Related
Hello
I treat this thread as DEVELOPMENT focused, so please keep non-technical questions and all the excitement aside and use it strictly for the technical discussion.
As most of you have been able to witness, FOTA seems the right track for bypassing bada bootloader security.
During the Android porting we have found ourselves in the situation where we developed a fairly simple asm code for the purpose of loading and booting Android.
A successful attempt has some important limitations, though. One major is strict dependency from the bada bootloader level 3 (BL3) that we used to interact with the hardware for us and provide filesystem abstraction. I feel that main reason for that happening was coming directly from what was the biggest advantage in the beginning - simplicity of building crafted FOTA module from asm.
Since the time I've made the discovery of the FOTA vulnerability (as described initially here) and after I provided sample framework for building crafted FOTA file for fasmarm (see here) only b.kubica and Rebellos took over and made it into the FOTA booting Android. That approach required installing specific bootloader version in the phone and used patched I9000 secondary bootloader (SBL), as we needed it to correctly initialize the display for the kernel.
The first attempt to make it more universal was proposed, but it still only introduced additional abstraction layer for BL3 calls and was using the very same assembler framework.
I'd like to change something again and therefore, I've scratched a new framework for building FOTA. This time, it is using a proper gcc toolchain and quickly jumps a level higher in abstraction - into C/C++ code. Linker scripts provide abstraction for building the right FOTA file headers and footers for:
- S8500 running bada 1.x
- S8500 running bada 2.x
- S8530 running bada 1.x
- S8530 running bada 2.x
All four targets are built from same source files with a single 'make'. I tested all that by writing FLOCK (that still is BL3 dependent but written in C).
In my opinion, it should allow us to get into development of the modules handling hardware, filesystem, etc. by ourselves (or simply building that from external source codes handling that) resulting in full independence from version of the bootloader installed.
Now we get to the right question - do you have suggestions as for what opensource bootloader project we should integrate into FOTA? I've done a proof-of-concept integration of u-boot and it compiles flawlessly (of course, getting it to run is whole other story as there's lots of low-level initialization procedures to be rewritten). Please answer with some supporting arguments as it's not voting and would prefer a discussion and picking the right solution.
The second thing - is there anybody with the know-how and interest in this development? I'd like to share the code and support it only in some spare time, so it would be perfect if somebody took it over.
Again, please keep this thread clean - strictly technical discussion here.
Regards,
mijoma
b.kubica has awesome demonstrate with bTerm and unsecdload.fota:
- dump NAND for Backup or study...
- bypass apps_compressed.bin Integrety check.
It would be nice, if this could be combined and/or port for S8530 too.
I wished I could dump with bTerm also in bada 2.0.
I saw only Rebellos did something with bTerm...
Also I miss Upload to...
http://forum.xda-developers.com/showthread.php?t=1176189
Thanx in advance.
Best Regards
One of the logical alternatives for uBoot is Qi from OpenMoko, it is much more simple, but that brings more limitations. And I haven't seen S5PC110 support in there. So some S3C cpu driver would need to be updated.
http://wiki.openmoko.org/wiki/Qi
Also leaked Loke for Spica could be used - it has got also S3C drivers (S5P~~is only abit updated S3C arch) already done for S3C64xx, so the cpu-driver the same as above.
Writing bootloader from scratch is rather pointless and I'd anyway use uBoot for that project - there already exists fully working sources for Odroid, that is Hummingbird based. But not much more we can do than hope some dev suddenly pop out of nowhere and join the project.
OK.
It's been a while and there has not been any activity around.
My time availability is completely not there as well. The least I can do is to upload something I had started months ago and never continued.
Maybe somebody experimenting with FOTA can use it at some point, maybe not.
In the attachment there's a project to be built using gcc toolchain (I used the one from bada SDK). It's rather simple but it already implements some of the lowest level stuff so the entry point is in C already and produces all 4 platforms (S8500 bada 1.x, S8500 bada 2.x, S8530 bada 1.x, S8530 bada 2.x) in one go.
I don't say it's an easy go from now, but you can use it however you wish and I hope it may be of some help at some point.
Best Regards,
mijoma
Please.
Maybe mijoma or Rebellos could answer.
1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...
If correct, how he was able to use other Boot?
I was never able to write Original Boot of my own choice with RIFF (JTAG)...
2.
As test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...
Maybe if Devs have S8000 for training...
Maybe this could little bit increase progress... about Bootloader functions... and or MODEM AMSS...
3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of Bootloader Security... also few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://forum.xda-developers.com/showpost.php?p=32611984&postcount=59
Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot by something else...
In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see... :angel:
Best Regards
adfree said:
1.
Oleg_K replaced bada boot_loader.mbn in OneNAND...
If correct, how he was able to use other Boot?
I was never able to write Original Boot of my own choice with RIFF (JTAG)...
Click to expand...
Click to collapse
It is possible to replace the whole bootloader chain. Rebellos looked at the options and it comes out that depending on the data in the iRAM each bootloader stage will perform or not a verification of the next bootloader stage.
The bootloader that is used by Unbrickable Mod for our processor (used by Odroid project originally) is braking the chain of trust and this is the possibility to write whatever.
adfree said:
2.
As test device for Bootloader action I think S8000 Jet is perfect...
- cheap on Ebay...
- "similar" to S8500 but much less secured...
Maybe if Devs have S8000 for training...
Maybe this could little bit increase progress... about Bootloader functions... and or MODEM AMSS...
Click to expand...
Click to collapse
You should forget about S8000. It helps us in no way and there's no compatibility between the devices.
adfree said:
3.
It seems with CMM Script and JTAG (100% confirmed) it is possible to disable some of Bootloader Security... also few Commands (idea)... maybe...
Code:
UnlockSecBoot
PrtSecBoot
http://forum.xda-developers.com/showpost.php?p=32611984&postcount=59
Maybe with FOTA it is possible to disable complete Boot Security and then remove/replace Boot by something else...
In my case I "need" XXJB6 bada complete... So XXJB6 Boot one day on my S8500 would be nice to see... :angel:
Click to expand...
Click to collapse
It is possible to disable security with JTAG but work will focus on the development platform that does not require JTAG. It will most probably allow using other bootloaders, but XXJB6 is nothing really special. I would rather like to see something (u-boot based possibly) being able to flash bada and android to OneNAND (not moviNAND as current) and run both without the security
Rebellos checked the partition map and it may be even possible to fit both systems into OneNAND if there wouldn't be FOTA installed.
FOTA may be used at the beginning of the process as there's no better place to start with diagnostics, modifications to memory, flashing of unsecure components and so.
