Database Users

[REQ] Need a little help for porting my WM6 ROM on my MIO P550 / Airis T620

hello everybody
I'm a user of a mio p550. I'ma développor, and i want to port à wm6 rom for this pda, because there are many users of this pda, and i want to flash my pda on wm6 !
The mio p550 have three clones : the mio p350, the Aris T620, ans the Yakumo Delat X, so there are many many users of these pda, but no wm6 rom.
SO i have begun, but, it stay a little problem !
The only available flashable image is the "famous" "MioP550 - Osc260A R05_P09.nb0" file.
The header of it looks like:
Code:
00000000: 50 6f 63 6b 65 74 50 43 5f 32 30 30 35 00 00 00 PocketPC_2005...
00000010: 10 01 00 00 00 00 02 00 5a fc 35 00 00 00 00 00 ........Z.5.....
00000020: 4d 53 5f 49 50 4c 00 00 00 00 00 00 00 00 00 00 MS_IPL..........
00000030: 10 01 02 00 00 88 e9 01 70 1f ae 1c 00 00 00 00 ........p.......
00000040: 4f 53 5f 49 4d 41 47 45 00 00 00 00 00 00 00 00 OS_IMAGE........
00000050: 10 89 eb 01 00 00 02 00 de 1e f8 00 00 00 00 00 ................
00000060: 55 42 4f 4f 54 00 00 00 00 00 00 00 00 00 00 00 UBOOT...........
The structure is somewhat easy to see:
Code:
00000000: "Pocket_PC_2005" // some sort of signature. In UBOOT section I could find the very same string, so I'd assume the update loader checks it.
00000010: 10 01 00 00 // 4 bytes : offset of the 1st section -> 0x110
00 00 02 00 // 4 bytes : length of the 1st section -> 0x20000
5a fc 35 00 // 4 bytes : checksum -> 0x35fc5a
00 00 00 00 ...
00000020: "MS_IPL" // name/id of the 1st section
00000030: 10 01 02 00 // 4 bytes : offset of the 2nd section -> 0x20110
00 88 e9 01 // 4 bytes : length of the 2nd section -> 0x1e98800
70 1f ae 1c // 4 bytes : checksum -> 0x1cae1f70
00 00 00 00 ...
00000040: "OS_IMAGE" // name/id of the 2nd section
00000050: 10 89 eb 01 // 4 bytes : offset of the 3rd section -> 0x1eb8910
00 00 02 00 // 4 bytes : length of the 3rd section -> 0x20000
de 1e f8 00 // 4 bytes : checksum -> 0xf81ede
00 00 00 00 ...
00000060: "UBOOT" // name/id of the 3rd section
You can split the nb0 file into the corresponding parts based on the above informacion. Use your favourite hex editor, or write a script , or ... you can use dump from itsutils like below.
Code:
dump -o 0x110 -l 0x20000 "MioP550 - Osc260A R05_P09.nbh" MS_IPL.nb
dump -o 0x20110 -l 0x1e98800 "MioP550 - Osc260A R05_P09.nbh" OS_IMAGE.nb
dump -o 0x1eb8910 -l0x20000 "MioP550 - Osc260A R05_P09.nbh" BOOT.nb
The OS_IMAGE.nb file you get, can be used in most of the kitchens. The only special thing, that is has 512+8 (data+spare) bytes structure. Tadzio's imgfs tools can handle that. Below is some example output.
Code:
NBSplit.exe -data 512 -extra 8 OS_IMAGE.nb
NBSplit 2.1rc2
Using data chunk size = 0x200 and extra chunk size = 0x8
on file OS_IMAGE.nb
Done.
Code:
NBInfo.exe OS_IMAGE.nb.payload
NBInfo 2.1rc2
'OS_IMAGE.nb.payload' has valid boot sector
Partition table:
Partition 0
-----------
File System: 0x20 (boot)
Start Sector: 0x00000002
Total Sectors: 0x000008fe
Boot indicator: 0x00
First Head: 0x02
First Sector: 0x01
First Track: 0x00
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x08
Partition 1
-----------
File System: 0x23 (XIP RAM)
Start Sector: 0x00000900
Total Sectors: 0x00000f00
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0x09
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x17
Partition 2
-----------
File System: 0x25 (imgfs)
Start Sector: 0x00001800
Total Sectors: 0x0000d500
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0x18
Last Head: 0xff
Last Sector: 0x01
Last Track: 0xec
Partition 3
-----------
File System: 0x04 (FAT)
Start Sector: 0x0000ed00
Total Sectors: 0x003f0c00
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0xed
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x1f8
Geometry: flash has 256 virtual heads
MSFLSH50 header found at offset 0x200
(0 Reserved Entries, 3 Flash Region Entries)
Flash Region Entry 0:
---------------------
Region type: XIP
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0x00000018 -> Size in sectors: 0x00001800
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000000
-> Bytes per sector: 0x00000200
Flash Region Entry 1:
---------------------
Region type: READONLY_FILESYS
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0x000000d5 -> Size in sectors: 0x0000d500
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000002
-> Bytes per sector: 0x00000200
Flash Region Entry 2:
---------------------
Region type: FILESYS
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0xffffffff -> Size in sectors: 0xffffff00
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000002
-> Bytes per sector: 0x00000200
Searching for IMGFS signature...
Found IMGFS at byte 0x00340000 (sector 0x00001a00).
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 000135F5
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
---
Now you can extract all parts. The SRXP compressed XIP part you need for cooking. You can use msflshtool to extract it, srpx2xip to decompress and dumprom to dump it. All these tools you can find in Scoter Kitchen. You can use Tadzio's imgfs tool to dump/modify/build the IMGFS part. You can collect the rest of the tools you need, depending on the modification you plan.
Based on the above header description, you can easily assemble a flashable image. The checksums are checked, but a wrong checksum does not prevent the flasing procedure . My today's finding : the checksum calculatin is rather easy, just create a 32 byte masked sum of all the bytes in the region in little endian format
I hope this helps for those interested in P550 ROM cooking.
-------
In addition, i possed a dump of a mio p560 rom ( which is the mio p550 with wm6),.
The 3 files here in the P560 dump correspond to Partition0/1/2 in that description. With a hexeditor you can fabricate an MBR and an MSFLSH50 header that corrensponds to P560 partition sizes and inject P560 raw files into the nb0 file and you can flash that. And there's a chance that you brick your device
I took a look at the part01.raw and what makes me sceptic, in OEM KERNEL package P560 uses a different flash driver than P550. So hw is not necessarily the same. And the above method without further cooking might not work smoothly.
Anyway as P560 is really close to P550 in hw, the above dump can be really useful in cooking a WM6 for P550. So I believe we would need help from an experience chef to proceed
So , i don't know how to do, but i want to adapt the rom !
Please, Please, Please, I need help
Is there any god who can help me !
Great thanks !!!!
Nixeus

