[DISCUSSION] T-Mobile SIM unlock - LG V20 Guides, News, & Discussion

First, please don't make the mods come in and clean this thread. Just because I am 99% convinced that it can't be done, doesn't mean that I am right.
Look at my post history concerning H918 ARB1 devices getting root. I had so many ups and downs with that. I was absolutely convinced it couldn't be done because I knew how flashing with laf worked, but then I was absolutely convinced I had it, but I was wrong, and then wash / rinse / repeat about 7 more times -- it was a total roller-coaster.
With that said, I am opening this post to describe what I know to be the process, and ideas as to how it can be circumvented, but maybe I or someone else will see something completely outside the box.
So, I decompiled the classes.dex from TMO_Simlock.apk (don't let the name fool you, it is actually to UNLOCK), and decompiled the modem firmware.
I was wrong about the fact that the modem queries their server on every boot. It reads an SFS registry key:
This is the structure of the message that is sent to the server, and what is received:
Code:
public class TrustletProtocol
implements w // single-letter type names are obfuscated names left by the decompiler
{
private static final int END_TIME_SIZE_BYTES = 4;
private static final int EXPIRY_TIME_OFFSET_BYTES = 332;
private static final int HMAC_SIZE_BYTES = 32;
private static final int IMEI_SIZE_BYTES = 16;
private static final int MAC_SIZE_BYTES = 32;
private static final int MILLS_PER_SECOND = 1000;
private static final int RESPONSE_MESSAGE_LENGTH_OFFSET = 2;
private static final int SERVER_ERROR_MESSAGE_LENGTH_OFFSET = 12;
private static final int SERVER_ERROR_MESSAGE_OFFSET = 16;
public static final String SERVER_URL = "https://unlock.t-mobile.com/unlock/unlock";
private static final int SIGNATURE_SIZE_BYTES = 256; // 256 bytes = RSA-2048 signature
private static final int SIMLOCK_SETTINGS_LENGTH_BYTES = 4;
private static final int SIMLOCK_SETTINGS_VERSION_MAJOR_OFFSET = 0;
private static final int SIMLOCK_SETTINGS_VERSION_MINOR_OFFSET = 2;
private static final int START_TIME_SIZE_BYTES = 8;
private static final String TAG = TrustletProtocol.class.getName();
private static final int UNLOCK_REQUEST_FIXME = 4;
private static final int UNLOCK_REQUEST_PARTIAL = 3;
private static final int UNLOCK_REQUEST_PERMANENT = 2;
private static final int UNLOCK_REQUEST_RESERVED = 0;
private static final int UNLOCK_REQUEST_TEMPORARY = 1;
private static final byte UNLOCK_SERVER_RESPONSE_TYPE = 40;
private static boolean mSimLockJniLoaded = false;
private n mHttp; // obfuscated HTTP helper type
private long mLockedUntil;
private boolean mRebootRequired = false;
private boolean mUseAttestation = true;
private String serverMessage;
}
The serverMessage is the key that is written to the SFS registry. For those that don't know, the SFS is a protected filesystem that runs in the TrustZone context. You can VIEW it (well, at least some (most?) of it, in /persist or /persist-lg), but if you think: "Oh, I am just going to go change that as root", watch how quick you (at best) have a broken phone, and at worst, have a brick.
While I was wrong about the modem firmware checking the unlock site on every boot, that was due to looking at the code too quickly. What actually happens is:
Unlock app submits a request -- this request is signed with an RSA cert.
Unlock gets a reply. If you are allowed to unlock, then a key (which is RSA signed) gets written to some untrusted location (haven't found it yet, but knowing where is pointless. Hell it could be written to /data).
A flag gets set instructing the modem to write this key to SFS
When you reboot your phone, the modem (which runs in the TZ so CAN write to SFS) writes the key
Your phone is now unlocked.
I only see one way to make this work -- fool the unlock server into giving you a key.
Even if we could perform a TZ attack so that we could write to SFS, we wouldn't have a SIGNED key.
Now, how do we go about fooling the unlock server into handing us a key? The unlock app has checks that prevent it from doing anything if running on a rooted phone. I don't know how, but even Magisk hide doesn't fix it. I am guessing that it checks if the bootloader is unlocked since I uninstalled Magisk and it still would not do anything (it should return an error that my phone is already unlocked).
Anyway, this can be patched out, and we can get it to run, or hell, figure out the exact message structure that is sent to the server, get a key, and then figure out where it needs to be written, and what flag needs to be set to have the modem write it to SFS (easier to just hack the app).
Something else interesting in the app:
Code:
public void onCreate(SQLiteDatabase paramSQLiteDatabase)
{
s.a(b, "Crating database for provider: create table history(_id integer primary key autoincrement, action text not null, status integer, stamp integer, until integer, result text not null);");
paramSQLiteDatabase.execSQL("create table history(_id integer primary key autoincrement, action text not null, status integer, stamp integer, until integer, result text not null);");
}
It creates a SQLite database with a single table called 'history'. It looks like this keeps a log of attempts to SIM unlock and the status, and if it is a temp unlock, the time stamp.
I am fairly certain this is useless, just found it interesting. Even with a temp unlock, there must be a key in SFS.
Ideas folks? Before someone says: "Intercept the traffic and make our own key" I will refer you back to the fact that it is RSA signed and we don't have the cert.
-- Brian
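The flow described in the post above (server hands back an RSA-signed key, the modem verifies it before treating the phone as unlocked), modelled in Python as an added example. This is not code from the thread, from TMO_Simlock.apk, or from the modem firmware. It assumes: a toy 1024-bit RSA key generated locally in place of the carrier's key (the app's SIGNATURE_SIZE_BYTES = 256 implies RSA-2048), a blob layout assembled from the size constants in TrustletProtocol (the real layout is not visible on the page), textbook raw-hash RSA instead of PKCS#1 padding, and a constructed IMEI. It shows the point the poster makes: with only the public key you can verify a blob, or edit its expiry, but you cannot produce one the verifier accepts.

```python
"""Model of a signed SIM-unlock blob (added example, not the app's code).

Assumptions are marked in comments. The carrier's real key, blob layout and
padding scheme are not on the page; this only demonstrates the trust
relationship: verify needs (n, e), sign needs d.
"""
import hashlib
import random
import struct

# Request types as decompiled from TrustletProtocol (values from the thread).
UNLOCK_REQUEST_TEMPORARY = 1
UNLOCK_REQUEST_PERMANENT = 2

_E = 65537


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (enough for a toy key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def gen_keypair(bits=1024, seed=7):
    """Toy RSA keypair standing in for the carrier's signing key (assumption:
    1024-bit, seeded for reproducibility; a real key comes from a CSPRNG and
    the private half never leaves the carrier's HSM)."""
    rng = random.Random(seed)
    while True:
        p = _gen_prime(bits // 2, rng)
        q = _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % _E != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(_E, -1, phi)
    return (n, _E), (n, d)


# Assumed blob layout built from the size constants seen in TrustletProtocol:
#   version major (2) | version minor (2) | request type (1) |
#   IMEI (16, NUL padded) | start time ms (8) | end time s (4) | signature
_HEADER = struct.Struct(">HHB16sQI")


def build_payload(imei, request_type, start_ms, end_s):
    """The unsigned part of the blob."""
    if len(imei) > 16:
        raise ValueError("IMEI field is 16 bytes")
    return _HEADER.pack(1, 0, request_type, imei.encode().ljust(16, b"\0"), start_ms, end_s)


def _sig_len(n):
    return (n.bit_length() + 7) // 8


def sign_blob(payload, priv):
    """Server side: SHA-256 then textbook RSA (real deployments use PKCS#1
    v1.5 or PSS padding; raw-hash RSA is an assumption to keep this short)."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return payload + pow(h, d, n).to_bytes(_sig_len(n), "big")


def verify_blob(blob, pub):
    """Modem side: needs only (n, e). Anyone holding the public cert can run
    this; only the holder of d can make it return True for a new payload."""
    n, e = pub
    sig_len = _sig_len(n)
    if len(blob) < _HEADER.size + sig_len:
        return False
    payload, sig = blob[:-sig_len], int.from_bytes(blob[-sig_len:], "big")
    if sig >= n:
        return False
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(sig, e, n) == h


def is_unlocked(blob, pub, now_s):
    """What a verifier would conclude at boot: the signature must check, and a
    temporary unlock must not have passed its end time."""
    if not verify_blob(blob, pub):
        return False
    _, _, rtype, _, _, end_s = _HEADER.unpack(blob[:_HEADER.size])
    if rtype == UNLOCK_REQUEST_PERMANENT:
        return True
    return rtype == UNLOCK_REQUEST_TEMPORARY and now_s < end_s


def tamper_expiry(blob, new_end_s):
    """Overwrite the end time of an already signed blob without re-signing:
    what someone with write access to the blob but no private key can do."""
    off = _HEADER.size - 4
    return blob[:off] + struct.pack(">I", new_end_s) + blob[_HEADER.size:]


if __name__ == "__main__":
    pub, priv = gen_keypair()
    # Constructed IMEI, not a real device.
    temp = sign_blob(build_payload("123456789012345", UNLOCK_REQUEST_TEMPORARY,
                                   1_600_000_000_000, 1_600_086_400), priv)
    print("temporary, inside window:", is_unlocked(temp, pub, 1_600_000_100))
    print("temporary, expired      :", is_unlocked(temp, pub, 1_600_100_000))
    print("expiry edited, no d     :", is_unlocked(tamper_expiry(temp, 2_000_000_000), pub, 1_600_100_000))
```

The last line of the demo is the poster's argument in one call: extending the expiry changes the hash, the old signature no longer matches, and without d there is no way to produce a new one. Swapping in a different public key (a custom ROM without the stock cert) makes every blob fail the same way, which is one reading of the Lineage report later in the thread.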

I was actually just messing with this the other day on my H918. You mentioned that the SIM Unlock app checks for an unlocked bootloader, but that's not what I found in my experience - I couldn't unlock my device when I flashed 10u + Magisk with TWRP, but a clean wipe and reflash of 10u without any kind of root (but still retaining bootloader unlock + TWRP on recovery partition) allowed me to unlock the device, which I confirmed with a different SIM card.
After unlocking my device, I thought it was permanent (since I selected that option in the app) so I went ahead and flashed Lineage with TWRP, which made me lose the unlock. I suppose this more speaks to the ability of Lineage to read/use the TZ, as opposed to wiping the data since presumably neither TWRP nor Lineage have access to it.
What is exactly your goal for this? Unlocking devices that don't get the thumbs-up from T-Mobile?
Great write-up as usual.

Thanks for the heads-up about reflashing 10u, but keeping your bootloader unlocked. I only did an uninstall, so I am guessing something was hanging around that was being detected. Glad I don't have to lock my bootloader to do some tests.
As for you losing the unlock when you flashed Lineage -- that is because it uses the certs that are in the stock ROM (pretty sure it is the same as what is used to verify OTA updates -- but not 100% yet). If that is the case, then you should be able to copy them over to your Lineage install, and the modem will be able to verify the signature of the key that is stored in SFS.
The first step would be to verify that the key is still IN SFS after you flash a non-stock ROM (the modem may delete it from SFS if it can't verify the signature using the public cert). You would have to flash back to stock and check to see if you are still unlocked. If so, then it is just a matter of copying over the appropriate cert to the correct location on the Lineage system image.
Yes, I want to be able to unlock phones that are eligible to be unlocked, but T-Mobile won't do it because you don't have an account with them. I bought an H910 off of eBay, and it was locked. I had verified that the IMEI was clean before buying it. All I had to do was take the phone into an AT&T store, they checked that the IMEI was clean and submitted a ticket. Two days later, I received an unlock code via email.
This is irking the crap out of me that T-Mobile won't do the same thing. It would be VERY easy for them to add the ability for their customer service reps to verify the eligibility and add the IMEI to the unlock site, but NOOOO they want you to have an account to unlock the phone -- that makes no sense. You want to unlock your phone so you can use it on ANOTHER carrier.
-- Brian

Brian, I can understand that it seems very difficult, but I want to give you the example of Microsoft Outlook linked with Company Portal. It was so damn tough to crack; every time it failed and it was also considered impossible. It also sends keys and signatures to the server to check root and other stuff, and even Magisk Hide wasn't doing anything, but it was finally cracked here on XDA and has worked fine since then. The development had somewhat stopped until I and a few others started to seek help.
One more thing, apart from root and all that jazz: let's talk some business stuff. Many times, when carriers are left with lots of phones in stock, which includes new phones, returned phones, etc., T-Mobile or other carriers don't care to unlock them and they are sold in bulk. When some phones create problems even after being network unlocked by either the carrier or the seller, T-Mobile or Verizon etc. won't entertain your concerns. See my example: the phone is checked with T-Mobile, it's clean, it is not reported lost, missing or stolen, there are no unpaid dues, but still T-Mobile is not ready to help, and calling the USA is quite expensive.
I really have seen those Octopus Box / Miracle Box unlocking flagship phones, even though I am not challenging your belief of 'it can't be unlocked'.
Why XDA should focus on carrier unlock is that we know how evil service providers can become. Also, these unlock services, when paid online, mostly run away with your money, or simply you'll have to face their attitude, and if you visit a shop to get it done, trust me, their attitude is nothing less than a crack seller's, which really, really pisses me off (please, I am not putting every phone repairer in this category).
Another reason to do more research is the huge amount asked for unlocking, sometimes $100+; prices are not at all regulated, shady business practices, AND if it reoccurs you will have to pay again.
A rare scenario: while rooting a phone, the phone's frequency is disturbed and a situation similar to a carrier lock occurs and you can't make calls, so if we can have a carrier unlock feature it will give more power to people, and that is what I think XDA is all about.
I hope the community will not be prejudiced in finding the solution.
Thank you.

Please don't quote the OP.
Sent from my LG-H910 using XDA Labs

Your issue resonates with mine. My phone, when I bought it from eBay (LG V20 H918), was working with all other SIMs, but when I downgraded it and tried to root it, it got network locked.
My problem is that the Octoplus engineer told me I have to clean flash the stock ROM (J version) again the way it should be, then root, and then try to unlock with the Octoplus suite with purchased server credit. When I tried to reflash the stock ROM I found that I don't have download mode, i.e. the stock recovery which is used by the LGUP tool to flash the stock ROM. So that's why I was roaming around from forum to forum for someone to guide me through the steps on how to extract, and what to extract, from the KDZ file to compile a stock recovery image, WHICH I assume will bring back my stock recovery, as I watched a OnePlus video in which a guy simply flashed the stock recovery image through the Flashify app and got the stock recovery back (I don't know if that will apply to the LG V20 H918).
Is there any other tool which can flash the stock ROM and bring back the stock recovery?
Could you assist me with noob-friendly steps on how you got your phone unlocked?
---------- Post added at 02:48 PM ---------- Previous post was at 02:38 PM ----------
cnjax said:
Please don't quote the OP
Sent from my LG-H910 using XDA Labs
Sorry Doc. Noob doing noob things.

Well, I was in the T-Mobile store when the S5 had just come out. A guy walked in, said he would pay cash up front. Then he asked how long it takes to unlock. (He did not have a T-Mobile account; he told them he was with AT&T.) He was told 3 months.
I guess the policy changed? Or is it depending on who you talk to?
Sent from my LG-H918 using XDA Labs

The only thing that comes to mind would be to dump the message that is sent from a working phone. Performing a MITM attack is mitigated by the RSA key, so you need a way to get the message before encryption. I don't own a V20, but I'm assuming this is a system application, which means you cannot just change the APK signature, and even if you could, the signature could be used in checks before it sends data to the server. What I would want to do is check the RSA: see if it changes with every attempt or device, or if it is static (if reused, it could be used to decode other messages). The other thing to possibly check is whether the device has been patched for the Janus vulnerability (CVE-2017-13156). This way maybe you can install a modded APK on an unrooted phone to dump the message to logcat before RSA, then compare this to your own messages.
Possible PoC
https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156

Hi Brian, I have searched the length and breadth of the forum and I hope that this can be done, but the info is scattered too much. Some members mentioned, and you were also part of recent discussions, that such things also occur while rooting. This is what happened with me. Meanwhile I got in touch with my seller and he told me that it was unlocked; there is no lie in it, as I was able to make calls. As the phone came with the P or Q update, as per the forum I had to downgrade so it could be rooted. While rooting I observed I had lost the ability to make calls and got network locked; the rest of the story I have narrated, how I took it to a shop and all that jazz.
Now what I am really focusing on, at least, is that I can flash stock in the absence of download mode, and dammit, I can't find it. Here I urge the community to make it only a bit more lucid on how to perform this so I can further do the steps; it will be helpful for all, as this can happen to anyone.
Furthermore, apart from this topic, I am going to file a chargeback with PayPal for Octopus, as they didn't help me at all even after charging $30. The support really sucks, AND AND AND they explicitly wrote in chat that they don't provide services for LG products, whereas their software suite had my model; their sales rep in chat suggested that product (software suite here with $30 server credit).
Trust me, this whole rooting and network unlock thing will very soon become a "DIY ONLY" thing, as manufacturers will make phones so hard to root and unlock that any professional will ask for money equal to the phone, and it is happening: I have heard stories that tech support asked for $100+.
Hope I am making sense here.
Waiting for senior member to involve/intervene and guide.
Thanks.

I know someone in Shenzhen, China who can now easily SIM-unlock T-Mobile LG phones or T-Mobile Samsung phones.
First, they read the device ID,
and then they use IMEI + HWID to calculate the freeze code and net lock code.
It is SHA-256 + AES.
I just do not know where they write the code onto a T-Mobile LG phone.

asialove2013 said:
I know someone in Shenzhen, China who can now easily SIM-unlock T-Mobile LG phones or T-Mobile Samsung phones.
First, they read the device ID,
and then they use IMEI + HWID to calculate the freeze code and net lock code.
It is SHA-256 + AES.
I just do not know where they write the code onto a T-Mobile LG phone.
See, I told you that it happens; it's just that we guys at XDA are not able to recreate it. While I am trying what I can, I can just see the EMI on my credit card statement every month for this phone; your answer at least is convincing.
Thanks.

Dear members, will this issue be researched further? Plenty of evidence on XDA proves that the device can be SIM unlocked / country unlocked; even a member confirmed that someone in China does that. Humble request to all senior members to give it a try without prejudice.
Thank you.
---------- Post added at 01:02 PM ---------- Previous post was at 12:59 PM ----------
Hi, could you PM me his phone number? I'll try to see if something could materialise.

If someone can give me a site that they have PERSONALLY used to unlock their phone, I will get a locked H918 and pay to have it unlocked so I can see the procedure.
I have yet to hear from ONE person that *directly* had their phone unlocked by a service. Everyone that I have heard from has heard a story, or saw a post about a guy that said they had their phone unlocked. Yada, Yada, Yada.
-- Brian

runningnak3d said:
If someone can give me a site that they have PERSONALLY used to unlock their phone, I will get a locked H918 and pay to have it unlocked so I can see the procedure.
I have yet to hear from ONE person that *directly* had their phone unlocked by a service. Everyone that I have heard from has heard a story, or saw a post about a guy that said they had their phone unlocked. Yada, Yada, Yada.
-- Brian
Bada Bing I know a guy
Sent from my LG-H910 using XDA Labs

Update:
As I mentioned in a post, I paid Octoplus $20 for the software suite; it was supposed to do the job, which it didn't. Then I was advised to Skype their support; they were lazy in replying and eventually said that they don't provide services for LG products, so I contacted PayPal and I got the refund (thank you, PayPal).
Another update.
As I thought that I have rooted lots of devices and have seen phones getting carrier unlocked, I figured I would do it myself and didn't bug the seller a lot. I talked to the seller, called him 3 times; he called back and said "you should have called me about the issue". He said send me the phone, I'll get it unlocked, give me some time. He was polite and humble, unlike the shop owner who had the attitude of a crack peddler.
I'll keep you guys updated, no ego thing from my side. If it is fixed I'll get the details here. I know the dents and scratches of my phone, and I have the serial number and IMEI number photographed, so if they fixed the phone or changed the phone I'll update everything here. Even if I end up looking like a jackass because of this, I'll update; this will be community help and awareness from my side. My mistakes can prevent others from making the same ones.
---------- Post added at 03:37 PM ---------- Previous post was at 03:29 PM ----------
cnjax said:
Bada Bing I know a guy
Sent from my LG-H910 using XDA Labs
Do you really know someone, or was it sarcasm? Bad English, I didn't get your comment well.

@Stallio Thanks for the update. @cnjax was being sarcastic
I am really curious what ends up happening here. Again, not to be a pessimist, but the T-Mobile SIM unlock is unlike ANY other model. They use a file that is signed with a 2048-bit RSA key, just like the bootloader unlock.bin that you get from LG if you have a US996. Now, they may have found a security hole in the modem -- the LG V30 abl had (has?) a massive security hole concerning unlock.bin. You can flash basically anything and it will unlock the bootloader.
So, I am not completely ruling this out, but again, it has to take advantage of some security exploit. It could be an exploit on the unlock server itself, and they fool it into giving a valid unlock file.
Please keep us updated.
EDIT: Someone PMed me a site that claims to be able to SIM unlock the H918 remotely. So, I am going to buy the service, and sniff the network and USB traffic. If it actually SIM unlocks, then I will have all the data I need to implement it.
-- Brian

hello again
Visit lgbbs.com; the website owner said he can unlock T-Mobile LG phones.

@runningnak3d @asialove2013 it's getting really interesting now, waiting to see what comes out after the USB and network sniff.

OK, so I was sent yet another site that didn't require the unlock to be done remotely. You install an app with your SIM card out, and put the code they send into their app. It does some magic, and voilà, it did SIM unlock the phone.
So, I have network dumps that I have to go through, and I have a full dump of my phone before and immediately after unlocking.
This is definitely not at the top of my priority list, but since it CAN be done, I CAN replicate it. It is my guess just by a quick glance at this packet capture that the "code" that they give has nothing to do with the unlock procedure except as a "you paid for the service, here is your code" to prevent you from sharing the service with others.
They also compiled the APK in debug mode, so it isn't exactly going to be hard to read...
-- Brian

runningnak3d said:
OK, so I was sent yet another site that didn't require the unlock to be done remotely. You install an app with your SIM card out, and put the code they send into their app. It does some magic, and voilà, it did SIM unlock the phone.
You see how it was possible! No need to use the TMO app.
runningnak3d said:
While I was wrong about the modem firmware checking the unlock site on every boot, that was due to looking at the code too quickly. What actually happens is:
Unlock app submits a request -- this request is signed with an RSA cert.
Unlock gets a reply. If you are allowed to unlock, then a key (which is RSA signed) gets written to some untrusted location (haven't found it yet, but knowing where is pointless. Hell it could be written to /data).
A flag gets set instructing the modem to write this key to SFS
When you reboot your phone, the modem (which runs in the TZ so CAN write to SFS) writes the key
Your phone is now unlocked.
I only see one way to make this work -- fool the unlock server into giving you a key.
Even if we could perform a TZ attack so that we could write to SFS, we wouldn't have a SIGNED key.
I agree with you on this! The key is signed on their side, no way to get around this.

Related

[Q] How to retrieve image from sql server into window phone?

I got the error "ArgumentNullException was unhandled" when running my code.
Code:
using System;
using System.IO;
using System.Windows.Data;
using System.Windows.Media.Imaging;
using Microsoft.Phone;

public class ImageConverter : IValueConverter
{
    public object Convert(object value, Type targetType, object parameter, System.Globalization.CultureInfo culture)
    {
        byte[] buffer = value as byte[]; // null when value is null or is not a byte[]
        Stream memStream = new MemoryStream(buffer); // <-- the line the poster marked in bold: ArgumentNullException is thrown here
        WriteableBitmap wbimg = PictureDecoder.DecodeJpeg(memStream);
        return wbimg;
    }

    public object ConvertBack(object value, Type targetType, object parameter, System.Globalization.CultureInfo culture)
    {
        return null;
    }
}
The bold line is where the error occurs.
Any solution to this error, or any other suggestion for how to retrieve an image into Windows Phone? Thank you.
Well...
Well, I guess you enter your method with value as null. Your code snippet of course does not show just why value might be null.
Pardon me this innocent question: Why don't you just take the whole thing into the debugger and watch what happens?
Either value is null, or value is not a byte[].
It would be better to just cast it to byte[] instead. That way you would get a different error if it's not a byte[], than if it's null. This would be of some diagnostic value but as another poster mentioned your best bet is to run this in a debugger to see what's going on.
save the image name in database,
Sorry, may I know how to test it in debugger mode? Thank you.
Too early?
hueikar said:
Sorry, may I know how to test it in debugger mode? Thank you.
I don't want to offend you, and of course you are free to do whatever you like, but I think it's too early for you to build a full and maybe complicated WP7 app. Do you know the saying "First you have to learn to crawl before you can try to walk"? I think you should learn the fundamentals of using Visual Studio and programming for WP7 from some nice book or online tutorial first.
Even working with complete code samples, as you seem to try, does not help, if you ask me. At least it always was like that when I tried it myself: If in the past I tried to get some code samples to work that I did not understand myself, the first trivial problem already stopped me dead in my tracks. I only had success after my knowledge had progressed to a point where I could read and understand the samples.
Sorry. Yes. I admit that I was too rushed to do a WP7 app. This is my first time doing a Windows Phone app, and also my first time with the C# language. But I've kind of run out of time for learning. My first mistake was choosing the wrong title, a Windows Phone app, for my final year project. Luckily, so far I've managed to do the CRUD for the app, but this is the most difficult problem I am facing now.
Well, in answer to your question, Visual Studio has a Debug button. Select whether you want to debug on the emulator or on your phone (the latter requires that the phone be connected to the PC and Zune be running) and give it a try. If you want to use the media library while debugging, you'll need to use the WPConnect program (it's part of the dev tools, I believe) which allows you to close Zune after you establish the connection, thus unlocking the media library on the phone.

Any working 4G toggles yet?

I gotta say I'm a bit surprised by the lack of ambition to get a working 4G toggle. Every phone I've had, there has always been a demand to get a working 4G toggle. Has anyone heard anything about this? Luckily this phone gets good battery life, so it's not that big of a deal, but it'd be nice to have for those times when you're trying to really save battery.
I know of the app Phone Info, but it's gotten a lot of negative views around here about losing data with it, so I've avoided it since.
rehpyc has been working on one. I've sent him some info that I discovered trying to find the right system call to switch between 3g and 4g.
Rather than simply be disappointed, would you like to help?
Sent from my SCH-I535 using xda premium
I'm trying to find where the settings (which can be accessed in the phone info -> Device Information area) are stored.
-Using dex2jar and jdgui, I decompiled the phone info app into java source (.java) files. It's a really small app that just calls the "TestingSettings" functionality of the SecSettings.apk
-We can access the "TestingSettings" by simply running "am start com.android.settings/.TestingSettings" in terminal. It essentially does the exact same thing as launching the Phone Info app.
-Using dex2jar and jdgui, I decompiled the SecSettings.apk into java source (.java) files. Digging through the files, I found the RadioInfo class. This class contains a String array mPreferredNetworkLabels which lists all the settings in the spinner where we choose the network type (CDMA Auto (PRL), LTE/CDMA/EvDo, etc). This class seems to provide functionality for listening to GUI changes on the "PreferredNetworkType" spinner. Not exactly sure what it does from there, but hopefully it can be traced down to some methods that either store the settings into a file or to a SQLite database.
In dex2jar -> JD gui for SecSettings.apk, Radioinfo class has
public RadioInfo()
{
    // Labels for the "Preferred network type" spinner. The index of each label
    // is the value handed to setPreferredNetworkType() below.
    this.mPreferredNetworkLabels = new String[] {
        "WCDMA preferred",     // 0
        "GSM only",            // 1
        "WCDMA only",          // 2
        "GSM auto (PRL)",      // 3
        "CDMA auto (PRL)",     // 4
        "CDMA only",           // 5
        "EvDo only",           // 6
        "GSM/CDMA auto (PRL)", // 7
        "LTE/CDMA/EvDo",       // 8
        "LTE/GSM/WCDMA",       // 9
        "Global",              // 10
        "LTE only",            // 11
        "LTE/WCDMA",           // 12
        "Unknown"              // 13
    };
}
RadioInfo.java sets the network type in the following code (lines 297-309):
// Fires when the user picks an entry in the "Preferred network type" spinner
AdapterView.OnItemSelectedListener mPreferredNetworkHandler = new AdapterView.OnItemSelectedListener()
{
    public void onItemSelected(AdapterView paramAnonymousAdapterView, View paramAnonymousView, int paramAnonymousInt, long paramAnonymousLong)
    {
        // Reply message (what = 1001) that mHandler receives once the request completes
        Message localMessage = RadioInfo.this.mHandler.obtainMessage(1001);
        // Only indices 0..12 are sent; the last label ("Unknown") is never passed to the modem
        if ((paramAnonymousInt >= 0) && (paramAnonymousInt <= -2 + RadioInfo.this.mPreferredNetworkLabels.length))
            RadioInfo.this.phone.setPreferredNetworkType(paramAnonymousInt, localMessage);
    }
    public void onNothingSelected(AdapterView paramAnonymousAdapterView)
    {
    }
};
The key line is line 303:
RadioInfo.this.phone.setPreferredNetworkType(paramAnonymousInt, localMessage);
Some info about the setPreferredNetworkType() method:
void setPreferredNetworkType(int networkType, Message response);
Requests to set the preferred network type for searching and registering (CS/PS domain, RAT, and operation mode)
Parameters:
networkType one of NT_*_TYPE
response is callback message
The phone data member is a private data member set to null on line 422:
private Phone phone = null;
The phone data member is set to the Default Phone on RadioInfo object creation (onCreate) in line 916:
this.phone = PhoneFactory.getDefaultPhone();
Based on the above information, I believe we would need to create a toggle which would execute a small java program to access the setPreferredNetworkType() method from a Phone object instantiated from the PhoneFactory.getDefaultPhone() method. I believe Phone resides in com.android.internal.telephony, but in order to gain access to the internal android stuff we would need to do something like the following article provides:
https://devmaze.wordpress.com/2011/01/18/using-com-android-internal-part-1-introduction/
That's all the time I have for the moment...
Great info! Unfortunately I have no idea how that stuff works. I praise the devs who do this work and members like you who work on it. I wish I could.
Sorry if I came off as demanding of wanting a toggle, I'm just surprised I haven't heard more about it. But good to know it's being worked on. I'd definitely be willing to help test when something is cooked up though
tu3218 said:
Great info! Unfortunately I have no idea how that stuff works. I praise the devs who do this work and members like you who work on it. I wish I could.
Sorry if I came off as demanding of wanting a toggle, I'm just surprised I haven't heard more about it. But good to know it's being worked on. I'd definitely be willing to help test when something is cooked up though
Unfortunately I'm short on time these days, but I wanted to get the info out there so someone might be able to use it. I really do think we're close, but I'm more of a hacker/modder than an Android dev. Someone comfortable with development on Android might be able to speed this up significantly.
Sent from my SCH-I535 using xda premium

[APP][4.1+][v0.91 - 20141220] Easy Token - OSS SecurID token with lock screen widgets

Highlights
Convenient lock screen and home screen widgets provide instant tokencodes without navigating to an app.
Optionally save your PIN.
Supports SDTID files, importing http://127.0.0.1/... tokens from email, and QR tokens.
100% open source (GPLv2+)
Requirements
A token seed file from your system administrator
JB 4.1+
Downloads
Binaries are attached to this post and available from Google Play.
Source code: https://github.com/cernekee/EasyToken
Changelog
Code:
v0.91 - 2014/12/20
- Use more specific MIME type matches so that Easy Token associations don't
show up in Contacts.
- Update libstoken to v0.81 and switch from tomcrypt to nettle. Most of
the changes in v0.8/v0.81 won't matter on Android, but it is now possible
to import hard token seed files if desired.
Older changelogs:
Code:
v0.90 - 2014/07/26
- Rework handling of bound device IDs during token import. Try to guess
it based on the current (unique) device ID and all known class GUIDs.
Allow the user to override it, in case of a collision.
- Limit import string to 64kB to avoid OutOfMemoryError crashes on invalid
tokens.
v0.81 - 2014/07/06
- Fix bug in lock screen widget where it would "bounce" between the tokencode
display and the clock display for no apparent reason
- Show the "confirm import" screen unconditionally, so there is a clear
indication that email import succeeded
v0.80 - 2014/07/05
- Initial public release
XDA:DevDB Information
Easy Token, App for all devices (see above for details)
Contributors
cernekee
Source Code: https://github.com/cernekee/EasyToken
Version Information
Status: Beta
Created 2014-07-05
Last Updated 2014-12-21
Attaching a couple of randomly generated tokens, in case it is necessary to test Easy Token without a real seed file. These were created with:
Code:
qrencode -l H `stoken export --random --android` -o v2.png
qrencode -l H `stoken export --file pinless.sdtid --v3` -o v3.png
stoken export --random --sdtid > token.sdtid
The rightmost (denser, v3) QR code is a 6-digit PINless token. You may need to zoom in to scan it.
Verrr niice..
Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?
phigan said:
Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?
It isn't currently used, but future uses could include:
Internet token provisioning via CTKIP
NTP clock sync, so that if multiple devices use the same seed, they all read back the same tokencode at the same time
Better problem reporting; currently ACRA is set up to use email but there are some limitations associated with that approach. All problem reporting in this app is user-initiated.
Reported via email as well, but here's the problem I'm having:
Trying to import a token given via an http://127.0.0.1/... URL in an email:
USER_COMMENT=importing new key via (http link omitted, because xda forums don't like it) failed, with chrome saying "connection refused"
ANDROID_VERSION=4.4.4
APP_VERSION_NAME=0.90
BRAND=oneplus
PHONE_MODEL=A0001
CUSTOM_DATA=
STACK_TRACE=java.lang.Exception: Report requested by developer
at org.acra.ErrorReporter.handleException(ErrorReporter.java:626)
at org.acra.ErrorReporter.handleException(ErrorReporter.java:583)
at app.easytoken.MainActivity.sendProblemReport(MainActivity.java:121)
at app.easytoken.MainActivity.onOptionsItemSelected(MainActivity.java:139)
at android.app.Activity.onMenuItemSelected(Activity.java:2600)
at com.android.internal.policy.impl.PhoneWindow.onMenuItemSelected(PhoneWindow.java:1065)
at com.android.internal.view.menu.MenuBuilder.dispatchMenuItemSelected(MenuBuilder.java:741)
at com.android.internal.view.menu.MenuItemImpl.invoke(MenuItemImpl.java:152)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:884)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:874)
at com.android.internal.view.menu.MenuPopupHelper.onItemClick(MenuPopupHelper.java:177)
at android.widget.AdapterView.performItemClick(AdapterView.java:298)
at android.widget.AbsListView.performItemClick(AbsListView.java:1113)
at android.widget.AbsListView$PerformClick.run(AbsListView.java:2911)
at android.widget.AbsListView$3.run(AbsListView.java:3645)
at android.os.Handler.handleCallback(Handler.java:733)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:136)
at android.app.ActivityThread.main(ActivityThread.java:5146)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:515)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:796)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:612)
at dalvik.system.NativeStart.main(Native Method)
Screenshot of Chrome attached.
gehrehmee said:
Trying to import a token given via an http://127.0.0.1/... URL in an email:
Screenshot of Chrome attached.
When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).
If this doesn't happen, you may need to clear the default association for Chrome.
If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.
cernekee said:
When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).
If this doesn't happen, you may need to clear the default association for Chrome.
If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.
Interesting:
I installed the official app as well as EasyToken now, and I do get the "choose application" dialog -- but EasyToken isn't in the list.
I copied the URL into the "manual" entry, and it didn't un-grey the "Next" button.
The URL is in the form:
http://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService
gehrehmee said:
The URL is in the form:
http://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService
Unfortunately CTKIP is not currently supported. CTKIP URLs do not actually contain the token seed. Instead, they direct the client to handshake with a remote server to securely exchange information. I have not figured out how to implement this scheme yet.
Easy Token normally expects a URL that uses the "compressed token format" (ctf), such as:
Code:
http://127.0.0.1/securid/ctf?ctfData=219561515777421437245254320241301611451327661056547012064173126400766246671676001
The ctf string is entirely self-contained (it doesn't need to talk to a remote server).
Change Device ID
Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.
pfcrow said:
Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.
If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.
Are you getting an error instead?
cernekee said:
If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.
Are you getting an error instead?
That's awesome! Thanks. I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.
pfcrow said:
I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.
That's correct - it is stored in a different format, and obfuscated.
I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?
cernekee said:
That's correct - it is stored in a different format, and obfuscated.
I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?
A lot - my employer will only issue tokens in CTKIP format, and if I can't copy the RSA app's token out I'm stuck with the default app. And what's worse, I'm stuck with using it on just that one phone - this is the whole reason I found your app in the first place, because I have 2 phones and want to clone the token onto both.
If you figure out a way to read the token from the RSA app, I'd happily PayPal you $20 for the effort
Edit: Even better would be an app to extract the RSA token from a Titanium backup.
I am using this on Android and it works great. Today I tried to install this to Chrome using ARC. It worked. I was able to import tokens and all seemed well, except the tokens are generating the wrong numbers. They should match the Android device but they do not. I verified the serial # and dates are the same, but the digits after the same PIN numbers are entered are different. I realize ARC is new but figured I'd give it a go.
cernekee said:
That's correct - it is stored in a different format, and obfuscated.
I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?
Was this solved?
I'd love to get more info and give it a go!
It seems a fun challenge. :cyclops:
I gotta tell you - I love this app. I can easily move my token from phone to phone without getting a new token from my sysadmins. That is huge! I wish you also had a Mac OS X app
Tasker/KLWP
This app is brilliant - so much better than RSA's!
But could you tell me is it possible to get a code from Easy Token into KLWP or Tasker? Using intents?
Cheers!
Great work, loving it !
The token in the official Android app is stored in a sqlite database. If your phone is rooted, it's easy to copy it out and dump the database. You can probably dump it out of any backup program. The problem is that the critical fields are obfuscated. They appear to be 256-bit numbers in hex, and I don't know how they translate into the fields used by stoken (the token program that powers the app we're discussing here).
A dump of the table shows:
Code:
CREATE TABLE tokens (
SERIALNUMBER text primary key not null,
NICKNAME text not null,
EXPIRATIONDATE text not null,
PINTYPE integer not null,
PRNPERIOD integer not null,
PRNLENGTH integer not null,
ROOTSEED blob not null,
OTPMODE integer not null,
DEVICEBINDINGDATA text not null,
ALGORITHM integer not null,
BIRTHDATE integer not null,
MAXTXCOUNT integer not null,
SIGNATURECOUNT integer not null,
LASTTXTIME integer not null,
TOKENHASH blob not null);
The ROOTSEED and TOKENHASH fields are both 64-character (256-bit) hex codes. I think everything else is either zero or reasonably obvious.
My two thoughts are to either make sense of all this data to create a converter, or to investigate the Windows token storage format (which might use the same fields) and see if the official token converter can extract it.
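As an added example (not code from this thread or from the Easy Token project), the script below opens a copy of that SQLite database, dumps each row of the tokens table with the blob columns normalised to hex, and reports the bit width of ROOTSEED so the 256-bit observation above can be checked on any dump. The CREATE TABLE statement is the one from the post; the sample row is constructed placeholder data, not a real seed; and the read-only path handling and the possibility that the app stores the blobs as ASCII hex rather than raw bytes are assumptions.

```python
import sqlite3
from typing import Dict, List

# CREATE TABLE statement copied from the dump in the post above.
TOKENS_SCHEMA = """
CREATE TABLE tokens (
SERIALNUMBER text primary key not null,
NICKNAME text not null,
EXPIRATIONDATE text not null,
PINTYPE integer not null,
PRNPERIOD integer not null,
PRNLENGTH integer not null,
ROOTSEED blob not null,
OTPMODE integer not null,
DEVICEBINDINGDATA text not null,
ALGORITHM integer not null,
BIRTHDATE integer not null,
MAXTXCOUNT integer not null,
SIGNATURECOUNT integer not null,
LASTTXTIME integer not null,
TOKENHASH blob not null);
"""

BLOB_COLUMNS = ("ROOTSEED", "TOKENHASH")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def to_hex(value) -> str:
    """Normalise a blob column to lowercase hex.

    Assumption: the app may store the 256-bit values either as 32 raw bytes or as
    64 ASCII hex characters; both forms map to the same 64-character string here.
    """
    raw = value.encode() if isinstance(value, str) else bytes(value)
    text = raw.decode("ascii", errors="ignore")
    if text and len(text) == len(raw) and set(text) <= HEX_DIGITS:
        return text.lower()
    return raw.hex()


def dump_tokens(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Every row of the tokens table as a dict, plus the bit width of ROOTSEED."""
    conn.row_factory = sqlite3.Row
    rows = []
    for row in conn.execute("SELECT * FROM tokens ORDER BY SERIALNUMBER"):
        rec = dict(row)
        for col in BLOB_COLUMNS:
            rec[col] = to_hex(rec[col])
        rec["ROOTSEED_BITS"] = len(rec["ROOTSEED"]) * 4  # 4 bits per hex digit
        rows.append(rec)
    return rows


def open_db(path: str) -> sqlite3.Connection:
    """Open a copied database read-only so the dump can never modify the original."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not a real token: one row with placeholder 32-byte blobs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TOKENS_SCHEMA)
    conn.execute(
        "INSERT INTO tokens VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
        ("000123456789", "work", "2030-12-31", 1, 60, 6,
         bytes(range(32)), 0, "", 1, 0, 0, 0, 0, b"\x00" * 32))
    return conn


if __name__ == "__main__":
    for rec in dump_tokens(make_sample_db()):
        for key, val in rec.items():
            print(f"{key:18} {val}")
```

Against a real copy, pull the database off a rooted phone (or out of a Titanium backup) and call `dump_tokens(open_db("tokens.db"))`; the read-only URI keeps the tool from touching the file it was given. Nothing here turns ROOTSEED into a stoken seed, which is exactly the open problem the post describes.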
Are there any results with CT-KIP? Or any workaround?

[INFO] How digital signatures work

I remember that when I used to frequent these forums a year or two ago, there were often times when people would ask why we couldn't use the signing key to get bootloaders or devices to accept arbitrary code. Presumably, the more experienced here understand digital signatures, but maybe not the specific math behind them. This is intended to be a short informational guide on how these work.
Symmetric-key cryptography
The most ubiquitous form of encryption uses a key that is the same for encryption and decryption. This has existed since cryptography first became a thing. Historically, the plebeians of a given polity were illiterate; only a small portion of society was capable of reading and writing. This is how the Roman Catholic Church held something of a monopoly on the Bible (which was written in Latin, by the way) until the printing press led to increased literacy.
Everyone who knows a particular key can encrypt and decrypt messages equally, so keeping the key secret takes a tedious amount of care (hence "secret key cryptography"). If a secret key is ever put in hardware, it must be stored so that any attempt to probe for it destroys it at the same time. The first iPhone, which lacked hardware-based verification of the bootloader, encrypted the first stage bootloader instead. Without the correct key, any code you placed there would decrypt to gibberish (it could presumably still run, because encryption alone offers no authentication or integrity protection, but the odds of that gibberish doing anything useful were slim). With a MAC algorithm, a tag could be attached for verification purposes, but this would still require having the key burned into the mask ROM, and since the key that verifies a tag is the same key that creates one, anyone who extracts it from the chip can tag code of their own.
Asymmetric-key cryptography
Asymmetric cryptography emerged in the 1970s with the Diffie-Hellman protocol (admittedly not a cryptosystem but a key agreement protocol) and RSA. RSA is the most widely used public key cryptosystem, but there are others. Most rest on the difficulty of integer factorization or discrete logarithms (e.g., Paillier, Rabin, ElGamal, ECC, DSA), but there are more exotic ones based on lattices (NTRUEncrypt and NTRUSign), linear codes (McEliece), polynomials (HFE and multivariate cryptography), and hashes (Lamport signatures). There is a public key and a private key (in some systems it does not matter which is which). Cryptographic operations with the public key are one way: you can encrypt a message using my public key, but I am the only one who can decrypt it, since I generated the key pair.
RSA, the most popular, relies on the fact that raising a number to a power modulo N is easy, while undoing that operation is hard unless you know the secret factorization of N. An example:
p=41 (prime number)
q=43 (prime number)
N=p*q=1763
e=11 (public exponent)
To calculate the private exponent, I must find the number d that satisfies e*d mod ((p-1)*(q-1)) = 1. This number is called a modular multiplicative inverse, and it is easy to determine when one knows the factors of N. In this case, d=611. Let's say you want to send me m=10. The ciphertext is c = m^e mod N = 10^11 mod 1763 = 789. To recover the message, I only need to swap my public exponent for my private exponent, giving m = c^d mod N = 789^611 mod 1763 = 10.
These operations can also go the other way, allowing me to "sign" hashes of messages.
Digital signatures
Unlike encryption, signing a message goes the other way: the private key is used to create a number that can be verified with the public key. With RSA, you just do what I did above in reverse (exponentiate the hash with d, and let anyone check it with e). On devices with hardware-based or software-based verification of code, all that is needed on the device is the public key of the identity authorized to create runnable code. In a lot of cases it is burned into the mask ROM of an SoC, leaving no way to change anything without some serious molecular rearrangement. If it is in software, then all you have to do is edit the code that performs the signature check. Seeing as most companies are not stupid, however, this is often impossible, because that software is itself verified by a previous stage, with the verification chain going all the way down to the hardware level.
In the case of UEFI secure boot, the UEFI firmware (which can usually be changed) has a database of public keys that it uses to verify the "first stage" bootloader (in quotes because it's really not the first stage). I don't know if the UEFI firmware is also checked by a previous mechanism, but if it is, it's done in a way that's dissimilar to how ARM-based devices do it.
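The numbers above, carried through in code. This is an added example, not part of the original post: it takes the post's p, q and e, computes d with the extended Euclidean algorithm, reproduces the encryption of m=10, and then uses the same key pair to sign and verify a SHA-256 hash, with an HMAC tag alongside for the symmetric-key contrast from the section above. The tiny modulus, the SHA-256-reduced-mod-N "hash" and the absence of padding are toy choices for illustration only; real signatures use a 2048-bit or larger modulus and PKCS#1 v1.5 or PSS padding, and the message bytes are a constructed stand-in for a boot image.

```python
import hashlib
import hmac

# Toy parameters from the section above. Real keys use 2048-bit or larger moduli.
P, Q, E = 41, 43, 11


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Modular multiplicative inverse of a mod m (the d of the section)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m


def keygen(p: int, q: int, e: int):
    """Return ((N, e), (N, d)). d needs phi(N), which needs the factors of N."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def digest(msg: bytes, n: int) -> int:
    """SHA-256 of the message reduced into Z_N.

    Toy only: real schemes pad the hash (PKCS#1 v1.5 or PSS) instead of reducing
    it, and the modulus is far too large for a reduction to ever matter.
    """
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    """Signing is 'decryption' of the hash: only the holder of d can do it."""
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Verification is 'encryption' of the signature: anyone with (N, e) can do it."""
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


# Symmetric contrast: the MAC key that verifies is the same key that tags, so a
# boot ROM that holds it can be made to mint tags for arbitrary code.
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


if __name__ == "__main__":
    pub, priv = keygen(P, Q, E)
    print("public", pub, "private", priv)       # (1763, 11) (1763, 611)
    c = encrypt(pub, 10)
    print("c =", c, "m =", decrypt(priv, c))     # 789, 10
    image = b"aboot image v1"                    # constructed stand-in for a boot image
    sig = sign(priv, image)
    print("genuine :", verify(pub, image, sig))
    print("forged  :", verify(pub, image, (sig + 1) % pub[0]))
    print("tampered:", verify(pub, b"aboot image v2", sig))
```

The verifier only ever holds (N, e), which is why burning that pair into a mask ROM gives an attacker nothing to extract: producing a valid signature for new code needs d, and d needs the factors of N.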
Questions, comments, concerns? I'm here all day.

CobaltDebugger

Latest Version 0.5.1 (beta)
What is CobaltDebugger? An ARM processor simulator/emulator/debugger. In its current state, it reads Android bootloader files and runs them in a simulator, giving you control over which instructions execute and when. For the optimal experience, use this in conjunction with IDA Pro.
Hint: Try setting the PC Register to an interesting address found in IDA.
https://youtu.be/cwvz8Cj70Ac <- newer but still old
https://youtu.be/L5NDob2rCmI <- even older
Unzip contents
Run CobaltDebugger.exe
Load up your aboot.mbn or sbl1.mbn
If you want to display referenced strings, open your binary in IDA, go to View > Subviews > Strings, then copy and paste the contents of the strings window into a new text file, then load that text file into CobaltDebugger.
Memory file will grow to 4GB
Click "Load Binary"
Then click "Step Into" or "Run"
You can
- Set breakpoints by address: use >, and < to define break-ranges
- Alter register values, condition flags, psr modes, instruction sets (ARM and Thumb)
Memory edits are not yet implemented but will most likely come as time permits
Page Up, Page Down, Up, and Down keys can be used to navigate the memory viewer - or you can type an address and click "Go" to go there - There's a bug in here somewhere - I'll get to it
The output from the bottom right window is saved as output.xxxxxx.txt, although the file may not get flushed until you click "Unload" or close the application.
All ARM and Thumb instructions were implemented in C# by hand by me. There may be bugs here and there as this is a work in progress and beta. Not all instructions have been implemented so you may encounter a message that states such and such instruction not implemented. If you see that, let me know which instruction and I will implement it as time permits, or you can wait until the next release. I plan on continuing this project until all instructions are implemented.
Originally built with the binaries from the AT&T Samsung Galaxy Note 3 (NC2) in mind, but focus switched to the Verizon Samsung Galaxy S4 (NK1), then back to Note 3 (OC1). This should work with other similar binaries as well.
I'm hoping this will help us discover new ways to unlock bootloaders. But at the very least it's fun to watch the files run.
Change Log 0.5.1
Added image verification steps thanks to Tal Aloni
Bug fixes
More instructions implemented
Slight redesign
Change Log 0.5
Bug fixes, UI improvements, a few more instructions implemented
Now the "Next" instruction is actually the Next instruction as opposed to the most recently executed instruction, so you can see the instruction highlighted BEFORE it executes.
Change Log 0.4.1
Fixed some bugs
Implemented some more instructions
AT&T Note 3 NC2 aboot runs to completion again, although you may find some instructions I've missed if you start jumping around editing the PC value.
Change Log 0.4
Complete refactor
Verizon S4 NK1 aboot runs to completion, although you may find some instructions I've missed if you start jumping around editing the PC value.
Broke some things with the Note 3 aboot instructions
Change Log v0.3:
set default breakpoint for Verizon S4 aboot - Either it's actually *supposed* to start executing code at 0x880C7000 after an MCR and BX instruction, or I may have mis-coded something, but it seems odd, so a breakpoint is set to 0x88E0E4BC until I can figure that one out.
Output to file - C:\temp\output.HHmmss.asm - Now you can review the log after the program has run.
Subscribed. This is going to be epic.
Taking the trash out then going to have some fun hopefully with this.
Next feature to add is the ability to load and run elf files like tz and sdi
v0.2
I implemented the SP Minus Immediate instruction, which should resolve the NotImplemented exception reported by @dmt010 . I also implemented a bunch more instructions needed by the S4 aboot, although I'm still not done. I went ahead and uploaded an update anyway. This one doesn't blow up like the first version, but rather displays the missing instruction if it encounters one. To skip to a specific address and start executing code, you can modify the PC register and click Apply Edits, then step or run. Sometimes you have to do it twice for it to take, for some reason. If you want to play around with this with your own aboot.mbn or sbl1.mbn, feel free to post any Not Implemented messages here so I can add them, just make sure no one else has already posted it. Make sure you copy and paste the whole line including the instruction mnemonic and "Pattern", which will help me to identify the desired encoding.
Instruction [Thumb16,LDRB] not implemented. Pattern: [01111iiiiinnnttt]. Address: [0x88E1C470]
Cheers
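As an added example, not code from CobaltDebugger (which is C# and not published at this point), here is the bit-pattern matcher that a message like "Pattern: [01111iiiiinnnttt]" implies, in Python, plus just enough of a CPU model to execute the loads it decodes against a sparse, zero-filled memory, the same situation as the empty 0x880C7000 region described earlier in the thread. The LDRB pattern is the one from the post; the LDR (immediate) pattern, the register file and the memory model are my additions, and the memory contents are constructed test data.

```python
from typing import Dict, Optional, Tuple

# Encoding patterns in the style of the "Pattern: [...]" field of the message above:
# bit 15 is the leftmost character, fixed bits are 0/1, and each distinct letter names
# a variable field (repeated letters are consecutive bits of the same field).
THUMB16_PATTERNS = {
    "LDRB (immediate)": "01111iiiiinnnttt",  # LDRB <Rt>, [<Rn>, #imm5]    (from the post)
    "LDR (immediate)":  "01101iiiiinnnttt",  # LDR  <Rt>, [<Rn>, #imm5*4]  (assumption: T1 encoding)
}


def match_pattern(pattern: str, halfword: int) -> Optional[Dict[str, int]]:
    """Return {field letter: value} if halfword matches pattern, else None."""
    if len(pattern) != 16:
        raise ValueError("Thumb16 patterns are 16 characters long")
    fields: Dict[str, int] = {}
    for pos, ch in enumerate(pattern):
        bit = (halfword >> (15 - pos)) & 1
        if ch in "01":
            if bit != int(ch):
                return None
        else:
            fields[ch] = (fields.get(ch, 0) << 1) | bit
    return fields


def decode_thumb16(halfword: int) -> Optional[Tuple[str, Dict[str, int]]]:
    """First matching pattern wins; None is the debugger's 'not implemented' case."""
    for name, pattern in THUMB16_PATTERNS.items():
        fields = match_pattern(pattern, halfword)
        if fields is not None:
            return name, fields
    return None


class Cpu:
    """Minimal register file plus sparse little-endian byte memory.

    Unmapped addresses read as zero, which is what the thread sees at 0x880C7000
    when aboot is run in isolation: a BX into that region executes all-zero words.
    """

    def __init__(self, mem: Dict[int, int]):
        self.r = [0] * 16
        self.mem = mem

    def load8(self, addr: int) -> int:
        return self.mem.get(addr, 0) & 0xFF

    def load32(self, addr: int) -> int:
        return sum(self.load8(addr + i) << (8 * i) for i in range(4))

    def step(self, halfword: int) -> str:
        """Execute one Thumb16 halfword and return the disassembly of what ran."""
        decoded = decode_thumb16(halfword)
        if decoded is None:
            raise NotImplementedError(f"Thumb16 0x{halfword:04X} not implemented")
        name, f = decoded
        rt, rn, imm = f["t"], f["n"], f["i"]
        if name == "LDRB (immediate)":
            self.r[rt] = self.load8(self.r[rn] + imm)
            return f"LDRB R{rt}, [R{rn}, #{imm}]"
        self.r[rt] = self.load32(self.r[rn] + imm * 4)  # LDR (immediate): imm5 is scaled by 4
        return f"LDR R{rt}, [R{rn}, #{imm * 4}]"


if __name__ == "__main__":
    # Constructed memory image: one byte at 0x1011 and one little-endian word at 0x1004.
    cpu = Cpu({0x1011: 0xAB, 0x1004: 0x78, 0x1005: 0x56, 0x1006: 0x34, 0x1007: 0x12})
    cpu.r[3] = 0x1000
    print(cpu.step(0x7C59), "->", hex(cpu.r[1]))  # LDRB R1, [R3, #17] -> 0xab
    print(cpu.step(0x685A), "->", hex(cpu.r[2]))  # LDR R2, [R3, #4] -> 0x12345678
```

Adding an instruction is a matter of appending its pattern string and an execute branch, which is the same shape of work the "Pattern:" messages are asking readers to report.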
I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where it keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14, when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the S4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will re-look at the preceding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0,c1,c0, 0). MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Cobaltikus said:
I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where it keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14, when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the S4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will re-look at the preceding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0,c1,c0, 0). MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
What did I say? Glad I snagged the first post, I knew this project would take off.
It is possible that at some point I will consider sharing my source code with the public. But first I need to look into the different licensing steps I should take to make sure that if I do release it, it will remain open source and not be stolen and licensed by someone else, forcing me to take my code down, or something else that could be bad for me. I want to make sure that if I do it, I do it right. Another issue for me is that I like to copy and paste the pseudocode from ARM directly into my code, commented, so I have it for reference. I'm fairly certain I would have to take that out before releasing, so I'm not infringing on ARM's copyright policies. But it would be nice to collaborate. Possibly. Maybe.
Cobaltikus said:
... (MCR p15, 0, R0,c1,c0, 0) MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Yep. I need to re-implement MCR. I wasn't doing all that needed to be done.
v0.4
v0.4 runs Verizon S4 NK1 aboot to completion, and you can view and modify the active Instruction Set (ARM vs Thumb).
v0.5
v0.5
I got a bit side tracked. Thanks to Tal Aloni, Cobalt Debugger now shows and validates the certificate chain and image signature, which started me down the rabbit hole of potentially cracking RSA. When I come back up for air I'll post my latest changes.
I've been trying to crack that thing for months now! Haha, join the Telegram again for info and we can collaborate live. From what I understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding.
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
Can you do much with Python on Android?
What exactly does this thing do? I'm a bit confused. This is some kind of simulator so that you can see how it impacts memory during execution? But then again, if it can't access hardware, then what's the use? What does it offer over IDA Pro? I'm confused.
Not now. Still on the basics of Python. I have Python and an IDE on my PC waiting if you need me to test something.
kcarden said:
I've been trying to crack that thing for months now! Haha, join the Telegram again for info and we can collaborate live. From what I understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding.
Ah right, getting now what the use of this is. As long as stuff is not done in hardware, which it most likely won't be anyway (cause the kernel is not up lol), then this could function as a simulator to debug the bootloader. Makes sense.
XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
I've been looking a lot at recovery.img and the recovery partition, and what happens is the image is encrypted and then signed to be accepted by other software sig checks.