S8600XXKL1_S8600OXCKL3_TPH
S8600JVKK4_S8600XFVKK1_XFV
S8600DXLD1_S8600OLBKK6_XXV
S8600DXLD1_S8600OLBKK6_XME
S8600JVKK4_S8600OJVKK2_XFE
S8600DXKK6_S8600OLBKK6_XSP
S8600DXLD1_S8600OLBKK6_XEV
S8600DXLD1_S8600OLBKK6_XTC
S8600XXKK7_S8600OXEKL1_VHC
S8600XXLD1_S8600OXDLD2_XSK
S8600XXLD1_S8600OXDLD2_XEH
S8600XXLA1_S8600OXDLA1_VDC
S8600BOKK6_S8600TMZKK6_TMZ
S8600JPLB1_S8600OJPLB1_TMC
S8600DXLD1_S8600OLBKK6_THL
S8600XXLD1_S8600OXDLD2_XEZ
S8600JPKL1_S8600OJPKK3_AFG
S8600XXKK7_S8600OXFKL1_SEB
S8600XXLD1_S8600OXELD1_SKZ
S8600XXKK7_S8600OXEKK5_SEK
S8600XXKK7_S8600OXCKK1_PHE
S8600JPLD1_S8600OJPLB1_THR
S8600XXLD1_S8600OXELD1_MTS
S8600AELE1_S8600SFRLE1_SFR
S8600XXKK7_S8600OXFKK7_MTL
S8600JPKL1_S8600OJPKK3_PAK
S8600JPLD1_S8600OJPLB1_MWD
S8600XXLC3_S8600PRTLC4_PRT
S8600XXLA1_S8600OXBLA1_NEE
S8600JPLA1_S8600OJPKK3_MID
S8600JPKL1_S8600OJPKK3_JED
S8600JPKL1_S8600OJPKK3_KSA
S8600FRLE1_S8600LPMLE1_LPM
S8600XXLD1_S8600OXELD1_KCL
S8600XXLD1_S8600ITVLD2_ITV
S8600BVLD2_S8600FTMLD2_FTM
S8600JPKL1_S8600OJPKK3_BTC
S8600JPKL1_S8600OJPKK3_EGY
S8600JVKK4_S8600OJVKK2_AFR
S8600XWLD2_S8600OXGLD1_ATO
S8600JPKL1_S8600OJPKK3_ABS
S8600NAKL1_S8600EPLKL1_EPL
S8600XXLC3_S8600OXFLD1_COA
S8600XWLD2_S8600OXGLD1_BSE
Maybe luck and ELF files in 1 package...
Best Regards
ELF can be only Operator firmwares (If it has).Because mostly it is been on operator firmwares
If I have enough space on HDD,I'll check all
how to flash?
hi, i dont get it how to flash android onto wave 1. And i cant find a download link Can anyone help me? I downloaded Odin but I cant do anything with it. Can anyone write a short tutorial for that? Sorry, i gave up already to find it out myself.
Thanks,
hacker
Wave 525
Can you create fotabootloader for wave 525 ? is it possible?
By_KeReMM said:
Can you create fotabootloader for wave 525 ? is it possible?
Click to expand...
Click to collapse
Most likely no.
Rebellos said:
Most likely no.
Click to expand...
Click to collapse
ok.
wave 575 bada 2.0 port wave 525? most likely yes. because same drivers. my friends wave 723 bada 2 firmware ported wave525 but phone always restart. all low wave phones same boot files. i tested it. is you port bada 2 files for wave 525? i test it.
Sorry ,bad my english
Theory! If we change in 575's bootfiles phone model to 525 then you'll chance
But You'll brick your handset
hero355 said:
Theory! If we change in 575's bootfiles phone model to 525 then you'll chance
But You'll brick your handset
Click to expand...
Click to collapse
No Theory. Real! i tested all boot files for low waves in my phone. Worked! but wave 533 boot files bricked my handset
it is Possible! Coming Soon! Next Summer! i will work this subject.
@ By_KeReMM
Check this out:
http://forum.xda-developers.com/showthread.php?t=1325713
Maybe search Internet for existing ELF files for Broadcom...
BCM21331.elf & CORBY_WEBKIT.elf
Click to expand...
Click to collapse
Maybe this help...
Best Regards
adfree said:
@ By_KeReMM
Check this out:
http://forum.xda-developers.com/showthread.php?t=1325713
Maybe search Internet for existing ELF files for Broadcom...
Maybe this help...
Best Regards
Click to expand...
Click to collapse
i dont understand but i checked this.
is 7230 and 7230E same phones? 2 links not work "No Torrents Found".
if port boot files and apps_c... , i Ported all fw files. i'll test it. all files work! but apps_c... not extract
Sorry , Bad English.
10 years later...
After reading little bit... and after Editing 2 files...
I was able to compile demo sources... :good:
http://forum.xda-developers.com/showpost.php?p=34856402&postcount=4
make.cmd and Makefile
Edited to correct path to my installed bada SDK.
So it is easy...
1 click compiling... after start make.cmd.
Now I play little bit...
Thank you mijoma.
Best Regards
---------- Post added at 02:11 AM ---------- Previous post was at 01:46 AM ----------
Lesson 1.1
Inspired by Tigrouzen nandbootsd.fota ASCII Pic... :good:
Thanx.
Open with Text Editor
FOTA.c
Code:
[B]disp_FOTA_Printf[/B]("| Author: mijoma |");
Now you can try text or ASCII Pics...
Later I will write how many lines max. possible...
Best Regards
---------- Post added at 02:36 AM ---------- Previous post was at 02:11 AM ----------
Code:
#include <string.h>
#include <stdarg.h>
#include "BL3.h"
int main(void)
{
//here we start the real deal :)
int mmuctrl = MemMMUCacheEnable(gMMUL1PageTable, 1);
disp_FOTA_[B]Init[/B]();
disp_FOTA_Printf("*----------------------------*");
disp_FOTA_Printf("| FOTA TESTLOADER |");
disp_FOTA_Printf("*----------------------------*");
disp_FOTA_Printf("| Author: mijoma |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("| |");
disp_FOTA_Printf("*----------------------------*");
disp_FOTA_Printf("");
//.... Your code here...
//loop infinitevely
while(1);
return 0;
}
Here you can see maximal visible lines for output of text...
I can count 24 lines... tested on S8500.
Best Regards
P.S.:
IMPORTANT!!!
Remember if you play with BOOT or FOTA or whatever on your handset...
ALL at YOUR own risk!
Edit 1.
It seems each line can have 30 Characters...
So 30 x 24 = 720
@adfree:
So... does it work? I'm not sure if we ever tested it. ;D
So... does it work? I'm not sure if we ever tested it.
Click to expand...
Click to collapse
Yes, I can see text Output on my S8500 (XXLA1). :good:
Later I will try if S8530 also would work...
No idea... is M210S confirmed meanwhile ? Not sure if S8530 FOTA would work in M210S Firmware...
I could later try with S8500... and M210S Firmware...
Best Regards
adfree said:
Yes, I can see text Output on my S8500 (XXLA1). :good:
Later I will try if S8530 also would work...
No idea... is M210S confirmed meanwhile ? Not sure if S8530 FOTA would work in M210S Firmware...
I could later try with S8500... and M210S Firmware...
Best Regards
Click to expand...
Click to collapse
Truely its mine "ascii" in fota and we made it (With T) in .asm and Fasm compiler but i cant get working this.I tested this no output no boot but it can boot only bada . Mine bootloader is kk5
Thought I should share a little tool I wrote.
Abstract:
Changes Windows CE's backlight level on the fly, no warm boot required. It's a command line utility without an UI.
Requirements:
CE device with ARM processor.
Usage:
CeSetBacklightLevel.exe <intensity>
Example: CeSetBackLightLevel 100
MortScript example: Run("CeSetBackLightLevel.exe",100)
Download:
Source code and executable are attached to this post.
HTH
nice, could this with a mort script be used to set back-light according to the hour of the day ?
undergroundcugir said:
nice, could this with a mort script be used to set back-light according to the hour of the day ?
Click to expand...
Click to collapse
That exactly was the reason I made this tool.
jwoegerbauer said:
That exactly was the reason I made this tool.
Click to expand...
Click to collapse
can you help me make a loop in mortscript to check the time of the device and compare it to a look-up table that has the intensity of the screen for some periods of time ?
undergroundcugir said:
can you help me make a loop in mortscript to check the time of the device and compare it to a look-up table that has the intensity of the screen for some periods of time ?
