Related
NEW - March 2011
A method of booting custom kernels (using kexec) has been developed. Thanks Bin4ry, zdzihu, MrHassell, blagus, and all other devs who are working hard to make this stable.
The bootloader protection has been bypassed!
zdzihu said:
Bootloader is broken/bypassed!
Big bad huge font to avoid confusion =)
@Goroh_kun:
Buddy, I know you're still reading this forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.
BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.
@devs:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
@SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones
@all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...
Still busy working abroad,
Cheers,
z
Click to expand...
Click to collapse
Link to 2.1 alpha kernel (2.6.29)
http://forum.xda-developers.com/showpost.php?p=12578251&postcount=848
OLD
Important info!
http://forum.xda-developers.com/showpost.php?p=12298790&postcount=811
Link to FlashTool
http://forum.xda-developers.com/showthread.php?t=920746
Here are some posts:
MrHassell said:
Yes and yes - while rebooting and as zdzihu previously reported kexec is viable.
http://forum.xda-developers.com/showpost.php?p=8714275&postcount=407
zdzihu
override partition table using kernel command line. Tried (via kexec) and it worked.
Code:
mtdparts=msm_nand:[email protected](appslog),[email protected](cache),[email protected](system),[email protected](userdata),[email protected](loader)
Bin4ry - tawrite - http://forum.xda-developers.com/showpost.php?p=8931422&postcount=442
cat /proc/mtd
mtd0 cache
mtd1 appslog
mtd2 userdata
mtd3 system
My final post on the subject. Have better things to do now the media have landed au reviour.
Click to expand...
Click to collapse
Bin4ry's kexec kit posts
http://forum.xda-developers.com/showpost.php?p=12240639&postcount=708 - V1
http://forum.xda-developers.com/showpost.php?p=12245719&postcount=711 - V2
http://forum.xda-developers.com/showpost.php?p=12260334&postcount=724 - V3
MrHassell's V3 test log
http://forum.xda-developers.com/showpost.php?p=12261764&postcount=729
21st March 2011, onwards
Bin4ry said:
Can you try to run it on chargemon script instead of xRec?
So that we can run it at the very beginning of boot process. Maybe this is a solution!
This should work in the chargemon script:
exec /data/local/tmp/run.sh
WARNING!
JUST TRY THIS IF YOU KNOW WHAT YOU ARE DOING !
Regards
Click to expand...
Click to collapse
Androxyde said:
chargemon the safer way :
Just before recovery if then else :
if [ -e /data/local/tmp/kexec ]
then
rm -r /data/local/tmp/kexec
exec /data/local/tmp/run.sh
fi
so from the OS, touch /data/local/tmp/kexec the reboot and it will boot the kexec script and remove the kexec file so that the next boot or reboot will go fine
Click to expand...
Click to collapse
Bin4ry said:
So, 2 users with bb58 had booted fine then WLOD.
Seems the initial idea is working
Now fix the problems and all is good ?
Regards
Click to expand...
Click to collapse
DooMLoRD's test
http://forum.xda-developers.com/showpost.php?p=12266289&postcount=750
Bin4ry's edited chargemon file
http://forum.xda-developers.com/showpost.php?p=12266422&postcount=753
Comment from DooMLoRD - actually about the above file.
DooMLoRD said:
just an additional comment...
the following chargemon will work only for recovery flashed through Flashtool v0.2.8 for stock roms only
also please do not try that chargemon on CM7RC2 roms (u wont be able to get into the OS cause recovery on CM7RC2 is shifted to /system/recovery/
also the line chroot / /init will work for 2.3 roms but is not compatible with 2.2 roms... for 2.2 roms u need /system/bin/chroot / /init
Click to expand...
Click to collapse
x10b's test
x10b said:
boot.img installed >> boots normal got my radio, wifi , everything works fine...
FW : 2.1.1.A.0.16
BB : 2.1.58
test ok......
Click to expand...
Click to collapse
x10b's test video
http://forum.xda-developers.com/showpost.php?p=12287032&postcount=798
DooMLoRD's edited (universal) chargemon file
http://forum.xda-developers.com/showpost.php?p=12267053&postcount=762
Important for 'non-devs' - also look at DooMLoRD's post ahead
wolfilein said:
@all
you shouldn't flash the file with xrecovery!
you should extract it to
/data/local/tmp/
on you phone
and replace the /system/bin/chargemon with the one bin4ry has posted some posts ago
after that make it executable
with
chmod 755 /system/bin/chargemon
then create the file /data/local/tmp/kexec
with
touch /data/local/tmp/kexec
and then reboot you phone should load the new kernel
Click to expand...
Click to collapse
DooMLoRD's post in reply to above:
http://forum.xda-developers.com/showpost.php?p=12267467&postcount=766
jerpelea said:
cm7 boots with custom kernel
Click to expand...
Click to collapse
More testing:
DooMLoRD said:
test with Stock SE ROM FW: 2.1.A.0.435 | BB: 2.1.54
booted into OS but no radio, strange question mark symbol on top of battery symbol (in notification bar)... phone rebooted in few seconds couldnt get into "About Phone"... though no LED notifications of any sort... even have made a video of boot up process [it look good on handset ] will post it here in a while
EDIT:
on second attempt tried to get to "About Phone" asap... under "Kernel Version" it was "unknown"... and then the system immediately rebooted...
keep up the great work Bin4ry and all other devs...
Click to expand...
Click to collapse
DooMLoRD's bootup video
http://forum.xda-developers.com/showpost.php?p=12269301&postcount=775
Androxyde said:
I am on stock firmware A.0.16
I modded my chargemon to implement booting cust kernels from it and a gscript script shortcut on the desktop to reboot.
I tried these :
Reboot custom kernel with stock BB .58 : booted / no radio / reboot in less than 1 minute
Reboot custom kernel with BB 55 : same as with .58
Reboot custom kernel with BB 52 : booted / no radio / no reboot
Reboot stock rom with BB 52 : no radio
So with my last try I cannot conclude anything about the "no radio"
Will keep you informed with my further tests
Click to expand...
