[Q] OnePlus One UART - ONE Q&A, Help & Troubleshooting

Hey, I've been playing around with the initial bootup processes on my one, and I'm wondering if there are any UART pins on the board itself, and if so, would it be possible to access them to get a serial console during initial bootstrapping of the phone?
The 2 sets of golden pins on either side of the CPU board seem somewhat suspicious, but I figured I would ask here before ripping my phone apart and trying to guess which pins to use. Thanks!

Related

[Q] Benefits of a serial adapter dongle/jig?

I would normally coordinate this with some of the devs on IRC but I don't have access to it at the moment.
Obviously a lot of work is going into a Gingerbread kernel bringup from the posted Samsung sources, and last I heard on IRC before leaving my house was that some devs were having issues getting kernels to boot.
Now, the chip on our phones that handles USB has a UART mode, where the data pins on the USB connector get routed to a serial port instead of to USB.
I have a bunch of MicroUSB breakout adapters on order from Sparkfun now (http://www.sparkfun.com/products/10031) and will be picking up a few 150k precision resistors (150k is the value for UART mode) on Saturday most likely.
My questions:
1) Will this be useful to the other kernel devs for debugging?
2) Do our kernels even output anything to the serial port that the FSA9280 routes to, or is this bootloader-only?
Obviously the specific answer for our device is unknown since I don't think anyone has tried it, but has putting a 150k resistor on ID resulted in being able to get the kernel console on the serial port on GalaxyS devices? If it works on them it should work on ours.
No clue unless you try. ;-) Would make things easier if the kernel did get compiled with serial console though I would imagine.
LinuxBozo said:
No clue unless you try. ;-) Would make things easier if the kernel did get compiled with serial console though I would imagine.
I'll start working this once the parts arrive - will see how the Froyo kernels behave then we can try to migrate it to GB if anyone is still having issues then.
Of course it could all become OBE.
I think it would be pretty cool if you could break out to a proprietary Apple connector. House it so you can adapt to any music dock that normally uses an iPod or iPhone. That way we have integrated power and music out.
Adam Outler used the UART in a project and was hoping to find a way to unbrick without a JTAG even with bad bootloaders. I have an Arduino board like the one he used and could build his jig. I don't know much about kernels or C programming, but if I can help figure anything out, or if Adam's work (I haven't kept up) was successful and we want an unbrick service for botched bootloaders and param.ifs, let me know.

XOOM 2 Battery Problems and Bypass Fix needed

Hi
I have a major problem with my tablet: the USB socket has been pried from the board. I have taken a quick look at the damage, and a replacement or soldering on a new one is out of the question, and the metal contacts on the PCB have been damaged also.
I am wondering if anyone knows a way of bypassing so I can still charge.
Can I bypass the small circuit board where the USB connector is and hard-wire the battery connections directly onto the USB itself?
This tablet has always served me so well; I don't want to give up on it just yet, as I can't afford a new one.
Fairly confident with soldering etc., just curious as to whether it will work and the best way to wire it up.

[Q] Replacing Micro USB Port for SCH-I535

I have a Verizon Samsung Galaxy S3 model SCH-I535 and I was having an issue with the charge port causing a desktop mode to pop up when plugged into my truck. This was effectively preventing the phone from charging because the screen would stay on. I read on a forum that perhaps the pin was bent down slightly closing a circuit that was only intended for certain after-market peripherals like a desktop dock. I noticed that it was in fact bent down, and I tried to gently bring it up, only to break the piece altogether. Now it won't charge or recognize any usb connections. I've begun externally charging batteries and swapping them in the morning and evening, but this is a real inconvenience, especially when I think it could just be replaced. I believe it's within my skills to solder the micro usb port, however I can't find a verifiable source for the part. I'm not under warranty, as I've already replaced the screen once. There's a part on this website called witrigs (unable to post url) that claims to be appropriate, but there isn't much information there. Can someone verify that this part would, in fact, work with my phone, or is there perhaps a better place to find parts?
From what I have read, the GS3 needs a hot air gun to desolder the plug. Not exceptionally difficult, but it does require the right tools, and there are several things close to the plug that you need to worry about.
I think I'm capable of the replacement, but is there anything specific to the micro usb for this device that would prevent a more generic part from being used?

UART on the Note 10.1?

Hey fellow developers,
I'm currently trying to get UART working on the Note 10.1 but I'm only partly successful. I found this thread which describes the UART setup for the Galaxy tab which also uses a 30pin connector. So I took one of my cables that were broken, took it apart and soldered it the way it was described.
Now when I power up the tablet, I get Samsung S-Boot output but when the normal kernel takes over there is nothing. After trying different resistance values, I couldn't find any difference in behaviour, the S-Boot output is even printed if there is no resistor hooked up at all. I tried finding code related to this but to no avail. Maybe I missed something or is it possible that the kernel doesn't actually support UART output and it's only S-Boot that prints stuff by default?
Kind Regards
Don
I'm in way over my head on this, but am on a quest with the Verizon note5. In my quest I hit on UART, and have been reading everything I can find. According to this guide you may be able to get a sboot terminal by mashing the enter key 4 times.
https://hexdetective.blogspot.com/2017/02/exploiting-android-s-boot-getting.html?m=1

Fire HD 10 11th Generation (2021) Bootloader Unlock + Root Brainstorming

Currently running: Fire OS 7.3.2.1 - Fire HD 10 (2021 - 11th gen)
I think anything is possible. I don't want to hear that Fire OS 7 is "unrootable". Nonsense!
I also don't see many threads for this generation of the device on here, which is why I opted to make this thread.
But seriously, I want to try and tackle this crazy complex puzzle. Fire Toolbox is amazing and really improves the performance of the tablet. But I just want more. Would anyone have any tips on how to start brainstorming and planning how to find any vulnerabilities within the device/software? Are there certain files on the device I have to look in? Maybe running some scripts or doing some programming? I really wanna see what I can contribute but I just have no clue where to start.
I guess it would be helpful to mention what my personal end goal with this tablet is:
Unlock bootloader
Root
Install custom roms (upgrading Android version)
Any feedback/ideas/brainstorming/thoughts of any kind would be much appreciated!
How about HD8 plus latest edition android 11 12th gen? Google Play having issues installing. Tried manually as well as fire toolbox 29.2.
Sorry to burst your bubble of illusion, but it's practically impossible. The latest unlocking methods (amonet, kamakiri) exploited bootrom to achieve arbitrary RW of the eMMC. However, as you may well know, Amazon has disabled bootrom on their newer devices (or even on the 'older' ones, with OTA updates - that's called blowing fuses -). Considering the conditions presented, the chances of unlocking the new devices are minimal if not nil.
If you really want to do some research to find something useful, find an exploit in the preloader, which is still accessible. Another thing that could be useful is a root shell (even if it is temporary). That requires you to find some exploit that fits your kernel (which is probably new, considering the Android version).
That said, don't expect this to be a piece of cake.
A temp root shell should be possible via the waiting game. We could watch the still opensource upstream android OS code for possible kernel exploits. Then just find a way to run a found exploit in a fire hd before amazon rolls a patch OTA. Fire OS is highly customized, but obviously is still android in there somewhere.
The Android platform certs got leaked somewhere and are being used to sign malware as per this issue on the chromium bug tracker: https://bugs.chromium.org/p/apvi/issues/detail?id=100
It might be possible to spoof an application's signature to be that of the android uid using whatever those certs are to gain root access. Probably just grasping at straws here though.
loocool2 said:
The Android platform certs got leaked somewhere and are being used to sign malware as per this issue on the chromium bug tracker: https://bugs.chromium.org/p/apvi/issues/detail?id=100
It might be possible to spoof an application's signature to be that of the android uid using whatever those certs are to gain root access. Probably just grasping at straws here though.
Smart idea! MediaTek is also affected.
Now only a public key-list is needed to run apps on system level.
Fire OS 8.3.1.1 gives elevated access to system apps via USB debugging; see here. Likely another Amazon mistake - too bad it's never been released on Fire HD 10.
Isn't there something about taking it apart and shorting the motherboard somewhere like the old psp battery.
Brettroth said:
Isn't there something about taking it apart and shorting the motherboard somewhere like the old psp battery.
Unlikely, I assume the motherboard got updated with the last iteration of the 11th gen Fire lineup.
I don’t know the significance of this, but I was playing around with some old equipment that I had laying around and ran across something interesting. I don’t have the time or knowledge to do anything with it however…
I plugged one of these USB-C converters into my HD 8 2020 and 2022. https://a.co/d/bRtoBPw
I then plugged in a uart cable that I had built for a different project. Which is essentially the nexus debug cable with a male USB end instead of a headphone jack. ( https://wiki.postmarketos.org/wiki/File:Nexus-debug-cable.png )
I did try the headphone jack, but there is no output from there.
Looking at the output during boot up it sure looks like uart to me, I can’t seem to get the baud right - I tried everything that minicom has without success.
Long story short, I’m pretty sure there’s uart hidden in the USB c connector on the HD 8 2020 and 2022 devices.
Update:
I think that what I was seeing was probably just garbage from the USB OTG adapter that I was using. That would explain why I couldn't get the baud rate right.
I built a cable that should have worked the same way, without using the adapter, and got nothing back from the device.
MTK devices usually don't use the ID resistor method on their debug cables, but I did try that as well with various resistances - without success.
If I could figure out what multiplexer these devices use, I might be able to get somewhere, but as it stands, I think it is a dead end. If they left UART open on the device, it could lead to a root solution - and it doesn't appear that this has been investigated.
The boards on both the 2020 and the 2022 have pads marked RXD and TXD, I tried connecting directly to these without any success, so they must be turned off. I attempted to turn UART on via fastboot, but any OEM commands I tried were locked (not surprising)
If anyone has a USB C breakout like what is used for Google debugging; it would be interesting to see if it did anything. I don't have one, and don't really need one.
If anyone has any other ideas, I am willing to use my devices for testing. The 2020 model is pretty beat up by my kids, and it won't break my heart if I kill it. I got a pretty rocking deal on the 2022 model, I'd rather not brick it, but am willing to take some risk.
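The update above attributes the unreadable output to adapter noise rather than a wrong baud rate. As an added example (not part of the thread), this sketch shows one way to tell the two apart from logic-analyzer edge timestamps: pulse widths of a real 8N1 UART stream are whole multiples of one bit period, while noise widths are not. The function names, thresholds and both sample signals are assumptions constructed for illustration.

```python
import math
import random

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def classify_capture(edge_times_s, tolerance=0.15, min_fit=0.9, min_pulses=16):
    """Return (baud, fit, plausible) for a list of edge timestamps in seconds."""
    widths = sorted(b - a for a, b in zip(edge_times_s, edge_times_s[1:]))
    if len(widths) < min_pulses:
        return (None, 0.0, False)
    # Shortest pulses approximate one bit; the 5th percentile ignores a stray glitch.
    bit_est = widths[len(widths) // 20]
    if bit_est <= 0:
        return (None, 0.0, False)
    # Snap the estimate to the nearest standard rate (compared on a log scale).
    baud = min(STANDARD_BAUDS, key=lambda b: abs(math.log(b * bit_est)))
    bit = 1.0 / baud
    in_frame = good = 0
    for w in widths:
        n = w / bit
        if n > 10.5:  # longer than start + 8 data + stop: idle line, not data
            continue
        in_frame += 1
        if round(n) >= 1 and abs(n - round(n)) <= tolerance:
            good += 1
    if in_frame < min_pulses:
        return (baud, 0.0, False)
    fit = good / in_frame
    return (baud, fit, fit >= min_fit)


def uart_edges(data, baud):
    """Constructed signal: edge times for 8N1 frames sent back to back (idle high)."""
    bit = 1.0 / baud
    levels = []
    for byte in data:
        levels += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    edges, prev = [], 1
    for i, level in enumerate(levels):
        if level != prev:
            edges.append(i * bit)
            prev = level
    return edges


def noise_edges(count, seed=7):
    """Constructed noise: edges separated by random gaps of 1 to 100 microseconds."""
    rng = random.Random(seed)
    t, edges = 0.0, []
    for _ in range(count):
        t += rng.uniform(1e-6, 100e-6)
        edges.append(t)
    return edges


SAMPLE = b"constructed boot banner\r\n" * 4  # constructed payload, not real device output

if __name__ == "__main__":
    print("uart :", classify_capture(uart_edges(SAMPLE, 115200)))
    print("noise:", classify_capture(noise_edges(400)))
```

A capture that fails the fit at every standard rate points at wiring, level shifting or crosstalk rather than at the terminal's baud setting.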
Double Update:
I couldn't accept my failure - so I decided I had to sacrifice the 2020. I tore into it - and spent an unreasonable amount of time getting to know it with my multimeter. I stuck my probe where few have probed before!
I found an area around the main chip with an interesting bit of shielding and thought to myself - you sneaky old Amazon...what are you hiding here?
I found a nice little row of 4 pins...which have a hardwire connection to the USB-C port - on pin #3, or #6 depending on which direction you count from - and ground.
I am now 100% certain that the UART to USBC connection exists. I don't own a cable that outputs that pin - and unpowered my USBC-USBA OTG adapter does not output that pin - I assume that when it is powered with the resistors there must be enough crossover somewhere to see that a signal exists, it is just too corrupted to understand by the time it hits my serial/USB adapter.
I did throw my multimeter on the visible TXD testpoint on another 2020 device, and it did show some rapidly shifting voltage up to 1.8 volts during boot - so I assume I must have damaged the other one when I was soldering my jumper to it, so it must be outputting something. Also, there are RX0 and TX0 on the back of the logic board - when I get my replacement testing board I will investigate those for anything interesting before I fry it with random components (see below).
I plan on purchasing a USBC cable with all of the pin wires, and hooking it up to see if we can get rx and tx - Maybe Console? I can't tell for sure, but it looks like the same row of pins are present on the 2022 model, so this probably translates to that device as well.
Also, of interest, there is a post here on XDA of a person who got their hands on an onyx development device. There is a small component present on that device, as well as the one in the FCC auth photos, that is conspicuously missing on our production devices - it appears that it was soldered on, and then removed (on the production devices). There is also a cable connector that has been removed - I couldn't find anything too interesting, other than some oscillating voltage up to 1.8V, so maybe another UART? This applies to the 2022 model as well.
As near as I can tell - the missing component that I am interested in, is a diode, although I can't identify what kind exactly. The pins don't ohm out to anywhere that I can tell, but the upper pin does draw down my multimeter - as if it is grounded, but the pin is not ground. The lower pin seems to be leaking just a little bit of power - up to around 1.8 volts before resetting.
Just thought vomiting here - but I wonder if this component is essential to accessing BROM and bypassing the efuses that prevent one from entering BROM via short. (Which BTW I am pretty sure I shorted every test point on the logic board; some do nothing, some return you to preloader, and some just completely prevent powerup (like CLK). I didn't find any that caused a brick that wasn't fixed by battery disconnect.)
I plan on purchasing another 2020 board to test my diode theory on. If anyone has a vulnerable 2018 HD8 and a non-vulnerable 2018 HD8 it would be interesting to see if we could find the same cluster of components on their logic boards to compare.
Part of the reason that I am so interested in the missing diode, is that this component cluster appears largely unchanged from the 2020 model to the 2022 model of the HD8, and if it does lead somewhere interesting, it would be a pretty easy hardware mod - as far as such things go.
I attached some images below with the interesting stuff circled.
Wow, any more updates to this? I don't know much about finding these kinds of exploits via hardware but this "uart" that you mention is able to possibly give root access? I'm intrigued....
nsfxpython said:
Wow, any more updates to this? I don't know much about finding these kinds of exploits via hardware but this "uart" that you mention is able to possibly give root access? I'm intrigued....
Not really - you can follow my progress over on my other thread. I am going to post an update today.
Hardware UART information
I have been playing with my 2018, 2020 and 2022 HD 8's, and made a few interesting discoveries. I had been posting in another thread, but it seems to be pretty dead, and I think this stuff is interesting enough to warrant its own thread. 1...
forum.xda-developers.com