175 view and no a little answer

Nixeus said:
175 view and no a little answer
Click to expand...
Click to collapse
Soory, but can't help you...
Maybe you should change te name of the topic, because it doesn't say anything about the real subject of the first post...
Hope someone will come by to help you...

Nixeus said:
175 view and no a little answer
Click to expand...
Click to collapse
Dear Nixeus, I agree with rvdgeer, I've been following this thread and waiting for a reply/solution all this time for my MIO P550, so please change the title of this thread to [REQ] or something very similar... Thanks.

I hope you'll find help, it would be awesome a wm6 or wm6.1 rom for my p350!

There are more and more person who wants wm6 or 6.1 for these pda, but no body help me......

I would like to help you, but the only thing I could do for you is an italian translation but i don't think it's gonna help..

I think it's not coming help here.. Are you keeping up the work?

Thanks all you had done for us! However, I am not a specialist on this. Can you please make a *.nb0 file using MioP560 with WM6 dump file? If it can be uploaded to rapidshare.com, it is easy to get it for us.
Thanks in advance.
Anson
Nixeus said:
hello everybody
I'm a user of a mio p550. I'ma développor, and i want to port à wm6 rom for this pda, because there are many users of this pda, and i want to flash my pda on wm6 !
The mio p550 have three clones : the mio p350, the Aris T620, ans the Yakumo Delat X, so there are many many users of these pda, but no wm6 rom.
SO i have begun, but, it stay a little problem !
The only available flashable image is the "famous" "MioP550 - Osc260A R05_P09.nb0" file.
The header of it looks like:
Code:
00000000: 50 6f 63 6b 65 74 50 43 5f 32 30 30 35 00 00 00 PocketPC_2005...
00000010: 10 01 00 00 00 00 02 00 5a fc 35 00 00 00 00 00 ........Z.5.....
00000020: 4d 53 5f 49 50 4c 00 00 00 00 00 00 00 00 00 00 MS_IPL..........
00000030: 10 01 02 00 00 88 e9 01 70 1f ae 1c 00 00 00 00 ........p.......
00000040: 4f 53 5f 49 4d 41 47 45 00 00 00 00 00 00 00 00 OS_IMAGE........
00000050: 10 89 eb 01 00 00 02 00 de 1e f8 00 00 00 00 00 ................
00000060: 55 42 4f 4f 54 00 00 00 00 00 00 00 00 00 00 00 UBOOT...........
The structure is somewhat easy to see:
Code:
00000000: "Pocket_PC_2005" // some sort of signature. In UBOOT section I could find the very same string, so I'd assume the update loader checks it.
00000010: 10 01 00 00 // 4 bytes : offset of the 1st section -> 0x110
00 00 02 00 // 4 bytes : length of the 1st section -> 0x20000
5a fc 35 00 // 4 bytes : checksum -> 0x35fc5a
00 00 00 00 ...
00000020: "MS_IPL" // name/id of the 1st section
00000030: 10 01 02 00 // 4 bytes : offset of the 2nd section -> 0x20110
00 88 e9 01 // 4 bytes : length of the 2nd section -> 0x1e98800
70 1f ae 1c // 4 bytes : checksum -> 0x1cae1f70
00 00 00 00 ...
00000040: "OS_IMAGE" // name/id of the 2nd section
00000050: 10 89 eb 01 // 4 bytes : offset of the 3rd section -> 0x1eb8910
00 00 02 00 // 4 bytes : length of the 3rd section -> 0x20000
de 1e f8 00 // 4 bytes : checksum -> 0xf81ede
00 00 00 00 ...
00000060: "UBOOT" // name/id of the 3rd section
You can split the nb0 file into the corresponding parts based on the above informacion. Use your favourite hex editor, or write a script , or ... you can use dump from itsutils like below.
Code:
dump -o 0x110 -l 0x20000 "MioP550 - Osc260A R05_P09.nbh" MS_IPL.nb
dump -o 0x20110 -l 0x1e98800 "MioP550 - Osc260A R05_P09.nbh" OS_IMAGE.nb
dump -o 0x1eb8910 -l0x20000 "MioP550 - Osc260A R05_P09.nbh" BOOT.nb
The OS_IMAGE.nb file you get, can be used in most of the kitchens. The only special thing, that is has 512+8 (data+spare) bytes structure. Tadzio's imgfs tools can handle that. Below is some example output.
Code:
NBSplit.exe -data 512 -extra 8 OS_IMAGE.nb
NBSplit 2.1rc2
Using data chunk size = 0x200 and extra chunk size = 0x8