Click to collapse
More tests from DooMLoRD
http://forum.xda-developers.com/showpost.php?p=12272634&postcount=784
http://forum.xda-developers.com/showpost.php?p=12282471&postcount=789
http://forum.xda-developers.com/showpost.php?p=12303304&postcount=812
Bin4ry's kernel patches, config and build script from zdzihu:
http://forum.xda-developers.com/showpost.php?p=12272201&postcount=781
Bin4ry's kernel based on SE .435 kernel sources
http://forum.xda-developers.com/showpost.php?p=12275044&postcount=786
Aeny's tests
Aeny said:
x10i | J's CM7 RC2 V10a | BaseBand 2.0.46 | boot.img: 22.03.11-00_25
-Same behavior as BB 2.0.52
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10i | J's CM7 RC2 V10a | BaseBand 2.0.49 | boot.img: 22.03.11-00_25
-Same behavior as BaseBand 2.0.52
x10i | J's CM7 RC2 V10a | BaseBand 2.0.52 | boot.img: 22.03.11-00_25
-Screen not waking up by pressing any buttons, to wake up press any button, then press the screen. If "Screen-on" and/or "Screen-off" animations are enabled in CM-Settings then screen cannot be woken up at all.
-Battery shows a percentage, but does not indicate charging, however the battery level is going up.
-Time seems to update once every few (10~11) minutes instead of every minute & always starts counting from 1/1/1970 -1h:00m at boot.
-WiFi shows "error" under settings but does magically work, just can't be turned off.
-Bluetooth doesn't want to turn on.
-Baseband: "Unknown".
-Kernel Version: 2.6.29Bin4ry "[email protected] #1".
-no reboots (running 15minutes).
-screen doesn't auto-turn off but dims instead.
-Battery status shows as "unknown" under settings -> about phone -> status.
-No USB.
-LED doesn't light up while charging.
x10i | J's CM7 RC2 V10a | BaseBand 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10a | J's CM7 RC2 V10a | BB 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds->reboot(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
Click to expand...
Click to collapse
Aeny said:
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.58 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.55(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
Back to CM7 for me, SE's rom felt like playing a game @ 2FPS.
~Aeny
Click to expand...
Click to collapse
Ahmed radi's tests
Ahmed radi said:
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.1.54
its work great !
boot normaly then radio work and WiFi also work !
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.0.52
freeze on SE logo fo about 5~9 sec | no radio (insert SIM) | Wifi work
@ Bin4ry
good look bro
Click to expand...
Click to collapse
Ahmed radi said:
@ DooMLoRD
good now we have conferm that bin4ry kernel work with .54
i try also 52 but there is no radio !
i reflash the phone with 54 BB but also get no signal !
any idea about this ?
@bin4ry
could we convert the .img to .sin ?
Click to expand...
Click to collapse
Bin4ry said:
No, sin is the signature header. For that we need the signing key and we don't have it!
Regards
Click to expand...
Click to collapse
Ahmed radi said:
good lack Bin4ry !
test report :
X10 2.1 .435
BB54
run gr8 ,with Xda then reboot in se rom with radia and i test wifi and its work also!
edit :
BB58 also just like above !
>after we have sacsesfully loud Bin4ry kernel , could we have muiltitouch(not just dual) ? thanx
Click to expand...
Click to collapse
More info from Bin4ry
http://forum.xda-developers.com/showpost.php?p=12285626&postcount=795
shyvue's test
shvyue said:
I'm new to this but what i did is, copy all files from bootkit to /data/local/tmp
adb shell
$ su
# chmod 06755 run.sh
# ./run.shls
Phone shows fast-usb reboot, then a cute dog at top-left, then xda-developer with brown background.
SE stock image:
2.1.A.435
x10i-2.1.58 white led after xda-developer image then reboot with SE logo, etc
x10i-2.1.54 white led after xda-developer image then reboot with SE logo, etc
Click to expand...
Click to collapse
mpasanthosh's test
http://forum.xda-developers.com/showpost.php?p=12311351&postcount=816
Starting from 14th January 2011
blagus said:
Hi to all developers!
I haven't read whole thread, but I'm sure bootloader hasn't been cracked yet.
I spoke to a source who know really a lot about SE phones. He has been investigating X10 a lot and I got some info from him. He might be able to give me some further info but only if you are willing to read and try to accept my post and not just tell me "Xperia is different SE phone".
Believe me, he knows a lot about how X10 boots/works, and what's happening inside it (software part). He's been investigating phones since DB2020, and knows something about phones even before that.
As first, when I told him about "bootloader" he wasn't 100% sure what is that.
Most correct structure of X10 boot process and all "parts" involved is:
first, "real" ROM, which is actually one time programmable and can't be ever reprogrammed, is started.
In EROM, there's signature which is checked by ROM at beginning of boot - if signature is OK, ROM proceeds with running EROM and leaves it to continue boot process.
That is: checking signatures of everything that it runs directly, and then launches it if signatures are OK.
He also said that ROM is very incorrect name for phone's firmware - because ROM is actually thing that I mentioned above. Of course, you don't have to rename all ROMs to FW now, however it would be good if at least here in development thread correct names are used because that would help you, me in understanding what you're talking about - because I have knowledge from A1/A2 series and now he proved me that I was right about what I was saying - and him in understanding and possibly some further small tips.
He said that the thing that launches actual firmware - Android, is S1Boot, and it actually is in some structural way connected with A1's EROM and A2's SEMCBOOT.
(That is the thing I've been trying to say some time ago however no one was listening to me, nor wanted to check it - everyone was just saying "No, this phone is different from other SE phones.)
That then means that getting developer (more understandable - "brown") loader.sin - which actually contains S1Boot, or as you probably call it, bootloader - won't help you because in that S1Boot, there are flags that define if brown image will be accepted or not.
Also, in ROM there is root certificate (Qualcomm), "first in the chain" he said, not Red - retail, or Brown - developer one. S1Boot is also signed with that root certificate, and even existing S1Boot in our Xperias contain both Red and Brown certificates (unlike on A1/A2, where there is either red which accepts just red flashes, or brown which accepts them all), and only thing that differs is flags which tells EROM/S1Boot should it accept brown flash or not.
Note: Do not mix root certificate that is S1Boot signed with, and Red/Brown located inside it!
You can easily check this by opening existing, "usual" available for download here loader.sin in Notepad and you'll first find few certificates - S1_loader_root, S1_EROM_root, etc. and after that S1_loader_test, S1_EROM_test, etc. - same names, but instead of root it says test - this proves that there are both red and brown certificates.
He also said that
"brown sin-s can be self-produced... usually the brown RSA keys are available".
That means that if we put brown RSA key before header of pre-patched loader.img, we would get brown signed loader.sin, and we would just have to find a way to change flag to make the phone accept that brown image.
About pre-patching: yes, S1Boot has to be patched in order to accept unsigned flashes - whether it's just changing those flags, or rewriting it - however in that case still original root certificate must stay inside because it's checked by ROM.
And last thing is that he said that "SE used to disable Jtag on retail phones".
