com/forum/showthread.php?t=2934
twicejr said:
Isn't it possible to hex edit the version string to trick it into believing it is a newer version?
That's not so easy; I think it is nearly impossible. You can't hex edit something on a read-only phone (if we could edit something we could flash the 0.80 hboot back), and hex-editing the whole RUU is, I think, impossible too because of encryption and checksum checks etc. We have to inject the flash software and the image, and this is impossible without rw / root.
wiggy2k said:
That's not so easy; I think it is nearly impossible. You can't hex edit something on a read-only phone (if we could edit something we could flash the 0.80 hboot back), and hex-editing the whole RUU is, I think, impossible too because of encryption and checksum checks etc. We have to inject the flash software and the image, and this is impossible without rw / root.
damn you htc
madman_cro said:
damn you htc
I think there WILL be a root hack. It is just a cat and mouse game; HTC is now in front, but the dev scene will be back soon with successful rooting, I think. So don't fear and be patient.
The only hardware which has not been exploit-hacked so far is the PlayStation 3. (I hate not having OtherOS anymore ...)
Yes, they should come with a new release, because all the new HTC devices will come with 0.92 at least.
Adam, get on Freenode IRC and query me.
There's a few things I'd like to test with you
(IRC nick = IEF)
Same problem: impossible to downgrade hboot or install "RUU_Bravo_HTC_WWE_1.21.405.2_Radio_32.36.00.28U_4.06.00.02_2_release_126984_signed".

djrbliss releases AT&T S4 bootloader vuln.

I was wondering now that djrbliss has released the vulnerability for AT&T SGS4 do we have to wait for devs to do something with it? For Loki tools it seems as if you have to have a recovery already made. Will a current one work?
https://github.com/djrbliss/loki
This seems more like a user-made HTC dev, not what true S-OFF "bootloader unlocked" would be. Nonetheless it should work fine. This probably won't touch the write-enable protection on the device. The only issue I see is that until we are truly unlocked we will always have that "Samsung custom" on our boot screens.
spyz88 said:
I was wondering now that djrbliss has released the vulnerability for AT&T SGS4 do we have to wait for devs to do something with it? For Loki tools it seems as if you have to have a recovery already made. Will a current one work?
https://github.com/djrbliss/loki
He released his source code and such, so we need someone to compile it into a .bat or .exe so we can flash a custom recovery/ROM.
It's Linux only, and devs need to use/make the loki_patch.
Someone could make a Windows/Android app to interface with loki_flash for end users though...
shabbypenguin said:
It's Linux only, and devs need to use/make the loki_patch.
Someone could make a Windows/Android app to interface with loki_flash for end users though...
Well, I can't use it as I don't use Linux, lol.
Everyone: if you don't know what to do with those files without asking, don't try it yourself. There's already one in process in the development thread, and there will be cleaner and simpler ones out within just a few hours, I'm sure, with complete instructions.
Until you can nandroid the phone, this is not something to screw around with.
fix-this! said:
Well, I can't use it as I don't use Linux, lol.
Well, if you don't use Linux you can't make kernels or recoveries.
Luckily the loki_flash utility that is used to actually put the patched img onto the device works on Android, so it doesn't matter what kind of computer you have.
alacrify said:
Everyone: if you don't know what to do with those files without asking, don't try it yourself. There's already one in process in the development thread, and there will be cleaner and simpler ones out within just a few hours, I'm sure, with complete instructions.
Until you can nandroid the phone, this is not something to screw around with.
A mod should put that up as a temp announcement in these forums. Seriously. Can't wait for the noobs to start crying in the Q&A area.... haha.
Just means soon we will have the bootloader unlocked.... patience.
lorijuan1024 said:
Just means soon we will have the bootloader unlocked.... patience.
I thought that's what this tool did. Maybe this is why Adam is still working on a bootloader unlock that's permanent. This should tide us over though.
Bjray said:
A mod should put that up as a temp announcement in these forums. Seriously. Can't wait for the noobs to start crying in the Q&A area.... haha.
Exactly. I have one phone booting to recovery now, no issues. YET! Better know what you are doing, or you will have a serious paperweight.
I rebooted out of it successfully, so we will see.
Update: nand backup was successful. Good start for us; just need the perm fix, but for now it rocks. It was so nice to see the recovery screen. SWEET
TheAxman said:
Exactly. I have one phone booting to recovery now, no issues. YET! Better know what you are doing, or you will have a serious paperweight.
I rebooted out of it successfully, so we will see.
I'm not going to try the method yet, at least for a few days. I also see a lot of soft-bricked devices tonight.
fix-this! said:
I thought that's what this tool did. Maybe this is why Adam is still working on a bootloader unlock that's permanent. This should tide us over though.
What I meant was a tool that those of us who aren't good with the programming language can use.
fix-this! said:
I'm not going to try the method yet, at least for a few days. I also see a lot of soft-bricked devices tonight.
Agreed, but I do have a JTAG box here in hand, and there is no fix for that either; I might have one phone down soon..:
Incoming update from Samsung in 3....2....1.....
I flashed what shabbypenguin provided in his recovery thread and now have a working recovery on my AT&T i337!!! :laugh::good::highfive::fingers-crossed:
Thanks to djrbliss for his awesome work!
mr_blanket said:
Incoming update from Samsung in 3....2....1.....
Simple solution is to not take the OTA. But yes, I see one coming too.
fix-this! said:
Simple solution is to not take the OTA. But yes, I see one coming too.
Yes, everyone needs to keep the OTA .apk's frozen from now on. Or use a custom ROM that doesn't have them.
mattdm said:
Yes, everyone needs to keep the OTA .apk's frozen from now on. Or use a custom ROM that doesn't have them.
Hopefully Adam can get us a more permanent solution. But props to Dan for his tool.
Couldn't be happier; after I get home from watching The Hangover I get to unlock this bad boy.
Sent from my SAMSUNG-SGH-I337 using Tapatalk 2