on file OS_IMAGE.nb
Done.
Code:
NBInfo.exe OS_IMAGE.nb.payload
NBInfo 2.1rc2
'OS_IMAGE.nb.payload' has valid boot sector
Partition table:
Partition 0
-----------
File System: 0x20 (boot)
Start Sector: 0x00000002
Total Sectors: 0x000008fe
Boot indicator: 0x00
First Head: 0x02
First Sector: 0x01
First Track: 0x00
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x08
Partition 1
-----------
File System: 0x23 (XIP RAM)
Start Sector: 0x00000900
Total Sectors: 0x00000f00
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0x09
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x17
Partition 2
-----------
File System: 0x25 (imgfs)
Start Sector: 0x00001800
Total Sectors: 0x0000d500
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0x18
Last Head: 0xff
Last Sector: 0x01
Last Track: 0xec
Partition 3
-----------
File System: 0x04 (FAT)
Start Sector: 0x0000ed00
Total Sectors: 0x003f0c00
Boot indicator: 0x00
First Head: 0x00
First Sector: 0x01
First Track: 0xed
Last Head: 0xff
Last Sector: 0x01
Last Track: 0x1f8
Geometry: flash has 256 virtual heads
MSFLSH50 header found at offset 0x200
(0 Reserved Entries, 3 Flash Region Entries)
Flash Region Entry 0:
---------------------
Region type: XIP
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0x00000018 -> Size in sectors: 0x00001800
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000000
-> Bytes per sector: 0x00000200
Flash Region Entry 1:
---------------------
Region type: READONLY_FILESYS
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0x000000d5 -> Size in sectors: 0x0000d500
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000002
-> Bytes per sector: 0x00000200
Flash Region Entry 2:
---------------------
Region type: FILESYS
Start phys. block: 0x00000000
Size in phys. blocks: 0x00000000
Size in log. blocks: 0xffffffff -> Size in sectors: 0xffffff00
Sectors per block: 0x00000100
Bytes per block: 0x00020000
Compact blocks: 0x00000002
-> Bytes per sector: 0x00000200
Searching for IMGFS signature...
Found IMGFS at byte 0x00340000 (sector 0x00001a00).
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 000135F5
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
---
Now you can extract all parts. The SRXP compressed XIP part you need for cooking. You can use msflshtool to extract it, srpx2xip to decompress and dumprom to dump it. All these tools you can find in Scoter Kitchen. You can use Tadzio's imgfs tool to dump/modify/build the IMGFS part. You can collect the rest of the tools you need, depending on the modification you plan.
Based on the above header description, you can easily assemble a flashable image. The checksums are checked, but a wrong checksum does not prevent the flasing procedure . My today's finding : the checksum calculatin is rather easy, just create a 32 byte masked sum of all the bytes in the region in little endian format
I hope this helps for those interested in P550 ROM cooking.
-------
In addition, i possed a dump of a mio p560 rom ( which is the mio p550 with wm6),.
The 3 files here in the P560 dump correspond to Partition0/1/2 in that description. With a hexeditor you can fabricate an MBR and an MSFLSH50 header that corrensponds to P560 partition sizes and inject P560 raw files into the nb0 file and you can flash that. And there's a chance that you brick your device
I took a look at the part01.raw and what makes me sceptic, in OEM KERNEL package P560 uses a different flash driver than P550. So hw is not necessarily the same. And the above method without further cooking might not work smoothly.
Anyway as P560 is really close to P550 in hw, the above dump can be really useful in cooking a WM6 for P550. So I believe we would need help from an experience chef to proceed
So , i don't know how to do, but i want to adapt the rom !
Please, Please, Please, I need help
Is there any god who can help me !
Great thanks !!!!
Nixeus
Click to expand...
Click to collapse