I remember that someone here mentioned Jtag but I don't know what was the result.
To receive further help/tips from him, following questions must be answered:
Question 1: To what exactly do you refer when speaking about bootloader? Now when I explained about S1Boot, can we actually say that bootloader = S1Boot (similar to) > A1's EROM (similar to) > A2's SEMCBOOT?
Question 2: What's contained in boot.img, if S1Boot is inside loader.img/loader.sin?
Best regards
Click to expand...
Click to collapse
25th January 2011
Bin4ry said:
Anyone wants to try my modded kexec-tool? I hope i have found a solution, but don't know yet, because my netbook still compiles the kernel ..... (for another 20 hours )
Regards
Bin4ry
Click to expand...
Click to collapse
Bin4ry said:
Since Maxrfon didn't answered my last mail again (he's very busy now) i had spare time and worked on this little tool once more =)
I hope we can boot another kernel with kexec-tool now.
for that we need a zImage and a initrd + some bootparameters for the kernel (root partition)
So if anyone want to try i would be lucky. My compilation was broken and now i have to start again :'(
So i anyone here wants help to try i would be lucky =)
Regards
Click to expand...
Click to collapse
26th January 2011
Bin4ry said:
Yes a initrd is needed, because i have not found the initrd location in virtual memory now, so i cannot point to it from kexec
Code:
kexec -l /zImage --apend="root........" --file="/initrd"
kexec -e -f
also you should appen the root partition.
It would be nice if someone could upload a zImage, i'm still stuck in compiling it *LoL* ****ing netbook is compiling 15 hours and then it aborts with some errors ^^
Regards
Click to expand...
Click to collapse
blagus said:
Put kexec in /system, chmod 777
Put ramdisk_orig.tgz and zImage to / and chmod 777
Code:
# kexec-tool -l /zImage --append="/" --initrd="/ramdisk_orig.tgz"
# kexec-tool -fe
After reboot zImage and initrd dissapear from /
Maybe if I put them in /system... I'll try that and let you know result.
Click to expand...
Click to collapse
Bin4ry said:
@Shamux thanks for the kernel.
@blagus:
You have to append the root partition to kernel parameters, else it will not detect it!
It's just like you want to boot a normal kernel on pc
Try adding --append="root=/dev/blablabla rw"
check which one is root partition (don't know now) and then check again if it works.
What we really neew is some kmsg log or smth.
Also Z mentioned to compile the kernel with semc-es209ra-capk config.
A minimal config will be a better way to start because something is breaking up we cannot find it.
But if we can boot minimal kernel, we can try to add more and more step by step and find the problem =)
Regards
Click to expand...
Click to collapse
blagus said:
Hmm... then, a little bit of experimenting is required...
I've got new info regarding bootloader cracking, from my source again
In theory it's very simple and you probably know that already: we calculate prime numbers that public key is made from - one key is enough, second can be calculated with
key ÷ 1st prime formula. But, you already know that.
Now, how to get these keys? Probably you know that too but let me repeat:
with OpenSSL we can get certificates from loader.sin. For example, this is interesting part of S1_loader_root (root certificate):
Code:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ea:a5:f7:7d:bd:67:21:33:04:00:ea:91:b0:c6:
cd:38:6c:aa:da:60:c1:77:e2:24:67:be:b7:da:4f:
e6:e5:92:fd:5b:b4:1a:97:54:cb:2f:7d:b1:63:e3:
d4:43:b9:a6:91:70:36:9f:5f:3a:7a:0e:2c:a7:44:
3b:40:84:0f:40:79:4a:b7:e8:58:d7:47:15:29:79:
07:b7:65:7b:d3:6d:40:10:29:78:c5:8f:51:b0:6e:
38:a9:97:1c:ff:1e:e5:bc:0d:22:1c:08:22:db:ad:
40:6f:2f:28:8a:8f:5c:38:d3:2a:96:72:48:66:28:
07:80:11:f1:62:f9:d3:40:a7
Exponent: 65537 (0x10001)
Modulus here is public key.
Just give this modulus to the CPUs and GPUs and let them calculate primes.
With these primes, calculation of private key should be trivial.
Update: this key is what we need to crack, that's it. Then, we can even make our own certificate - just like now there are, for example, s1_loader (Red, retail) and s1_loader_test (Brown, developer), we can make our own s1_loader_xda... and then, if it's issuer is S1_Loader_Root_f851 (like it is in root certificate attached here), and it is present in all parts of loader.sin (signature, signature of loader payload data) then phone will accept it.
Yes, that's right: this "Modulus" number above is the one that we need to crack in order to modify bootloader.
Update: if there's something confusing in this certificate, it's probably the fact that it's issuer and subject are same: yes, it's self-signed. But unfortunately, it won't work if we make our self-signed certificate
Click to expand...
Click to collapse
arkedk said:
Don't know if this is any help or useful info for any of the devs.
But managed to check the code in the lib_s1_verification.so file
Here's the boot sequence.
These files is what I know has something to do with the s1:
/lib/lib_s1_verification.so
/bin/linker
/bin/s1_verification_test
I don't know what I'm looking at here, but just wanted to see if I could make some kind of contribution to get the bootloader opened up.
Also attached the dedexed files from within semc_bootinfoif.jar if those are useful to anyone.
Assuming this is the Booting Sequence:
Click to expand...
Click to collapse
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Very good idea to start a new thread. Please someone of the moderators delete all future comments that are not related to root!
I finally compiled the tardis program but it doesn't work
Here my original post :
-----
This didn't work on X10. But possibly someone will try it on other devices.
Usage: ./tardis <BIG FILE>
Big file should be ~ 100mb
------
-Bin4ry
Gathered Information about the kernel and mount points so far:
Kernel Version: Linux version 2.6.29-rel ([email protected]) (gcc version 4.2.1) #2 PREEMPT Wed Mar 10 16:53:36 JST 2010
(notice it's been compiled on march 10 so it might have been patched until february)
Internal flash partitions:
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0
4Mb ramdisk: tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
Inside the software update package, there are a lot of files:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
preset.ta ->
Inside there's this:
Code:
// preset.ta has same format as TA file generated by FXTool
// Specification document: 69/159 35-LXE 108 116 Uen, Rev PA3
// Format:
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
// (c) Sony Ericsson Mobile Communications AB, 2009
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
amss_fs.sin -> no idea...but it seems empty as the cache 639 byte
apps_log.sin -> template for wiping mtdblock0 partition? (639 byte)
cache.sin -> template for wiping cache partition (like data partition, 639 byte)
fota0.sin -> ?
fota1.sin -> ?
boot.sin -> our beloved boot.img? (5.4 mbytes)
recovery.sin -> it looks like we have a recovery mode after all (not just safe mode)
dsp1.sin -> dsp firmware?
amss.sin -> Radio firmware?
metadata.dat -> 536 bytes, I guess it will be package metadata
simlock.ta -> 1,3 kb
system_S1-SW-LIVE....sin -> 195Mb, system partition
userdata_S1-SW-LIVE....sin -> 4,8kb, template for wiping data partition, maybe it has some file in there... haven't checked yet.