Click to expand...
Click to collapse
In Windows CE we can't use Mortscript's RunAt command.
Perhaps somewhat like this:
Code:
If (FileExists("\Windows\CeSetBacklightLevel.exe"))
If(RegKeyExists("HKCU","ControlPanel\Backlight\Brightness")||RegKeyExists("HKCU","ControlPanel\Backlight\Backlightlevel"))
PollInterval = 1000 * 60 * 10 // 10 minutes
StartTime = 630 // 6:30AM
EndTime = 2130 // 9:30PM
WantedBacklightLevel = 100 // Hex: 64
While(1)
CurrentHour = 0
CurrentMinute = 0
CurrentSecond = 0
CurrentDay = 0
CurrentMonth = 0
CurrentYear = 0
GetTime ( CurrentHour, CurrentMinute, CurrentSecond, CurrentDay, CurrentMonth, CurrentYear )
TheTime = CurrentHour * 100 + CurrentMinute
If ((TheTime >= StartTime) && (TheTime <= EndTime))
CurrentBacklightLevel = -1
If( RegKeyExists("HKCU","ControlPanel\Backlight\Brightness"))
CurrentBacklightLevel = 0 + RegRead("HKCU","ControlPanel\Backlight\Brightness)
ElseIf( RegKeyExists("HKCU","ControlPanel\Backlight\Backlightlevel"))
CurrentBacklightLevel = 0 + RegRead("HKCU","ControlPanel\Backlight\Backlightlevel")
EndIf
If(CurrentBacklightLevel >= 0)
If (CurrentBacklightLevel <> WantedBacklightLevel)
Run ("\Windows\CeSetBacklightLevel.exe", WantedBacklightLevel)
EndIf
Else
// error occurred
Exit
EndIf
EndIf
Sleep(PollInterval)
EndWhile
EndIf
EndIf
I haven't had the oportunity to test it on my 2din. Has anyone tested the code ?
Sent from my V1_Viper using xda app-developers app
Hi there,
should this tool work on Becker TA 7827?
Hi, could someone tell me how to compile the C code jwoegerbauer published?. I have Visual Studio 2008 Pro, but do not know how to get an WinCE .exe.
I want to make some changes, because this utility does not work for me. My unit is a GPS Car, WinCE 6.0 NWD_308 Nowada Board, and I have problems with brightness. This:
http://www.seicane.com/bmw-5-series-e60-gps-navigation-with-radio-bluetooth-ipod-srd-8808
Thank you.
Nice, hope will get an .exe
@jwoegerbauer did you implement the loop in miopocket lite ?
Sent from my V1_Viper using XDA Free mobile app
akatarmo said:
Hi, could someone tell me how to compile the C code jwoegerbauer published?. I have Visual Studio 2008 Pro, but do not know how to get an WinCE .exe.
I want to make some changes, because this utility does not work for me. My unit is a GPS Car, WinCE 6.0 NWD_308 Nowada Board, and I have problems with brightness. This:
http://www.seicane.com/bmw-5-series-e60-gps-navigation-with-radio-bluetooth-ipod-srd-8808
Thank you.
Click to expand...
Click to collapse
As compiler I use Pelles C - it's freeware. Supports compiling native C-code for ARM devices.
undergroundcugir said:
Nice, hope will get an .exe
@jwoegerbauer did you implement the loop in miopocket lite ?
Sent from my V1_Viper using XDA Free mobile app
Click to expand...
Click to collapse
1.
You know that you can't compile a MortScript script into an executable? If you really need an executable, then you have to re-write the code sample shown earlier in 'C' or any other suitable programming language a compiler exists for.
2.
Don't use Miopocket Lite, hence not tested so far. BTW: Some time ago I've written MioPocket 4.0 Mini FV and published here:
https://code.google.com/p/miopocket-mini-40-fv/
Hi, jwoegerbauer.
Thanks for the info. I now have installed Pelles C and I can compile simple things. Abusing your kindness, could you tell me what program lines I need to write to generate a beep? I think MessageBeep, but the compiler takes Error
I am a newbie and I want to check your code to see why it does not work exactly in my unit.
Thanks again !!!
--
Antonio
There are a number of functions from the Standard C Runtime libraries missing under Windows CE.
But, MessageBeep API function should be present.
http://msdn.microsoft.com/en-us/library/aa930642.aspx
Thanks again, jwoegerbauer. With your help I made my first program in C (for Windows CE). Instead of the classic "Hello World", I made a Beep. This can be useful to use as debug semaphore. This is the code, for compile with Pelles C in WinCE Pocket PC Mode:
#include <windows.h>
int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpszCmdLine, int nCmdShow)
{
MessageBeep(MB_OK);
return 0;
}
I used the MessageBeep in your code.
HANDLE hBL=CreateEvent(NULL,FALSE,FALSE,L"BackLightChangeEvent");
if(hBL)
{
MessageBeep(MB_OK);
SetEvent(hBL);
CloseHandle(hBL);
retVal=1;
}
And really, the program executes the SetEvent (HBL). But does not work on my GPS car WinCE 6 .
---------- Post added at 09:00 PM ---------- Previous post was at 08:47 PM ----------
A question, jwoegerbauer.
I tried downloading your MioPocket Mini 4.0 FV from here: https://miopocketmini40fv.codeplex.com/releases
But the project is empty. Can you tell me where to I can download it (or send me by email), I have interest in trying it.
Thanks.
akatarmo said:
---------- Post added at 09:00 PM ---------- Previous post was at 08:47 PM ----------
A question, jwoegerbauer.
I tried downloading your MioPocket Mini 4.0 FV from here: https://miopocketmini40fv.codeplex.com/releases
But the project is empty. Can you tell me where to I can download it (or send me by email), I have interest in trying it.
Thanks.
Click to expand...
Click to collapse
Correct link: https://miopocketmini40fv.codeplex.com/releases/view/110660
Sorry for your inconvenience.
------------------------------
Please do NOT use current thread to discuss MioPocket Mini 4.0 FV. If necessary, use this thread instead of:
http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=132727
Thanks.
I'm looking for a similar program, but for the MIPS processor, discussed this?
To be continued
Sounds promising =D
Sorry I am unable to find working stock kernel source code, one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fail to compile at start, so I can not continue, no want to waste my time fixing it since I need excatly the same kernel source which will produce excatly the same binary - stock kernel, probably that will not be happen since sony public source is broken so I can not produce the same binary + later: new modules needed for kexec, sorry guys I stopping now. Our soc going to iritate me a lot
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
nickholtus said:
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
Click to expand...
Click to collapse
Did you tried latest Sony archive? I dont know why but when I "make defconfig" and than do "make" compilation asking me for a lot of defconfig related things - chooses, seems archive from Sony is corupted? Tried riogrande**defconfig, tried allso defconfig which I using, no one working. There asking me for x86 things which is ...no logic
If some one have locked bootloader and have "unlock allowed - no", please give me TA backup! To get TA backup simple install http://www.flashtool.net/download.php and do:
1. install it
2. run it
3. click file menu -> switch to pro
4. click to adwance menu -> trim area -> s1 -> backup
5. post your dump here
Thanks!
You can find many TA backups here.
Gesendet von meinem Xperia S mit Tapatalk
djolivier said:
You can find many TA backups here.
Gesendet von meinem Xperia S mit Tapatalk
Click to expand...