hi
how could i use the 3 raw files of p560 rom to restore seflash my p560?
thanks

please
please please please teach me how to make MBR and an MSFLSH50 header.
I own an p560 but in an atempt to dump rom it was broken, i d/ont know why but at the restart after mio logo and at the expected windows screen the lcd remain white and that is all, nothing happen after...

Here is a solution in order to maker a wm6 rom for our mio p550 / Airis T620 !
Thanks to ASAM !!
http://www.miousers.co.uk/viewtopic.php?t=4068

[Heimdall] Repartitioning Problem. C++ Developers required. Offering UnBrickable Mod.

I'm here to recruit help from XDA-Developers for open-source development. I can offer UnBrickable Mod to any Developer who thinks they can help with this C++ issue. This will allow you to play with Loki (the device's side of Odin/Heimdall) and not worry about it.
The only thing keeping the Linux and Mac platforms from being better then Windows at developing ROMs and other firmware is Heimdall's ability to repartition. Once this barrier is broken down, we will have an entire open source chain for developing and Linux will be the premeire platform for developing on Samsung devices. There will be no reason to use Closed Source Windows, Odin, or Samsung Drivers... This is the last barrier.
I am offering debug logs which show the UART output during the flashing of Heimdall and Odin.
here are Heimdall logs/uart logs: http://pastebin.com/srhG7yJA
here are Odin Uart Logs: http://pastebin.com/AiKspmxR UART coming soon.
Here are both Heimdall and Odin USB logs via Wireshark.
http://www.mediafire.com/file/2wccdcuf87q2i3l/odinheimdallUSBLog.zip
Benjamin Dobell has set up code for Heimdall here: https://github.com/Benjamin-Dobell/Heimdall/
This is not a bounty thread. It is an open source development/improvement thread. I have spoken to Benjamin Dobell, the creator of Heimdall, and he is too busy with a new job and working loads of overtime hours. He has approved of this action. Fixing this issue with Heimdall will allow the entire Samsung community to utilize Heimdall as a total replacement for Odin on all platforms.
What's my role/interest in this? I want Linux to be as good or better then Windows.. I'm an Open Source guy. I'm also not good at C++ programming language. I understand the headers, but not the CPP files. I can provide debugging and beta testing though. I've created the cross-platform Heimdall One-Click . I brought UnBrickable Mod to the Captivate and the only thing left in the entire open-source chain of software from complete destruction of data on the device to completely stock is getting Heimdall to repartition.
Once this final hurdle in Heimdall is completed, we've got a full open-source stack of cross-platform, community-based software by XDA-Developers for XDA-Developers and users. Open-Source software will be able to provide more then closed source software, and once again XDA-Developers will prove that we can do things better then the Manufacturers.