Things I tried so far:
m7 exploit. It seems fixed on this kernel (that or it might need some tinkering to the code)
exit_notify() local root exploit. suid_dumpable is 0 on /proc, so useless
h00ly**** exploit. Bin4ry tried this, but it seems it didn't work either.
Good thing: Sony Ericsson update service is programmed in java, and lollylost100 has already managed to make the program dump update images decrypted, so we might have a chance with that.
Also, bootloader starts if you take out the battery, plug usb and then turn it back in. It goes on for 10 seconds, after that, it times out and reboots to normal. So maybe if we don't mess with the bootloader we can restore it no matter what happens to the rest of the flash (don't trust this much)
About the mtd partitions, there are only four visible to Android, but there have to be more.
Radio partition, recovery partition (if it flashes it will be somewhere, unless its just a kernel+ramdisk that boots when in 'safe mode'), bootloader and such. Where are they hidden?
I have a copy of the running configuration for the kernel from .16 version, if anybody wants, I can put it somewhere.
If you wan't to retrieve it from your phone just do:
cat /proc/config.gz > /sdcard/config.gz
from adb/local terminal.
@HunteronX: that error it gives you is because you need a dev firmware, or being able to do a 'su', to get root access, it's not a driver problem. If you do "adb shell" you get a terminal with user id 2000 (shell), but no way of getting id 0 (root) with official firmware (unless hacking).By the way, that post you pasted from me is very outdated and there's not much useful information so you can remove it from the first post Thanks for starting a new thread, hopefully we'll manage to keep it clean!
Regards, Biktor
biktor_gj said:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
Click to expand...
Click to collapse
Code:
<?xml version="1.0" encoding="utf-8" ?>
<UPDATE>
<NOERASE>amss_fs.sin</NOERASE>
</UPDATE>
HunteronX said:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Click to expand...
Click to collapse
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
sim-value said:
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
Click to expand...
Click to collapse
confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.
funfobia said:
confirmed, all production build android we couldn't enable root. that is too easy.
we do can write and excute in /data. It use to be an exploit moving data form
/data to /system but now that hole is close, thoe move request get kill on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turn on and detect USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 second
it will shut it self and reboot in normal mode. there might be some trigger here.
Click to expand...
Click to collapse
Ok, thanks for telling me that - looks like i've got a lot to learn...
@biktor_gj I've hopefully now removed all the information you wanted.
/data is not the only place where you can run binaries, you can also execute them from /sqlite_stmt_journal ramdisk. The only issue is after rebooting the phone files will disappear, but /data has the nosuid flag enabled on the mount command, but that flag doesn't exist on the sqlite tmpfs.
Regards
I just sniffed yesterday the packets when SEUS is connecting to the Sonyerricsson Serve.
What I found out is that SEUS is requesting following IP: 195.95.193.10
If you enter this in your browser it returns following:
ma3.extranet.sonyericsson.com
There you can download a software called EMMA. Someone knows what's that for a software?
goroh_kun said:
I uploaded mtd dump program for xperia with my mtd_nand_ex module.
It includes souce code, and static linked binary.
http://hotfile.com/dl/52240500/a1a6e72/mtd_raw_dump.zip.html
With normal mtd-utils(nand-dump), you can't rip complete nand image.
so I have to change mtd mode to RAW MODE.
the raw image includes OOB(Out Of Band) area, so we have to
calculate ECC(Error Correction Code) to get its executable image.
Click to expand...
Click to collapse
I write program to rip original image from mtd raw image.
http://hotfile.com/dl/52522564/4d776ac/mtd_analyze.zip.html
I'm working to figure out how oob area works.
if you have any information please contact me, or write message here!
Try another method to run modified kernel.
hi, all
I found that the method modifying boot or recovery area is not good way,
because these partition are signed with SE signature, and it seems that
bootloader check its SHA hash and signature everytime on boot process.
so I try another approach that
execute another kernel, from original SE kernel like kexec method.
but original SE kernel is not configured with CONFIG_KEXEC.
so I have to modify kexec interfaces from system calls to proc filesystem
access.
http://hotfile.com/dl/52604229/240e97c/kexec_ex.zip.html
http://hotfile.com/dl/52609760/96288b5/kexec-tools.tgz.html
It seems work to boot new kernel. you have to build kernel with initrd image.
wait for details..
we have 2 options
patch loader or go kexec
flash tools for x10 nand
happy play
http://hotfile.com/dl/53734913/3b68720/flash_tools.tar.bz2.html
rosco16 said:
Great!!!
If you had flashed NAND ...is it correct to say that x10 is root 100% already ??
cheers
Click to expand...
Click to collapse
NO
- we can dump and flash nand (tested tools)
- SE boot (kernel is signed like .sin files) and our boot is not signed so it will not boot
WE need kexec to load our kernel or patch bootloader not to check for signed kernel
@custom rom Cyanogen V6 alpha is compiled but we can not boot it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
Click to expand...
Click to collapse
)
you are so funny
if it was that simple we would do it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
Click to expand...
Click to collapse
First, bootloader and fota applications have some kind of lock and cannot be read (unlike boot, recovery amss & dsp). Second, to patch a bootloader you need to disassemble it, find all the points where it checks for signatures, and patch them. Then you need to test it, and if you mess it once, 400$ phone to the trash. Much more useful to have kexec working, since with it you could, in theory, boot the bootloader from ram, to check if patching goes good and do all the testing withour breaking anything. And you could run a kernel of choice.
Things aren't as easy as that I'm affraid...
How to dump bootloader
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
goroh_kun said:
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
Click to expand...
Click to collapse
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
biktor_gj said:
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
Click to expand...
Click to collapse
yep is full
thanks goroh
but dump seems to be wrong
after 0x3000 is padding
next block is at 0x100000
@kexec we need to somehow patch it to load the loader
Originally posted by blagus.
Important: AS SUGGESTED BY DEVELOPERS, PLEASE USE STOCK 2.1.1.A.0.6. FLASH IT WITH FlashTool, GET FILES FROM MY Mediafire FOLDER.