Think I may have something about token generation. S908U US variant

I'm potentially just unaware, but I came across EXE files that are like a modified version of ODIN; they look completely different from ODIN, and Google has provided zero information on even the title of the program. I believe it just straight up compiles the steady.bin from nothing but the DID and flashes it to the device, unlocking it. It's an S908U. There is no option to insert TARs or anything. Attached is an image.
Hello,
I think it's another version of ThorOneClick for Linux (Tizen).
yakapa40 said:
Hello,
I think it's another version of ThorOneClick for Linux (Tizen).
But this one unlocked the bootloader on an S908U for a publicly locked carrier; that's gotta be significant for someone. I tried decompiling the exe but got nowhere. I saw snippets of "steady" in the disassembly, so I know it's built in; I just don't know if it's some sort of universal key, I suppose, for unlocking these phones.
throwaway1258 said:
But this one unlocked the bootloader on an S908U for a publicly locked carrier; that's gotta be significant for someone. I tried decompiling the exe but got nowhere. I saw snippets of "steady" in the disassembly, so I know it's built in; I just don't know if it's some sort of universal key, I suppose, for unlocking these phones.
Where's the file?
wolfu11 said:
Where's the file?
Bit skeptical about uploading due to where/how it was obtained, because Samsung will likely not enjoy it being public. But I just used one up; the Odin logs are attached. I'd prefer to send it to the guys that work on unlocking for the public and not to a shady pay site.
Also, I think it's an ENG token.
Any way you can DM me the file location?
apatcas said:
Any way you can DM me the file location?
I'm combing through the assembly in Ghidra and there's too much PII in there, and I confirmed it is an engineering token. Can't risk it. Maybe I can extract the disassembly/decompile and upload the functions that handle the imaging and encryption, unless someone reputable in unlocking hops in the thread and can help me out.
This is just an exe combining Odin and your token, and it will flash the token that was generated for your device only.
So it's not a token generator.
afaneh92 said:
This is just an exe combining Odin and your token, and it will flash the token that was generated for your device only.
So it's not a token generator.
Yes I know it generates the token, but I want to know if it can be reverse engineered to change the DID and other device specific variables
throwaway1258 said:
Yes I know it generates the token, but I want to know if it can be reverse engineered to change the DID and other device specific variables
Contact me
throwaway1258 said:
Yes I know it generates the token, but I want to know if it can be reverse engineered to change the DID and other device specific variables
The guy you need to contact is @afaneh92.
He is trustworthy and one of the most knowledgeable people around; plus, I work with him all the time.
jrkruse said:
The guy you need to contact is @afaneh92.
He is trustworthy and one of the most knowledgeable people around; plus, I work with him all the time.
Confirmed. Knows his stuff and built TWRP for my device, S22U Exy.
Totally trustworthy.
Following. Hopefully something comes of this...
oncestruck said:
Following. Hopefully something comes of this...
It might, but once @afaneh92 gets ahold of it, it's gonna cost us all a sht ton of $ to use it.
bs3pro said:
It might, but once @afaneh92 gets ahold of it, it's gonna cost us all a sht ton of $ to use it.
I'd pay for someone's work. I don't know what you mean by assuming one would charge an exorbitant fee.
phr0zen said:
I'd pay for someone's work. I don't know what you mean by assuming one would charge an exorbitant fee.
Someone should release it for free, and people should be able to donate. Not everyone has $ laying around.
bs3pro said:
Someone should release it for free, and people should be able to donate. Not everyone has $ laying around.
Be that as it may, you assumed there would be an inherent inflated cost based solely on the possibility of one particular individual's work. Who knows if it's even possible? I sure as hell don't. But I am saying that I would donate to the cause. I'm sure @afaneh92, along with anyone else, would like a coffee, or a beer or 3.
If anyone knows how to decrypt the hex signature, feel free to have a crack at it.
Upload it, I'll give it a go.