There is an issue tracking system here: https://github.com/Benjamin-Dobell/Heimdall/issues
I believe the underlying cause of all 3 of the existing issues in the Heimdall Repostiory lies with Heimdall's ability to repartition.
issue 21: "Failed to confirm end of file transfer sequence!" signifies that the information sent overran the partition area and therefore it never responded that the end was confirmed.
Issue 19: "Could not find end of file or end of file transfer, something similar." Likely the same as issue 21.
Issue 14: "Expected file part index" again, dealing with partition tables. "ERROR: Expected file part index: 0 Received: 1"
I believe all three of these issues could be worked into a single "Heimdall Repartitioning" issue for the reasons stated above.

I got some experience in C++ and Java...
once I get home ill take a look at the heimdall source, and give it a shot.

Smasher816 said:
I got some experience in C++ and Java...
once I get home ill take a look at the heimdall source, and give it a shot.
Click to expand...
Click to collapse
Hey great.. I have a special test setup with UART output.
First I totally thrashed my partition table by uploading the Bada OS SBL.. This SBL rewites partition tables. Then I used the HIBL to unbrick my phone and load a proper SBL. This is the UART during booting up to "Download Mode".
Code:
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Modified by Rebell
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0xffffffff)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 7
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : *unknown id* (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 7
===============================
ID : *unknown id* (0x1)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 8
NO_UNITS : 796
===============================
ID : *unknown id* (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 804
NO_UNITS : 716
===============================
ID : *unknown id* (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1520
NO_UNITS : 372
===============================
ID : *unknown id* (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1892
NO_UNITS : 56
===============================
ID : *unknown id* (0x18)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 1948
NO_UNITS : 56
===============================
FlashDevOpen 232: Error(nErr=0x80000002)
j4fs_open 136: Error(nErr=0x40000000)
loke_init: j4fs_open failed..
init_fuel_gauge: vcell = 4051mV, soc = 82
check_quick_start_condition_with_charger- Voltage: 4051.25000, Linearized[55/70/85], Capacity: 85
init_fuel_gauge: vcell = 4051mV, soc = 82, rcomp = d01f
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
nps status file does not exist..
nps status is incorrect!! set default status.(completed)
nps status=0x504d4f43
PMIC_IRQ1 = 0x3c
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x0.
get_debug_level current debug level is 0x0.
get_debug_level current debug level is 0x0.
aries_process_platform: Debug Level Invalid
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
nps status file does not exist..
nps status is incorrect!! set default status.(completed)
nps status=0x504d4f43
==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Error : Current Mode is Host
EP2: 0, 2, 0; len=7
EP2: 0, 2, 0; len=7
sug: IN EP asserted
I gave the command in Heimdall to repartition and flash the boot.bin to partition 1.
Code:
heimdall flash --repartition --pit ./part.pit --1 ./boot.bin
At this point it should have downloaded the partition, saved it, and then heimdall should request the partition back and use that as its guide.
The boot.bin is only 1 block long so this log is short.
Code:
- Odin is connected!
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(100), data id(0)
process_rqt_init: platform number(0x0), revision(0x0)
process_packet: request id(100), data id(1)
process_packet: request id(100), data id(2)
process_packet: request id(103), data id(0)
process_rqt_close: xmit completed!
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(103), data id(1)
process_rqt_close: target reset!
ARIES MAGIC_ADDR=0x0 / INFORM5=0x12345678
and this is the log from Heimdall
Code:
Initialising connection...
Detecting device...
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Beginning session...
Handshaking with Loke...
Ending session...
Rebooting device...
Re-attaching kernel driver...
At this point the device "resets" and attempts to boot from the bootloader.
If you need any testing let me know. I can compile source, I can get UART logs. I can repartition the heck out of this device as it is UnBrickable and my test phone.