All files (splboot, miniloader, boot.img, etc.) will be uploaded to this Mediafire folder.
If you compiled something and want to share it, attach it here and I'll upload it to Mediafire to have everything in one place.
cat /proc/iomem with addresses needed to modify splboot and miniloader - X8:
Code:
$ cat /proc/iomem
00200000-0d8fffff : System RAM
0022b000-006e3fff : Kernel text
006e4000-00813733 : Kernel data
02900000-02afffff : kgsl_phys_memory
0d200000-0d8fffff : Crash kernel
0d9e0000-0d9fffff : ram_console
a0000000-a001ffff : kgsl_reg_memory
a0000000-a001ffff : kgsl
a0200000-a0200fff : msm_serial_hs.0
a0400000-a0400fff : msm_sdcc.1
a0500000-a0500fff : TIWLAN_SDIO.2
a0800000-a08003ff : msm_hsusb
a0800000-a08003ff : msm_hsusb_periphera
a0800000-a08003ff : msm_hsusb_host.0
a0800000-a08003ff : msm_hsusb_otg
a0800000-a08003ff : msm_otg
a0a00000-a0a007ff : msm_nand_phys
a9900000-a9900fff : msm_i2c.0
a9900000-a9900fff : msm_i2c
a9c00000-a9c00fff : msm_serial.2
a9c00000-a9c00fff : msm_serial
aa200000-aa2effff : mdp
aa300000-aa300fff : tssc
aa600000-aa600fff : pmdh
Run cat /proc/mtd to find addresses needed to make boot.img. Different for X10, X8, X10 Mini (Pro).
How to make boot.img:
Download build_bootimg.zip, extract. If you're on Linux, run makeit.sh, if on Windows, run makeit.bat
Don't forget that mkbootimg's cmdline needs tweaking. Read README.txt included to find out more.
Also, to make ramdisk, place files in ramdisk-folder and execute following:
Code:
mkbootfs ./ramdisk-folder > ramdisk
This will give you cpio ramdisk archive. gzip it and you're done. Name it ramdisk.gz.
If you like my post, thank me!
Originally posted by blagus.
Important: AS SUGGESTED BY DEVELOPERS, PLEASE USE STOCK 2.1.1.A.0.6. FLASH IT WITH FlashTool, GET FILES FROM MY Mediafire FOLDER.
All files (splboot, miniloader, boot.img, etc.) will be uploaded to this Mediafire folder.
If you compiled something and want to share it, attach it here and I'll upload it to Mediafire to have everything in one place.
cat /proc/iomem with addresses needed to modify splboot and miniloader - X8:
Code:
$ cat /proc/iomem
00200000-0d8fffff : System RAM
0022b000-006e3fff : Kernel text
006e4000-00813733 : Kernel data
02900000-02afffff : kgsl_phys_memory
0d200000-0d8fffff : Crash kernel
0d9e0000-0d9fffff : ram_console
a0000000-a001ffff : kgsl_reg_memory
a0000000-a001ffff : kgsl
a0200000-a0200fff : msm_serial_hs.0
a0400000-a0400fff : msm_sdcc.1
a0500000-a0500fff : TIWLAN_SDIO.2
a0800000-a08003ff : msm_hsusb
a0800000-a08003ff : msm_hsusb_periphera
a0800000-a08003ff : msm_hsusb_host.0
a0800000-a08003ff : msm_hsusb_otg
a0800000-a08003ff : msm_otg
a0a00000-a0a007ff : msm_nand_phys
a9900000-a9900fff : msm_i2c.0
a9900000-a9900fff : msm_i2c
a9c00000-a9c00fff : msm_serial.2
a9c00000-a9c00fff : msm_serial
aa200000-aa2effff : mdp
aa300000-aa300fff : tssc
aa600000-aa600fff : pmdh
Run cat /proc/mtd to find addresses needed to make boot.img. Different for X10, X8, X10 Mini (Pro).
How to make boot.img:
Download build_bootimg.zip, extract. If you're on Linux, run makeit.sh, if on Windows, run makeit.bat
Don't forget that mkbootimg's cmdline needs tweaking. Read README.txt included to find out more.
Also, to make ramdisk, place files in ramdisk-folder and execute following:
Code:
mkbootfs ./ramdisk-folder > ramdisk
This will give you cpio ramdisk archive. gzip it and you're done. Name it ramdisk.gz.
Originally posted by blagus.
To start and organize X8 bootloader bypassing, and to leave X10 developers to focus entirely on X10 cracking, I've made this thread to keep track of progress and for developers to share info.
What has to be done:
Compile splboot as kernel module - addresses have to be modified for X8 - work in progress
Compile miniloader for MSM7227 - hopefully done by nobodyAtall
Make boot.img with zImage and ramdisk for X8 - work in progress
Developers (alphabetical):
Asdoos - splboot and miniloader
Bin4ry - side help and tips
Blagus - boot.img mostly
Chumby_666 - mood-lifter in IRC and tools provider
nobodyAtall - splboot.ko - miniloader
Progress (sorted by time):
splboot.ko - compiled by nobodyAtall - needs tweaking
miniloader - compiled by nobodyAtall - unknown does it need further modifications or not
boot.img - work in progress
Experiments:
# insmod splboot.ko
Loads without errors.
insmod splboot - OK
cat miniloader - OK
cat boot.img from X10 - few high-ASCII characters appear, plus "Invalid length", phone freezes, adb shell freezes, phone reboots after ~30 seconds
If nothing, at least a proof that something was tried to load into memory, and invalid length caused freeze - meaning that splboot was most probably compiled and loaded correctly.
After further tests, looks like something's wrong in splboot - probably allocated memory is too small
How to boot:
Get splboot.ko, miniloader, boot.img and run.sh
Push splboot to /system/lib/modules, rest to /system/kernel (mkdir /system/kernel).
execute this from adb: # sh /system/kernel/run.sh
Best regards
Originally posted by blagus.
Important: AS SUGGESTED BY DEVELOPERS, PLEASE USE STOCK 2.1.1.A.0.6. FLASH IT WITH FlashTool, GET FILES FROM MY Mediafire FOLDER.
All files (splboot, miniloader, boot.img, etc.) will be uploaded to this Mediafire folder.