Click to collapse
Missin inposible with ta http://forum.xda-developers.com/showpost.php?p=49958520&postcount=687 only maybe kexec can do a job
Maybe hashcode could help for kexec on locked bootloader. He seems to make it work on several locked device(motorola,latest samsung).
munjeni said:
Sorry I am unable to find working stock kernel source code, one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fail to compile at start, so I can not continue, no want to waste my time fixing it since I need excatly the same kernel source which will produce excatly the same binary - stock kernel, probably that will not be happen since sony public source is broken so I can not produce the same binary + later: new modules needed for kexec, sorry guys I stopping now. Our soc going to iritate me a lot
Click to expand...
Click to collapse
Sir, I can confirm that its compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in Makefile for now. Which toolchain are you using?
Cheers,
AJ
@munjeni as of now,Xperia U tree and P tree are using ARM-EABI-4.4.3
You can git clone it from here --> www.github.com/Abhinav1997/arm-eabi-4.4-3 and push it over to prebuilts/gcc/linux-x86/arm
So,if you still get errors,modify the toolchain line to : "arm-eabi-4.4.3/bin/arm-eabi-"
Hope it helps
Abhinav2 said:
Sir, I can confirm that its compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in Makefile for now. Which toolchain are you using?
Cheers,
AJ
Click to expand...
Click to collapse
Sorry my wrong :laugh: I executed by this way:
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make
instead of
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
Ok will continue.
Here is git https://github.com/munjeni/stock_jb_kexec_kernel_for_locked_bootloader/commits/master
lsmod
kexec_load 28179 0 - Live 0x00000000
procfs_rw 2435 0 - Live 0x00000000
Click to expand...
Click to collapse
status
[email protected]:/data/local/tmp # grep kexec_driver /dev/devices
grep kexec_driver /dev/devices
grep: /dev/devices: No such file or directory
2|[email protected]:/data/local/tmp # kexec --load zImage --initrd=initrd.gz --mem-m
in=0x3000000 --command-line="$(cat /proc/cmdline)"
initrd=initrd.gz --mem-min=0x3000000 --command-line="$(cat /proc/cmdline)" <
kernel: 0x401c7008 kernel_size: 35f1f8
kexec_load: entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
kexec_load failed: Function not implemented
entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
255|[email protected]:/data/local/tmp # cat /dev/kexec_driver
Click to expand...
Click to collapse
Progress:
[72371.535949] Kexec: KDS_entry : '3008000'
[72371.535980] Kexec: KDS_nr_segments : '3'
[72371.535980] Kexec: KDS_segment : '1afe8a8'
[72371.535980] Kexec: KDS_kexec_flags : '280004'
[72371.536010] Kexec: - Starting kexec_load...
[72371.599609] Kexec: - ---- kexec_load - result : '0'
[72392.445739] Kexec:-----------------------------------------------------
[72392.445800] Kexec: REBOOT DEVICE !!!
[72392.445953] Starting new kernel
[72392.446044] Bye!
Click to expand...
Click to collapse
Remaining thing is - need to reserve memory for storing hardboot atags, hope I can store them in the same memory like used on my kernel, if not than will investigate something
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with unsalted SHA-256 hash
wan5xp said:
Maybe hashcode could help for kexec on locked bootloader. He seems to make it work on several locked device(motorola,latest samsung).
Click to expand...
Click to collapse
Who? Where?
mirhl said:
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with unsalted SHA-256 hash
Click to expand...
Click to collapse
Probably some one found something and posted them, but post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
munjeni said:
Probably some one found something and posted them, but post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
Click to expand...
Click to collapse
your link was bad
but what posts should have been deleted? Can't see anything wrong
mirhl said:
your link was bad
but what posts should have been deleted? Can't see anything wrong
Click to expand...
Click to collapse
These is copy paste link, so I can not open broken link, tried to append 1196932 to the http://forum.xda-developers.com/newreply.php?do=newreply&p= but thats not link which pointing to the post related to the "arcievied unlock thing"... some one say that there is thread where some guys found unlock procedure for "unlock allowed = no", so I can not see these thread
Hi guys,
today I would like to present to you a simple project that was born on this thread to accomplish a very simple task: since there are thousand of Custom ROMs around here, so much of them are LineageOS based, and because of this their forced to build every time all the ROM and post updates here. Users are also forced to check if their preferred ROM was updated or not. That's why I decided to understand how LineageOS OTA Updater System App works. Because of this I've wrote a simple REST Server API emulation that fully works with your ROM (if integrated of course). How? Continue reading down here.
How does it work?
Of course is as simple as it should be. Clone the repo (is a simple PHP website that you can host on any shared hosting*/VPS that you like) and upload it into your preferred hosting. That's it. If you point your web browser to that address the App is already working.
After, you have to upload all your build to the _builds/ folder, and you're done.
The two already working calls /api and /api/v1/build/get_delta should answer correctly the updater app to make it work (remember that visiting it as a browser is not sufficent).
How to integrate it with my ROM?
You have two options:
- Declare cm.updater.uri on your own build.prop file with the value of you own server URL where you have deployed it (This can be done also by the user with any Android App from the Market)
- Replace the string conf_update_server_url_def value inside values.xml of the OTA App source code (COMPILE TIME ONLY!)
Which builds does it support?
Anything that will be borned by the official guide on how to build your custom LineageOS ROM! So, in poor words will be: stable, rcs, nightly and snapshots (likely called EXPERIMENTAL), from CM7 to CM14.
Delta updates SHOULD work too. Just try it and tell me if they works
How can I debug it?
You can use this simple UnitTest that I've already pushed into my GitHub. Feel free to use it everytime you need. It's based upon NodeJS and Unirest.
Is it free?
"Free software is a matter of liberty, not price. To understand the concept, you should think of free as in free speech, not as in free beer."
—Richard Stallman
Click to expand...
Click to collapse
Use it as you want, do anything you want with it as it's MIT licensed.
Is it free of bugs?
That's why I'm here Only you can help me to squash all the remaining bugs!
I hope this will be useful to anyone of you, helping the ROM community providing a simple OTA updater that already works on LineageOS official ROMs.
Greets.
---
Project Home: https://github.com/julianxhokaxhiu/LineageOTA
More about the study: http://blog.julianxhokaxhiu.com/how-the-cm-ota-server-works-and-how-to-implement-and-use-ours
Changelog Build Scripts ( thanks to @Deltadroid ): https://github.com/syphyr/cm_build_scripts/blob/master/make_changelog
* On a Shared Hosting you can ONLY provide a FULL ROM download, NOT DELTAs!
---
Donators:
- @BlueFlame4 x2
Hey, I'm having trouble using your docker image behind a Nginx https reverse proxy. The server is correctly answering the requests:
Code:
{
"id":null,
"response":[
{
"incremental":"",
"api_level":"",
"url":"http:\/\/MYDOMAIN\/\/builds\/full\/lineage-17.1-20200830-UNOFFICIAL-lavender.zip",
"timestamp":1598774045,
"md5sum":"718fb89f935b979edd57b2642234d1fa",
"changes":"",
"channel":"unofficial",
"filename":"lineage-17.1-20200830-UNOFFICIAL-lavender.zip",
"romtype":"unofficial",
"datetime":1598774045,
"version":"17.1",
"id":"50533a894b2ab0d9b2711444ca4f2b530a8ff2389723ea2bd7ada6e029599e2c",
"size":914450521
}
],
"error":null
}
But the returned `url` is http-only and the updater can't download it (throws error). WhenI try to curl it without `-L` I only get `301 Moved Permanently`. Only when I append `-L` I get the correct binary response over https. I'm pretty sure this is a redirecting issue.