I believe the device uses the SBL> prompt when it is in download mode.. You can see from this UART log that the device attempted to "saveenv" but it could not. http://code.google.com/p/badadroid/...ompare_logs/SBL_mode_help.txt?spec=svn61&r=57
It also returned the same "FlashDevRead 63 error)
The final action the device needs to do is "savepart" if the partition tables were saved after the pit were uploaded then it would be good to go. There are several other commands as well.. "addpart" and "removepart".. If it comes to using this, let me know. I've worked with Benjamin Dobell's libpit before and I can help out greatly with repartitioning as I've worked extensively in the SBL prompt.
I'm not sure how the Download Mode works exactly, but if it uses the SBL prompt, then I can write pseudocode of how it should work.

This probably isn't going to help much, but it may be a start.
I figured the best way to solve this would be to find the differences between a successful Odin flash and an unsuccessful Heimdall flash. So I delved right in to the wireshark dumps. It seems likely that Heimdall is missing a step.
I do not understand the protocol (yet), but I can see the raw data in the stream. In the Heimdall process, there is some protocol traffic, then the entire PIT file is sent, then some more protocol traffic, then the kernel data is sent. But in the Odin process, there is some protocol traffic, then the entire PIT file is sent, then some more protocol traffic, then the PIT file is sent again in 512 byte chunks, then some protocol traffic (more than usual), and then the kernel data is sent.
At the moment, I can't be sure if this is functionally equivalent or not. I'll need to do quite a bit of deciphering on the protocol to get up to speed on what's really going on. Unfortunately, this is the sort of thing that's easiest if one can watch the action in real time, but as I only have my one phone that I need for work, that's not really an option for me at this time.
Hopefully, I'll return with more info after I've absorbed the communication layer details to see what the non-data chatter actually is.

Could that extra protocol data possibly be Odin commanding delete partitions and add partitions? I'm hypothesizing... nothing more. I see some similarities to the UART logs during SBL> prompt and Odin, so I'm thinking that maybe the SBL prompt is used, or at least some of the methods... In this thread you can see all of the SBL commands http://forum.xda-developers.com/showthread.php?t=1209288
Sure it's from an Infuse, but they're all based on i9000 which is like the mother of our entire generation of devices. The SBLs are interchangeable with different entry points for each "version".

AdamOutler said:
Could that extra protocol data possibly be Odin commanding delete partitions and add partitions? I'm hypothesizing... nothing more. I see some similarities to the UART logs during SBL> prompt and Odin, so I'm thinking that maybe the SBL prompt is used, or at least some of the methods... In this thread you can see all of the SBL commands http://forum.xda-developers.com/showthread.php?t=1209288
Sure it's from an Infuse, but they're all based on i9000 which is like the mother of our entire generation of devices. The SBLs are interchangeable with different entry points for each "version".
Click to expand...
Click to collapse
I have a feeling that it is using the SBL prompt somehow after the flash because everything else seems pretty much identical (besides the timing). If anyone needs to understand the protocol then I recommend just looking at Heimdall's source code, in particular the packet header files store all the constants that are sent and received over USB.