If you compiled something and want to share it, attach it here and I'll upload it to Mediafire to have everything in one place.
cat /proc/iomem with addresses needed to modify splboot and miniloader - X8:
Code:
$ cat /proc/iomem
00200000-0d8fffff : System RAM
0022b000-006e3fff : Kernel text
006e4000-00813733 : Kernel data
02900000-02afffff : kgsl_phys_memory
0d200000-0d8fffff : Crash kernel
0d9e0000-0d9fffff : ram_console
a0000000-a001ffff : kgsl_reg_memory
a0000000-a001ffff : kgsl
a0200000-a0200fff : msm_serial_hs.0
a0400000-a0400fff : msm_sdcc.1
a0500000-a0500fff : TIWLAN_SDIO.2
a0800000-a08003ff : msm_hsusb
a0800000-a08003ff : msm_hsusb_periphera
a0800000-a08003ff : msm_hsusb_host.0
a0800000-a08003ff : msm_hsusb_otg
a0800000-a08003ff : msm_otg
a0a00000-a0a007ff : msm_nand_phys
a9900000-a9900fff : msm_i2c.0
a9900000-a9900fff : msm_i2c
a9c00000-a9c00fff : msm_serial.2
a9c00000-a9c00fff : msm_serial
aa200000-aa2effff : mdp
aa300000-aa300fff : tssc
aa600000-aa600fff : pmdh
Run cat /proc/mtd to find addresses needed to make boot.img. Different for X10, X8, X10 Mini (Pro).
How to make boot.img:
Download build_bootimg.zip, extract. If you're on Linux, run makeit.sh, if on Windows, run makeit.bat
Don't forget that mkbootimg's cmdline needs tweaking. Read README.txt included to find out more.
Also, to make ramdisk, place files in ramdisk-folder and execute following:
Code:
mkbootfs ./ramdisk-folder > ramdisk
This will give you cpio ramdisk archive. gzip it and you're done. Name it ramdisk.gz.
If you like my post, thank me!
Excuse me if it sounds lame
but what is splboot.ko all about
i understand its a kernel module but what is its usage...
To be honest, I don't really know how you guys do it but what I do know is that what you guys do it so awesome!! THANK YOU TO EVERY LAST ONE OF THE DEV TEAM for all the countless time and quality effort that you put into the work you give to us stupid people that can't even program a TV properly!!
x10 mini is my 2nd phone with locked bootloader and my first phone is milestone with locked botoader now hoping for the best that these devs will break the bootloader
is bootloader encrypted. if so is there any any knowledge of the algorithm used. or is the password available in sony ericsson software update or update package. will brute force attack work. if so how to get access to kernel.
Is there some news?
Castore said:
Is there some news?
Click to expand...
Click to collapse
Nah none for now, but Blagus is working really hard!
good to see the progress.
i always thought its not possible to crack the bootloader but it seems like you are going to do it
Wussiwuh said:
good to see the progress.
i always thought its not possible to crack the bootloader but it seems like you are going to do it
Click to expand...
Click to collapse
Technically they aren't trying to crack the bootloader, but bypassing it.
Sent from my X10mini using XDA App
thanks for the post. NIce to see develoment from the front row. 1 class
the_laser said:
Greetings.
warning.
if you are not developer, please quit reading that post.
wait for user friendly tool with one big button.
here ( View attachment 712577 ) is toolset to permanently "unlock" semcboot of msm7227 semc phones.
that means, you can use own kernel and so on.
steps,precautions, etc.
unpack archive to any directory.
if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.
now, if your phone unlocked officially:
flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.
of course, enable "usb debugging"
run msm7227_semc.cmd,
( if you want, examine it before run, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
bingo, your phone now has unlocked bootloader.
if your phone unlocked by setool2 software, use msm7227_setool2.cmd
if your phone unlocked by 3rd-party software other than setool2, do not run anything -
it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
okay, now about other details.
1.
unlocked bootloader require unlocked loader, yep ?
loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.
to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A029"
( same applies for loader version tag )
so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.
2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.
[input] - is input binary file.
[partition info]
android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.
you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
kernel partition is partition without spare.
if that parameter omitted, type = 9
[block size] - nand block size, if omitted, it is standard size 0x20000
there is example in sinTools\example_build.cmd
3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.
we need 2 segments:
segment 1 is unpacked linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x00208000
attributes for image 0x0
segment 2 is ramdisk.
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x01000000
set attributes for ramdisk 0x80000000, that is extremly important.
there is simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with entire idea for msm7227 bypass.
your 6-wings friend with many nicks done exactly same.
NAND MPU has nothing to do with memory firewall, so it will not help with kexec things, however, who will care now.
Click to expand...
Click to collapse
I was on x8 forums and i found this!!! It looks very interesting!!!
Can someone explain me what is it good for?
Sorry for my bad english
ChavitoArg said:
Can someone explain me what is it good for?
Sorry for my bad english
Click to expand...
Click to collapse
It allows you to boot custom linux kernels.
DustArma said:
It allows you to boot custom linux kernels.
Click to expand...
Click to collapse
I just made the_laser ¨tuto¨
successfully wrote 0003ff00, i succesfully unlock my bootloader? Is there any way to confirm that? i have to do somethin else?
Sorry for the questions and for my bad english.
ChavitoArg said:
I just made the_laser ¨tuto¨
successfully wrote 0003ff00, i succesfully unlock my bootloader? Is there any way to confirm that? i have to do somethin else?
Sorry for the questions and for my bad english.
Click to expand...
Click to collapse
probably. try flashing dKernel to find out for sure.
To be continued
Sounds promising =D
Sorry I am unable to find working stock kernel source code, one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fail to compile at start, so I can not continue, no want to waste my time fixing it since I need excatly the same kernel source which will produce excatly the same binary - stock kernel, probably that will not be happen since sony public source is broken so I can not produce the same binary + later: new modules needed for kexec, sorry guys I stopping now. Our soc going to iritate me a lot
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
nickholtus said:
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
Click to expand...
Click to collapse
Did you tried latest Sony archive? I dont know why but when I "make defconfig" and than do "make" compilation asking me for a lot of defconfig related things - chooses, seems archive from Sony is corupted? Tried riogrande**defconfig, tried allso defconfig which I using, no one working. There asking me for x86 things which is ...no logic
If some one have locked bootloader and have "unlock allowed - no", please give me TA backup! To get TA backup simple install http://www.flashtool.net/download.php and do:
1. install it
2. run it
3. click file menu -> switch to pro
4. click to adwance menu -> trim area -> s1 -> backup
5. post your dump here
Thanks!
You can find many TA backups here.
Gesendet von meinem Xperia S mit Tapatalk
djolivier said:
You can find many TA backups here.
Gesendet von meinem Xperia S mit Tapatalk
Click to expand...