Here's my Nginx config:
Code:
server{
server_name MYDOMAIN;
server_tokens off;
listen 80;
listen [::]:80 ipv6only=on;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
server {
server_name MYDOMAIN;
server_tokens off;
listen 443 ssl http2;
listen [::]:443 ssl http2 ipv6only=on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:24087;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-Xss-Protection "1; mode=block";
[...]
Any idea what I'm doing wrong?
Basically I want to know how to force the `url` response in the JSON to be `https` instead of `http`. (At least that's what I think is the reason for the updater not being able to download the image.)
Code:
08-30 16:00:19.407 7025 7025 D UpdaterController: Starting 50533a894b2ab0d9b2711444ca4f2b530a8ff2389723ea2bd7ada6e029599e2c
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: Error downloading file
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: java.io.IOException: Cleartext HTTP traffic to MYDOMAIN not permitted
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: at com.android.okhttp.HttpHandler$CleartextURLFilter.checkURLPermitted(HttpHandler.java:124)
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:462)
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:131)
08-30 16:00:19.409 7025 7921 E HttpURLConnectionClient: at org.lineageos.updater.download.HttpURLConnectionClient$DownloadThread.run(HttpURLConnectionClient.java:250)
08-30 16:00:19.409 7025 7921 E UpdaterController: Download failed
EDIT: Solved!
Code:
location / {
proxy_pass http://127.0.0.1:24087;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
#proxy_set_header Host $host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-NginX-Proxy true;
}
Not sure if this project is still supported, but with build.prop change, it just checks for updates forever on phone. When I try debugging with the UnitTest script, I get "Not Found The requested URL /CyanogenModOTA/api was not found on this server." (definitely server-related) I've gotten this working before on another VPS, so I'm wondering why it's not on my build server.
Are there any specific packages I need to install to get this working?
Here is my php config: http://hongbuild.ddns.net:81/test.php
klvnhng said:
Not sure if this project is still supported, but with build.prop change, it just checks for updates forever on phone. When I try debugging with the UnitTest script, I get "Not Found The requested URL /CyanogenModOTA/api was not found on this server." (definitely server-related) I've gotten this working before on another VPS, so I'm wondering why it's not on my build server.
Are there any specific packages I need to install to get this working?
Here is my php config: http://hongbuild.ddns.net:81/test.php
Click to expand...
Click to collapse
Since build.prop is in the system.new.dat file in lollipop builds, I just started copying it over from my build server and modified the Build.php file to look for the file instead of inside the zip. I just got this working on my web server. Only issue I'm having is related to change logs but I'm going to try and figure that one out later.
Here are the changes I did to get this working with CyanogenMod 12 (all changes will be assumed from the CyanogenModOTA directory):
- mkdir -p builds/buildprop <-- this is where you copy your build.prop from each build (they go in a folder with the same name as the build zip e.x. cm-12-20150103-NIGHTLY)
- mkdir -p builds/changelog <-- this will have your change logs (name them the same as the build zip except with a .txt extension)
- update setConfig( 'basePath', 'CyanogenModOTA' ) to setConfig( 'basePath', 'http://wfhome.net/CyanogenModOTA' ) in index.php (that is my server)
- change the Build constructor function to this (I updated the preg_match_all line, added the buildPropFolder variable, updated the $this->buildProp line, and changed the changeLogUrl line):
Code:
private $buildPropFolder = '';
public function __construct($fileName, $physicalPath) {
/*
$tokens Schema:
array(
1 => [CM VERSION] (ex. 10.1.x, 10.2, 11, etc.)
2 => [DATE OF BUILD] (ex. 20140130)
3 => [CHANNEL OF THE BUILD] (ex. RC, RC2, NIGHTLY, etc.)
4 => [MODEL] (ex. i9100, i9300, etc.)
)
*/
preg_match_all( '/cm-([0-9\.]+-)(\d+-)?([a-zA-Z0-9]+-)?([a-zA-Z0-9]+).zip/', $fileName, $tokens );
$tokens = $this->removeTrailingDashes( $tokens );
$this->filePath = $physicalPath . '/' . $fileName;
$this->buildPropFolder = str_replace('/full', '/buildprop', $physicalPath) . '/' . preg_replace('/\\.[^.\\s]{3,4}$/', '', $fileName);
$this->buildProp = explode( "\n", file_get_contents($this->buildPropFolder . '/build.prop') );
$this->channel = $this->_getChannel( str_replace( range( 0 , 9 ), '', $tokens[3] ) );
$this->filename = $fileName;
$this->url = $this->_getUrl( '', Flight::cfg()->get('buildsPath') );
$this->changelogUrl = str_replace('/full', '/changelog', $this->_getChangelogUrl());
$this->timestamp = filemtime( $this->filePath );
$this->incremental = $this->getBuildPropValue( 'ro.build.version.incremental' );
$this->apiLevel = $this->getBuildPropValue( 'ro.build.version.sdk' );
$this->model = $this->getBuildPropValue( 'ro.cm.device' );
}
Also he has memcached setup in there, so you might make sure you have memcache installed and set to run on startup on your server. You also need xdelta3 to create delta builds although, I don't think it is working ( I compiled the latest version of xdelta3 and it doesn't appear to do anything as there are not any files being created in the delta folder).
Hope that helps.
Thanks for the help (I'll definitely need it when I actually want to start USING the server), but it seems you've misunderstood me. Right now, I can't even get the rest server running properly-that's why I'm getting a 404 error.
Notice you get an output when you go to http://wfhome.net/CyanogenModOTA/api, I don't get anything!
klvnhng said:
Thanks for the help (I'll definitely need it when I actually want to start USING the server), but it seems you've misunderstood me. Right now, I can't even get the rest server running properly-that's why I'm getting a 404 error.
Notice you get an output when you go to http://wfhome.net/CyanogenModOTA/api, I don't get anything!
Click to expand...
Click to collapse
Ah sorry. First thing I see is that you need mod_rewrite installed in apache.
Code:
sudo a2enmod rewrite
sudo service apache2 restart
Need help with development
First I would like to thank you for using this product and playing with it (which involves patching, testing, etc.).
Since the first post I've made here in XDA the project evolved a little since I rewrote entirely the project to make it composer friendly. Rather than that, the Delta build process is actually non working (I tried to create a ZIP but I don't have enough knowledge in ROM development to tell if it's enough or not) so it's just a WIP layer that should be addressed and fixed (I've already found a Python project which does this already but I'm of the idea that this should be somehow not be a bloated software that needs to install binaries here and there to make it working).
So, actually I'm not really working in this project but It's in my TODO list, meanwhile I'll be very happy to have pull requests with useful patches to make this KK, LL and more compatible So feel free to contribute and thanks again for using it!
JulianXhokaxhiu said:
First I would like to thank you for using this product and playing with it (which involves patching, testing, etc.).
Since the first post I've made here in XDA the project evolved a little since I rewrote entirely the project to make it composer friendly. Rather than that, the Delta build process is actually non working (I tried to create a ZIP but I don't have enough knowledge in ROM development to tell if it's enough or not) so it's just a WIP layer that should be addressed and fixed (I've already found a Python project which does this already but I'm of the idea that this should be somehow not be a bloated software that needs to install binaries here and there to make it working).
So, actually I'm not really working in this project but It's in my TODO list, meanwhile I'll be very happy to have pull requests with useful patches to make this KK, LL and more compatible So feel free to contribute and thanks again for using it!
Click to expand...