Click to collapse
Missin inposible with ta http://forum.xda-developers.com/showpost.php?p=49958520&postcount=687 only maybe kexec can do a job
Maybe hashcode could help for kexec on locked bootloader. He seems to make it work on several locked device(motorola,latest samsung).
munjeni said:
Sorry I am unable to find working stock kernel source code, one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fail to compile at start, so I can not continue, no want to waste my time fixing it since I need excatly the same kernel source which will produce excatly the same binary - stock kernel, probably that will not be happen since sony public source is broken so I can not produce the same binary + later: new modules needed for kexec, sorry guys I stopping now. Our soc going to iritate me a lot
Click to expand...
Click to collapse
Sir, I can confirm that its compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in Makefile for now. Which toolchain are you using?
Cheers,
AJ
@munjeni as of now,Xperia U tree and P tree are using ARM-EABI-4.4.3
You can git clone it from here --> www.github.com/Abhinav1997/arm-eabi-4.4-3 and push it over to prebuilts/gcc/linux-x86/arm
So,if you still get errors,modify the toolchain line to : "arm-eabi-4.4.3/bin/arm-eabi-"
Hope it helps
Abhinav2 said:
Sir, I can confirm that its compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in Makefile for now. Which toolchain are you using?
Cheers,
AJ
Click to expand...
Click to collapse
Sorry my wrong :laugh: I executed by this way:
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make
instead of
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
Ok will continue.
Here is git https://github.com/munjeni/stock_jb_kexec_kernel_for_locked_bootloader/commits/master
lsmod
kexec_load 28179 0 - Live 0x00000000
procfs_rw 2435 0 - Live 0x00000000
Click to expand...
Click to collapse
status
[email protected]:/data/local/tmp # grep kexec_driver /dev/devices
grep kexec_driver /dev/devices
grep: /dev/devices: No such file or directory
2|[email protected]:/data/local/tmp # kexec --load zImage --initrd=initrd.gz --mem-m
in=0x3000000 --command-line="$(cat /proc/cmdline)"
initrd=initrd.gz --mem-min=0x3000000 --command-line="$(cat /proc/cmdline)" <
kernel: 0x401c7008 kernel_size: 35f1f8
kexec_load: entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
kexec_load failed: Function not implemented
entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
255|[email protected]:/data/local/tmp # cat /dev/kexec_driver
Click to expand...
Click to collapse
Progress:
[72371.535949] Kexec: KDS_entry : '3008000'
[72371.535980] Kexec: KDS_nr_segments : '3'
[72371.535980] Kexec: KDS_segment : '1afe8a8'
[72371.535980] Kexec: KDS_kexec_flags : '280004'
[72371.536010] Kexec: - Starting kexec_load...
[72371.599609] Kexec: - ---- kexec_load - result : '0'
[72392.445739] Kexec:-----------------------------------------------------
[72392.445800] Kexec: REBOOT DEVICE !!!
[72392.445953] Starting new kernel
[72392.446044] Bye!
Click to expand...
Click to collapse
Remaining thing is - need to reserve memory for storing hardboot atags, hope I can store them in the same memory like used on my kernel, if not than will investigate something
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with unsalted SHA-256 hash
wan5xp said:
Maybe hashcode could help for kexec on locked bootloader. He seems to make it work on several locked device(motorola,latest samsung).
Click to expand...
Click to collapse
Who? Where?
mirhl said:
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with unsalted SHA-256 hash
Click to expand...
Click to collapse
Probably some one found something and posted them, but post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
munjeni said:
Probably some one found something and posted them, but post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
Click to expand...
Click to collapse
your link was bad
but what posts should have been deleted? Can't see anything wrong
mirhl said:
your link was bad
but what posts should have been deleted? Can't see anything wrong
Click to expand...
Click to collapse
These is copy paste link, so I can not open broken link, tried to append 1196932 to the http://forum.xda-developers.com/newreply.php?do=newreply&p= but thats not link which pointing to the post related to the "arcievied unlock thing"... some one say that there is thread where some guys found unlock procedure for "unlock allowed = no", so I can not see these thread
I'm going to show you how to build a custom kernel, and a custom boot.img.
Requirements
A linux OS
Kernel source code from Samsung
Android Image Kitchen (Required for the SEANDROID metadata it appends automatically)
GCC Cross Compilation Toolchain 4.8 (You may just clone the repo with git, or download a zip)
Hypothetical workspace directory on the filesystem: /workspace, now prepare it like this:
/workspace/kernel - this is where the kernel source code will be, this is what we will build. Extract the downloaded Kernel.tar.gz here
/workspace/build - this is the kernel compilation result, populated by the build
/workspace/toolchain - this is the required cross-compilation toolchain you download or check-out from the google link
/workspace/kitchen - Extract Android Image Kitchen here
Click to expand...
Click to collapse
Go to http://opensource.samsung.com/reception.do and search for SM-J415, download one of the results, extract Kernel.tar.gz to /workspace/kernel. I believe SWA stands for South West Asia, and MAE - Middle-east Africa, it doesn't matter which you pick, it is related to radio regulations.
Now overwrite the file /workspace/kernel/build_kernel.sh with:
Code:
#!/bin/bash
# The cross compilation toolchain path
export TOOLCHAIN=$(pwd)/../toolchain/arm-linux-androideabi-4.8
# This is the directory for the compiled kernel
export OUTDIR="O=$(pwd)/../build"
export PATH=$TOOLCHAIN/bin:$PATH
export ARCH=arm
export CROSS_COMPILE=arm-linux-androideabi-
export THREADS=$(nproc --all)
export COMMON_ARGS="-j$THREADS $OUTDIR arch=arm CFLAGS_MODULE=-fno-pic arch=arm"
if [ "$1" == "build" ]; then
make $COMMON_ARGS j4primelte_sea_open_defconfig
make $COMMON_ARGS
elif [ "$1" == "rebuild" ]; then
make $COMMON_ARGS
elif [ "$1" == "clean" ]; then
make $COMMON_ARGS distclean
make $COMMON_ARGS clean
else
echo "./build_kernel.sh build|rebuild|clean"
fi
Building kernel source code
Run the script:
$ cd /workspace/kernel/
edit: /workspace/kernel/arch/arm/configs/j4primelte_sea_open_defconfig
change CONFIG_SECURITY_DEFEX=y to CONFIG_SECURITY_DEFEX=n
$ bash build_kernel.sh build
It should build normally, if it fails there's something wrong with your OS setup. After a long time, you should see the compiled and compressed kernel with the DTP appended at:
/workspace/target/arch/arm/boot/zImage-dtb
The kernel configuration it created from the defconfig files in the kernel source tree is at
/workspace/target/.config
Build a new boot.img
$ cd /workspace/kitchen
$ bash unpackimg.sh /path/to/a/boot/or/recovery.img
Now you will have the unpacked kernel in: /workspace/kitchen/split_img/boot.img-zImage
Delete it
$ rm split_img/boot.img-zImage
Link the built custom kernel there instead
$ ln -s /workspace/target/arch/arm/boot/zImage-dtb /workspace/kitchen/split_img/boot.img-zImage
Now each time you create the boot.img, it will include your custom kernel instead.
Tweak the files and ramdisk as much as you want, and repackage the boot.img
$ bash repackimg.sh
Now you have a boot.img at /workspace/kitchen/image-new.img that is ready to flash to the device. You can unpack custom recoveries the same way as you unpacked boot.img to make them use your custom kernel.
Kernel configurations tried
CONFIG_SECURITY=n - boot loop
CONFIG_SECURITY_SELINUX=n - boot loop
CONFIG_SECURITY_DEFEX=n - works
CONFIG_DM_VERITY=n - works, does not prevent initramfs from using DM-VERITY, you still need some sort of ramdisk hack to disable verification of the next boot phase after initrd.
Often when editing the defconfig files, the same variables are declared in many different files so you might be better off using "sed' to change the variables, example:
$ grep -lr "CONFIG_SECURITY=y" | while read line; do sed -i 's/CONFIG_SECURITY=y/CONFIG_SECURITY=n/g' $line; done
When running "build_kernel.sh build", it will print "configuration written to .config" so verify that the variable was actually changed in the final config /workspace/build/.config
kapmino269 said:
and I think ,They aren't kernel see
Click to expand...
Click to collapse
No that is the latest kernel source code running on the latest firmware. You can use either of those 2 downloads from opensource.samsung.com
kapmino269 said:
it isn't working .
Click to expand...
Click to collapse
The kernel source code is on the Samsung opensource website.... there are two versions one that is MEA ( for Middle East and Africa roms) and the other one for SWA. It works if compiled properly
kapmino269 said:
ok
i have questions loop device depend on kernel and if it is .
How to add support?
Click to expand...
Click to collapse
It seems it depends on the kernel support but I haven't actually tried messing around that stuff
kapmino269 said:
it isn't working .
Click to expand...
Click to collapse
You need to install gcc, python and make before you run the command bash build_kernel.sh build
sudo apt install gcc make python
kapmino269 said:
I knew steps man I used Ubuntu for 2 years without windows .
thank you .
Click to expand...
Click to collapse
Do you tried make mrproper and make clean before you run build_kernel.sh?
kapmino269 said:
ok
i have questions loop device depend on kernel and if it is .
How to add support?
Click to expand...
Click to collapse
Type "make xconfig" in the kernel directory, and a window will open for configuring the .config file in that same directory.
Search for "Loopback device support" and add a checkmark (not a dot, so that the module is built into the kernel.)
kapmino269 said:
it isn't working .
Click to expand...
Click to collapse
Can you please provide a log or something? It sounds like you are missing dependencies in your operating system for building kernels.
how do you flash the new boot.img with a samsung device?
kapmino269 said:
By twrp
Click to expand...
Click to collapse
Thanks!!
I ended up using https://forum.xda-developers.com/showthread.php?t=2446269 which is pretty easy as well.
I am now stuck on how to enable wifi after flashing a different kernal.
Kernal = samsung opensource
Rom = nouget 7.1.1 (different to opensource kernal)
Any suggestions?
heavy load said:
Thanks!!
I ended up using https://forum.xda-developers.com/showthread.php?t=2446269 which is pretty easy as well.
I am now stuck on how to enable wifi after flashing a different kernal.
Kernal = samsung opensource
Rom = nouget 7.1.1 (different to opensource kernal)
Any suggestions?
Click to expand...
Click to collapse
Install the Magisk module LIBSECURE_STORAGE COMPANION
ashyx said:
Install the Magisk module LIBSECURE_STORAGE COMPANION
Click to expand...
Click to collapse
Thanks Ashyx, I had a play with your kernal on github, nice work there!
I ended up downloading a stock rom matching the samsung opensource kernal build number, worked out of the box.
kapmino269 said:
See that :
@ashyx any help
I NEED TO ADD SOME MODULES.
Click to expand...
Click to collapse
It's telling you the path to the defconfig doesn't exist.
Either the name is wrong or it doesn't exist in the config directory.
kapmino269 said:
This, I solved it yesterday, Thanks .
But I have 2 problems :
1- Device is arm and at bulid_kernel.sh tell me to use toolchain arch64 ,
Which I should Use arm or arm64 ,
I confused as cpu is arm64 .
https://www.qualcomm.com/products/snapdragon/processors/425
Or
Ndk
https://developer.android.com/ndk/downloads/index.html
2- Which command I should write after menuconfig
./build_kernel.sh
Or
make -jX .
Click to expand...
Click to collapse
Just use whichever is in the build script.
You will need to add menuconfig to build_kernel.sh before make or your changes will be lost.
Then run build_kernel.sh
kapmino269 said:
@ashyx ,all is ok .
The error from clang and there is 2 config files .
Fixed and I will test kernel but I have problem when compiling I choose lz4 type ,do U see I should choose another .
Also where is zimage now ,i compiled manually not with build_kernel.sh .
Click to expand...
Click to collapse
You don't need the export arguments which are contradictory anyway, as you have already defined your toolchain and architecture before hand.
Also the boot image does not need to be lz4. The compiler will tell you where the finished zImage is when completed. You should find it in the boot directory of the arm64 directory if you are not using OUT_DIR statements.
kapmino269 said:
Sorry ashyx this is last thing ,
-You told me later that device is arm not arm64 .
In Your twrp thread .
-Also defconfig of device in /arch/arm .
-Arch=arm in build_kernel.sh .
-Gsi system armaonly only work on the device .
-All apps told that device is arm .
I confused ,
Please tell that it is right to use arm64 tool chain .
Or How did U build it ?
By arm64 toolchain or arm toolchain ?
Very Thank U .
Click to expand...
Click to collapse
I was just going by the screen shot you posted. Like I said your commands are contradictory.
You have both arm and arm64 toolchains defined in the same script.
You also have an export statement for arm64 directly under a statement for an arm toolchain.
Not sure why you added both?
As far as I can see the architecture you're compiling for is arm, so you need an arm toolchain.
kapmino269 said:
It contains errors
Click to expand...
Click to collapse
This is the script I use.
You will need to modify the path to your toolchain.
can i use the source code to build kernel for android 10 one ui if the source built for mm