Click to collapse
Thank YOU for making it! Really appreciate the time and effort you've put into this project.
rjwil1086 said:
Ah sorry. First thing I see is that you need mod_rewrite installed in apache.
Code:
sudo a2enmod rewrite
sudo service apache2 restart
Click to expand...
Click to collapse
That did it, thanks :good:
I've also implemented your changes, but when I check for updates on my phone, I still get "No new updates found". I've copied my new build over to builds/full, and the build.prop to builds/buildprop/cm*
rjwil1086 thank you very much for your help and suggestions, I made my own server http://paksman.ddns.net/cyanogenmodota, edited build.prop for cm updater to look for server url, made all the changes as you but I always get "No new updates found". Not sure if there is a problem with my server or with this project in general. Have you made any success to make this work?
I have it working. I'll upload mine to github tonight
Think I solved my own problem. My builds were all tagged as 'UNOFFICIAL'. When I changed this to 'NIGHTLY' (for the build and build.prop folder respectively ) they finally started to be recognised by cm updater app. JulianXhokaxhiu and rjwil1086, thank you so much for your effort,your work is being much appreciated.
Packsman said:
Think I solved my own problem. My builds were all tagged as 'UNOFFICIAL'. When I changed this to 'NIGHTLY' (for the build and build.prop folder respectively ) they finally started to be recognised by cm updater app. JulianXhokaxhiu and rjwil1086, thank you so much for your effort,your work is being much appreciated.
Click to expand...
Click to collapse
Yup. Sorry. I knew that but forgot to mention it. That's an issue with the CMUpdater app more than it is with the REST implementation. It doesn't look for unofficial files
Packsman said:
Think I solved my own problem. My builds were all tagged as 'UNOFFICIAL'. When I changed this to 'NIGHTLY' (for the build and build.prop folder respectively ) they finally started to be recognised by cm updater app. JulianXhokaxhiu and rjwil1086, thank you so much for your effort,your work is being much appreciated.
Click to expand...
Click to collapse
Awesome! This fixed it for me as well. Thanks to everyone for the help
[CyanogenMod][OTA][PHP] Open Source REST Server for you
Hi, I have been tested server code with a free host (000webhost) then accessed the web, I received messages:
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/a5885282/public_html/index.php on line 27
Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/a5885282/public_html/index.php on line 27
The line 27 of index.php is "use \JX\CmOta\CmOta;". But I don't know about PHP. Please help me solve this issue.
@rjwil1086 , @klvnhng , @Packsman please help me to solve following error:
$ node index.js
<h1>500 Internal Server Error</h1><h3>Undefined offset: 0 (8)</h3><pre>#0 /var/www/CyanogenModOTA/src/Helpers/Build.php(214): flight\Engine->handleError(8, 'Undefined offse...', '/var/www/Cyanog...', 214, Array)
#1 /var/www/CyanogenModOTA/src/Helpers/Build.php(63): JX\CmOta\Helpers\Build->removeTrailingDashes(Array)
#2 /var/www/CyanogenModOTA/src/Helpers/Builds.php(115): JX\CmOta\Helpers\Build->__construct('cm-11-20140103-...', '/var/www/Cyanog...')
#3 /var/www/CyanogenModOTA/src/Helpers/Builds.php(49): JX\CmOta\Helpers\Builds->getBuilds()
#4 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Loader.php(123): JX\CmOta\Helpers\Builds->__construct()
#5 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Loader.php(80): flight\core\Loader->newInstance('\JX\CmOta\Helpe...', Array)
#6 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/Engine.php(69): flight\core\Loader->load('builds', true)
#7 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(191): flight\Engine->__call('builds', Array)
#8 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(191): flight\Engine->builds()
#9 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/Flight.php(43): flight\core\Dispatcher::invokeMethod(Array, Array)
#10 /var/www/CyanogenModOTA/src/CmOta.php(97): Flight::__callStatic('builds', Array)
#11 /var/www/CyanogenModOTA/src/CmOta.php(97): Flight::builds()
#12 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(160): JX\CmOta\{closure}()
#13 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(143): flight\core\Dispatcher::callFunction(Object(Closure), Array)
#14 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/Engine.php(310): flight\core\Dispatcher::execute(Object(Closure), Array)
#15 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(191): flight\Engine->_start()
#16 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(142): flight\core\Dispatcher::invokeMethod(Array, Array)
#17 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(48): flight\core\Dispatcher::execute(Array, Array)
#18 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/Engine.php(64): flight\core\Dispatcher->run('start', Array)
#19 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(191): flight\Engine->__call('start', Array)
#20 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/core/Dispatcher.php(191): flight\Engine->start()
#21 /var/www/CyanogenModOTA/vendor/mikecao/flight/flight/Flight.php(43): flight\core\Dispatcher::invokeMethod(Array, Array)
#22 /var/www/CyanogenModOTA/src/CmOta.php(80): Flight::__callStatic('start', Array)
#23 /var/www/CyanogenModOTA/src/CmOta.php(80): Flight::start()
#24 /var/www/CyanogenModOTA/index.php(35): JX\CmOta\CmOta->run()
#25 {main}</pre>
Thank you so much.
Thanks all, I fixed.
[CyanogenMod][OTA][PHP] Open Source REST Server for you
I have just creat susscess a server. Thanks.
But, now I want creat a update OTA app for other AOSP ( andoird L) and using that server which I have just creat.
Can I using CMupdater for it? Can you give me some suggest?
Hi, need help to understand!
First of all, i want to say Thank You! For this great job!
I installed server, activated mod rewrite in apache2, apt-get install memcached, made chown for all files to www-data in CyanogenModOTA directory
created directories builds/buildprop, builds/changelog
created file romname.txt in changelog
copied file rom archive to build/full directory
and when i open in browser my ota site: http ota.mydomain.com i see the dir listing as described above
when i try to open url http ota.mydomain.com/api - i see the 404 error.
what exactly i have to do as the next step?
is any json file missed in web root directory (in same place as index.php) ?
and I leave index.php almost unchanged (as in the repository) - just changed string: ->setConfig( 'basePath', '/' )
Thank You once again!
vvzar said:
First of all, i want to say Thank You! For this great job!
I installed server, activated mod rewrite in apache2, apt-get install memcached, made chown for all files to www-data in CyanogenModOTA directory
created directories builds/buildprop, builds/changelog
created file romname.txt in changelog
copied file rom archive to build/full directory
and when i open in browser my ota site: http ota.mydomain.com i see the dir listing as described above
when i try to open url http ota.mydomain.com/api - i see the 404 error.
what exactly i have to do as the next step?
is any json file missed in web root directory (in same place as index.php) ?
and I leave index.php almost unchanged (as in the repository) - just changed string: ->setConfig( 'basePath', '/' )
Thank You once again!
Click to expand...
Click to collapse
Are you sure that modrewrite is working? Can you share a working URL?
lingak said:
I have just creat susscess a server. Thanks.
But, now I want creat a update OTA app for other AOSP ( andoird L) and using that server which I have just creat.
Can I using CMupdater for it? Can you give me some suggest?
Click to expand...
Click to collapse
Honestly I don't know, we have to check if OTA app is the same in Lollipop and works of course the same. If so, we're already safe and yes it can work out of the box. If not, we have to fix it. If you already have a working example, feel free to do a pull request
JulianXhokaxhiu said:
Are you sure that modrewrite is working? Can you share a working URL?
[email protected]:/home/user# a2enmod rewrite
Module rewrite already enabled
[email protected]:/home/user#
.htaccess:
[email protected]:/home/user# cat /var/www/html/CyanogenModOTA/.htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
[email protected]:/home/user#
Is any other rules i have to check?
What about statement <Directory /var/www/html/CyanogenModOTA> ?
Is enouph AllowOverride All and Allow from all ?
test url : http ota.smylink.org
Click to expand...
Click to collapse
vvzar said:
JulianXhokaxhiu said:
Are you sure that modrewrite is working? Can you share a working URL?
[email protected]:/home/user# a2enmod rewrite
Module rewrite already enabled
[email protected]:/home/user#
.htaccess:
[email protected]:/home/user# cat /var/www/html/CyanogenModOTA/.htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
[email protected]:/home/user#
Is any other rules i have to check?
What about statement <Directory /var/www/html/CyanogenModOTA> ?
Is enouph AllowOverride All and Allow from all ?
test url : http ota.smylink.org
Click to expand...
Click to collapse
Technically it should be enough but the order of where you placed it is important too.
Anyway, going to your URL is just making me think that the PHP code is running well (the redirect to builds folder is triggered by CMOTA Rest Code). You're just missing the htaccess rules.
I'm quite sure you just have to figure out your own server setup to understand if mod_rewrite is properly working (allowing htaccess files to be read and parsed).
Click to expand...
Click to collapse
Recently I have reverse engineered aboot (emmc_appsboot.mbn) from ROM riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn ( en.miui.com/thread-1026306-1-1.html )(because this is my first post and I don't have permission to post outside link, you have to add http in those url), and discovered a way to bypass bootloader lock by using several bugs in Xiaomi customized aboot.
Xiaomi's aboot is based on Qualcomm's little kernel which is open sourced and can be download at source.codeaurora.org/quic/le/kernel/lk/ , so I will use function name inside those source file in discussion below even though some of those function have been modified by Xiaomi.
Relevant function to verify and boot linux is boot_linux_from_mmc, so I'll start from here:
boot_linux_from_mmc: call boot_verifier_init()
boot_verifier_init: set device state to GREEN boot_linux_from_mmc: call verify_signed_bootimg()
verify_signed_bootimg: call boot_verify_image()
boot_verify_image: call read_der_message_length() to get length of signature
boot_verify_image: if length of signature is too large, then boot_verify_image will return false to indicate verification failure
boot_verify_image: otherwise call and return verification result of verify_image_with_sig(inlined)
verify_image_with_sig: set device state to RED if image is not signed by Xiaomi. verify_signed_bootimg: call splash_screen_mmc() to show "The system has been destroyed" if verification failed
verify_signed_bootimg: shoudown device if splash_screen_mmc() succeed, otherwise continue boot boot_linux_from_mmc: call send_rot_command()
send_rot_command: check device state, if it's YELLOW or RED, than boot will failed because it try to read embedded cert which is not initialized by Xiaomi
To successfully bypass bootloader lock we need:
1. make sure device state is GREEN so that send_rot_command won't failed, this can be achieved by making read_der_message_length return a large value to avoid calling verify_image_with_sig.
one way to do this is to append[NOTE1] image with a large length encoded in der (eg. 0x30, 0x83, 0x19, 0x89, 0x64)
2. make sure splash_screen_mmc() failed so that booting process can be continued.
this can be achieved by change the magic number in the header of splash partition from "SPLASH!!" to any other value (eg. "19890604")
Steps to bypass:
0 note that all those steps can be done offline, so no information will send to Xiaomi or anyone
0 in this tutorial I'll demonstrate how to use twrp recovery with locked bootloader
1 using test point to enter EDL mode(will void your warranty!!!)
2 unzip MiFlash, you should see QSaharaServer.exe and fh_loader.exe
3 create a sub folder called "tmp"
4 extract prog_emmc_firehose_8917_ddr.mbn & rawprogram0.xml & splash.img from riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn and put them into "tmp"
5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img then put the resulting file to "tmp" and rename it to "recovery.img"
6 change the first 8 byte in splash.img to "19890604"
7 create "hack_splash.xml" inside "tmp", then copy&paste relevant section from rawprogram0.xml to "hack_splash.xml", the resulting file should look like this:
Code:
<?xml version="1.0" ?>
<data>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash.img" label="splash" num_partition_sectors="40960" physical_partition_number="0" size_in_KB="20480.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
</data>
8 create "twrp.xml" inside "tmp", then copy&paste relevant recovery section from rawprogram0.xml to "twrp.xml", the resulting file should look like this:
Code:
<?xml version="1.0" ?>
<data>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
</data>
9 run "QSaharaServer.exe -p \\.\COM10 -s 13rog_emmc_firehose_8917_ddr.mbn -b tmp" to initialize firehose. (replace COM10 with the COM port of you phone, the same as below)
10 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=hack_splash.xml" to flash modified splash
11 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=twrp.xml" to flash twrp recovery
12 done
If you want flash custom ROM, you just need to append[NOTE1] boot.img
NOTE1: append should work in most case, but not always. the corrected place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculate from image header, it's defined as:
Code:
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned dt_size; /* device_tree in bytes */
unsigned unused; /* future expansion: should be 0 */
....
};
and then calculate:
Code:
if (hdr->page_size && (hdr->page_size != page_size)) {
page_size = hdr->page_size;
page_mask = page_size - 1;
}
kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);
dt_size = hdr->dt_size;
dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
imagesize_actual is the place to write
NOTE2: There may be a easier way to enter EDL considering there are so many bug(eg. uninitialized stack variable, buffer overrun, missing bound check) in Xiaomi's modification, but I haven't bothered to check since my goal is achieved.
NOTE3: I suspect other model from Xiaomi may have similar bugs that bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.
xaacnz said:
Xiaomi's aboot is based on Qualcomm's little kernel which is open sourced and can be download at source.codeaurora.org/kernel/lk/
Click to expand...
Click to collapse
Did you meant: source.codeaurora.org/quic/le/kernel/lk
abdihaikal said:
Did you meant: source.codeaurora.org/quic/le/kernel/lk
Click to expand...
Click to collapse
Yes, they must have removed the original url.
Code:
[email protected]:~/lk$ git remote show origin | head
* remote origin
Fetch URL: https://source.codeaurora.org/kernel/lk/
Push URL: https://source.codeaurora.org/kernel/lk/
HEAD branch (remote HEAD is ambiguous, may be one of the following):
aosp/master
github-kernel_lk/aosp/master
Remote branches:
APSS.FSM.3.0 tracked
APSS.FSM.3.0.r5.1.1 tracked
APSS.FSM.3.0.r6 tracked
Thank you for the method.
I tried ot and flashed TWRP only, but when I use it to flash custom ROMS, the device wont boot. It will show for a millisecond a picture of penguin and then goes off.
Any ideas??
Thanks
xaacnz said:
Recently I have reverse engineered aboot....
If you want flash custom ROM, you just need to append[NOTE1] boot.img
NOTE1: append should work in most case, but not always. the corrected place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculate from image header, it's defined as:.
Click to expand...
Click to collapse
You need to patch boot.img inside those ROMS by appending 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64
utumno00 said:
Thank you for the method.
I tried ot and flashed TWRP only, but when I use it to flash custom ROMS, the device wont boot. It will show for a millisecond a picture of penguin and then goes off.
Any ideas??
Thanks
Click to expand...
Click to collapse
I am amazed and I dont know how to tell that I thank you. Can you help me? I patch and i flash what?
xaacnz said:
You need to patch boot.img inside those ROMS by appending 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64
Click to expand...
Click to collapse
Let's say you want flash https://forum.xda-developers.com/android/development/rom-crdroid-v3-8-5-redmi-5a-t3752066
1 download crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
2 extract boot.img from crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
3 patch the extracted boot.img just like what you did with twrp-3.2.1-0-riva.img
4 put the patched boot.img back in crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
5 flash the modified crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
utumno00 said:
I am amazed and I dont know how to tell that I thank you. Can you help me? I patch and i flash what?
Click to expand...
Click to collapse
Success!!
I tried with Viper ROM though, as it was the one I had already downloaded.
Is the crDroid the one that you suggest?
Have you tried the Oreo one?
I want to thank you one more time for the help.
Greetings from Greece and Colombia.
xaacnz said:
Let's say you want flash https://forum.xda-developers.com/android/development/rom-crdroid-v3-8-5-redmi-5a-t3752066
1 download crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
2 extract boot.img from crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
3 patch the extracted boot.img just like what you did with twrp-3.2.1-0-riva.img
4 put the patched boot.img back in crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
5 flash the modified crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
Click to expand...
Click to collapse
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom build ROM based on LineageOS 15.1
utumno00 said:
Success!!
I tried with Viper ROM though, as it was the one I had already downloaded.
Is the crDroid the one that you suggest?
Have you tried the Oreo one?
I want to thank you one more time for the help.
Greetings from Greece and Colombia.
Click to expand...
Click to collapse
Can you share your own rom base on LOS 15.1? Please
xaacnz said:
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom build ROM based on LineageOS 15.1
Click to expand...
Click to collapse
It's has some custom modifications like swapping back & recent app buttons as I'm left handed, I will try to build a more generic one once I get some free time.
boyrobbie said:
Can you share your own rom base on LOS 15.1? Please
Click to expand...
Click to collapse
@xaacnz
That's a very informative post :good:
Perhaps you can dump the firmware related partitions before and after unlocking the bootloader 'officially', so that it can be easier for us to find (possible) ways to unlock (not bypass) devices based on Xiaomi's implementation of Qualcomm LK.
I'm tagging @osm0sis to take part in the discussion.
xaacnz said:
It's has some custom modifications like swapping back & recent app buttons as I'm left handed, I will try to build a more generic one once I get some free time.
Click to expand...
Click to collapse
Thanks for your kindness, i'm waiting for that
Titokhan said:
@xaacnz
That's a very informative post :good:
Perhaps you can dump the firmware related partitions before and after unlocking the bootloader 'officially', so that it can be easier for us to find (possible) ways to unlock (not bypass) devices based on Xiaomi's implementation of Qualcomm LK.
I'm tagging @osm0sis to take part in the discussion.
Click to expand...
Click to collapse
All stages of bootloader except PBL can be found in fastboot ROM, and PBL can be obtained by using testpoint: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
The 'official' unlocking process is:
1 submit cpuid which is eFused in soc to Xiaomi.
2 Xiaomi sign the cpuid with it's private RSA key.
3 write the signature to 'devinfo' partition at offset 0xE4.
The verification process is:
1 read the signature from 'devinfo' partition.
2 verify it using public key embedded in aboot.
3 decode the verification result as base64.
4 compare the decoded value with cpuid read from soc, bootloader is unlocked if it's the same.
There are some bugs in verification process:
1 signature is padded using PKCS #1 v1.5, but verification process didn't check plaintext size, thus any plaintext starts with desired prefix will unlock bootloader, effectively reducing the complexity of brute force.
2 any value outside of base64's 64 characters table is treated as 'A', this reduce brute force complexity further.
3 base64 decode will not terminate until '=' is encountered, this create opportunity for buffer overrun, though input(RSA verification result) is hard to control.
4 base64 decode is skipped if first byte of PKCS #1 v1.5 payload is zero, this resulting in comparison of uninitialized stack value to cpuid and maybe exploitable to unlock phone.
I'm shocked that one can write so many bugs in such short function.
xaacnz said:
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom build ROM based on LineageOS 15.1
Click to expand...
Click to collapse
Bro! we have been using the build you uploaded on android file host on may 16 2018. The build you uploaded has all bugs fixed in lineage OS 15.1. Some developers of Redmi 5a(RIVA) has been trying to contact you. They need the source of your ROM and kernel you uploaded on 16 may. Please reply.
xaacnz said:
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom build ROM based on LineageOS 15.1
Click to expand...
Click to collapse
Would you mind sharing your device and kernel sources which you are using? We all have issues with audio which are related to kernel.
It would be great for development on Redmi 5A in general if you could share your sources with the community.
If you don't want to share them for any reason, you could maybe help us fixing the speaker bug on our sources: https://github.com/redmidevs/android_kernel_xiaomi_msm8917
boyrobbie said:
Can you share your own rom base on LOS 15.1? Please
Click to expand...
Click to collapse
LordShenron said:
Bro! we have been using the build you uploaded on android file host on may 16 2018. The build you uploaded has all bugs fixed in lineage OS 15.1. Some developers of Redmi 5a(RIVA) has been trying to contact you. They need the source of your ROM and kernel you uploaded on 16 may. Please reply.
Click to expand...
Click to collapse
33bca said:
Would you mind sharing your device and kernel sources which you are using? We all have issues with audio which are related to kernel.
It would be great for development on Redmi 5A in general if you could share your sources with the community.
If you don't want to share them for any reason, you could maybe help us fixing the speaker bug on our sources: https://github.com/redmidevs/android_kernel_xiaomi_msm8917
Click to expand...
Click to collapse
Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917
I tried to post this ROM on https://forum.xda-developers.com/xiaomi-redmi-5a/development , but my account don't have permission to do that, so I have to post it here in case anyone is interested.
xaacnz said:
Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917
I tried to post this ROM on https://forum.xda-developers.com/xiaomi-redmi-5a/development , but my account don't have permission to do that, so I have to post it here in case anyone is interested.
Click to expand...
Click to collapse
We have been trying to get around a bug in our builds. Your sources will be a great help for whole riva community Thank you so much.
Thanks
xaacnz said:
Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917
I tried to post this ROM on https://forum.xda-developers.com/xiaomi-redmi-5a/development , but my account don't have permission to do that, so I have to post it here in case anyone is interested.
Click to expand...
Click to collapse
Thanks again.
xaacnz said:
5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img then put the resulting file to "tmp" and rename it to "recovery.img"
If you want flash custom ROM, you just need to append[NOTE1] boot.img
NOTE1: append should work in most case, but not always. the corrected place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculate from image header, it's defined as:
Code:
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned dt_size; /* device_tree in bytes */
unsigned unused; /* future expansion: should be 0 */
....
};
and then calculate:
Code:
if (hdr->page_size && (hdr->page_size != page_size)) {
page_size = hdr->page_size;
page_mask = page_size - 1;
}
kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);
dt_size = hdr->dt_size;
dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
imagesize_actual is the place to write
NOTE2: There may be a easier way to enter EDL considering there are so many bug(eg. uninitialized stack variable, buffer overrun, missing bound check) in Xiaomi's modification, but I haven't bothered to check since my goal is achieved.
NOTE3: I suspect other model from Xiaomi may have similar bugs that bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.
Click to expand...
Click to collapse
Hello!
I am not very familliar with programming or ROM development.
Could you please explain a bit more specific about NOTE1, how to append 4K block?
I don't quite understand where should I add it. At the beginning of the image, at the end or at the specific place in that file?
And 4k block means 4 kilobytes? Like 4096 bytes?
And if I need to flash custom room should I change something in xml files to? Or just append will be sufficient?
Please help, I need to flash that Riva finally!