Found the problem - the End Transfer packet is missing. There is also some additional strangeness, though.
Heimdall:
Packet 1: 65 00 00 00 (Init pit transfer)
Packet 2: 65 00 00 00 02 00 00 00 D0 06 00 00 (Want to send 1744 bytes)
Packet 3: [full contents of pit]
Packet 4: 66 00 00 00 (Init file transfer - probably starting the kernel send)​
Odin:
Packet 1: 65 00 00 00 (Init pit transfer)
Packet 2: 65 00 00 00 02 00 00 00 D0 06 00 00 (Want to send 1744 bytes)
Packet 3: [full contents of pit]
Packet 4: 65 00 00 00 03 00 00 00 D0 06 00 00 (Finished sending 1744 bytes)​
The odd part is what odin does next, after the "finished sending":
Packet 5: 65 00 00 00 01 00 00 00 (Dump pit file)
Packet 6: 65 00 00 00 02 00 00 00 00 00 00 00 (Sending chunk 0)
Packet 7: [first 512 bytes of pit]
Packet 8: 65 00 00 00 02 00 00 00 01 00 00 00 (Sending chunk 1)
Packet 9: [next 512 bytes of pit]
Packet 10: 65 00 00 00 02 00 00 00 02 00 00 00 (Sending chunk 2)
Packet 11: [next 512 bytes of pit]
Packet 12: 65 00 00 00 02 00 00 00 03 00 00 00 (Sending chunk 3)
Packet 13: [next 512 bytes of pit]
- repeat for 8 chunks - data past the end of the actual pit file is sent as zeroes -
Packet 22: 65 00 00 00 03 00 00 00 (Done)
Packet 23: 66 00 00 00 (Init file transfer - probably kernel)​
I couldn't begin to tell you why any of this exists at all, but my strong suspicion is that duplicating the Odin behavior will make Heimdall work properly.

So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.

psych0phobia said:
So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.
Click to expand...
Click to collapse
That did it! Problem solved!
1.I uploaded the Bada bootloaders to my device in order to totally destroy my partition tables.
2.I tried to flash with heimdall 1.3 and it did not work to restore
3.I compiled and installed the new 1.3modified version
4.I flashed with heimdall 1.3modified and it worked
to be sure I repeated the Bada bootloaders once again. The only thing wrong with my device now is that it has no /efs/ partition... which is understandable because bada turned the OneNAND into it's *****.
Great job psych0phobia If you need anything from me just let me know. I mean anything ...
Let me know when you can spare your device so I can modify it. Please push this change upstream.

Here's the UART log
Code:
[���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Uart negotiation Error
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Modified by Rebell
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 140
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1954
NO_UNITS : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4192mV, soc = 90
check_quick_start_condition_with_charger- Voltage: 4192.50000, Linearized[77/92/100], Capacity: 94
init_fuel_gauge: vcell = 4192mV, soc = 90, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x28
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
reading nps status file is successfully!.
nps status=0x504d4f43
==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Error : Current Mode is Host
EP2: 0, 2, 0; len=7
EP2: 0, 2, 0; len=7
sug: IN EP asserted
- Odin is connected!
set_nps_update_start: set nps start flag successfully.
process_packet: request id(100), data id(0)
process_rqt_init: platform number(0x0), revision(0x0)
process_packet: request id(100), data id(1)
process_packet: request id(100), data id(2)
process_packet: request id(101), data id(0)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(3)
[FNW: ] STL read to partition ID: 20
Done.
read 25 units.
partition_backup: efs. meta data=3(units), real size=6553600
.....Done.
read 5 units.
partition_backup: sbl. buf=0x46e00000, size=1310720(bytes)
.....Done.
read 5 units.
partition_backup: sbl2. buf=0x46f40000, size=1310720(bytes)
fsr_bml_format_device start
set_dynamic_partition: pit magic code=0x12349876
bbm format success
bbm_erase_all: step 1. Start unit=1, End unit=2.
.
bbm_erase_all: step 1. Start unit=52, End unit=2004.
..............................................................................................................................................................................................................................................
bbm eraseall success.
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
Erasing: 1 to 2
.
bbm erase part success
.Done.
Written 1 units.
current percent: 0 (1/1110)
board partition information update.. source: 0x403ee838
Erasing: 2 to 42
........................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 20)
[FNW:INF] nVol : 0, partition_id : 20, stSTLInfo.nTotalLogScts : 12800, buf :0x46400000
TotalLogSct : 12800, size : 6553600
Done.
Written 25 units.
current percent: 2 (26/1110)
Erasing: 42 to 47
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 2 (31/1110)
Erasing: 47 to 52
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 3 (36/1110)
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(5445016), id(6), final(1)
Save Image (KERNEL) to flash ......
Erasing: 72 to 102
..............................
bbm erase part success
.....................Done.
Written 21 units.
current percent: 5 (57/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(12582912), efs_clear(0), boot_update(0), final(1)
xmit_complete_phone: cp partition found!(11)
Save Image (MODEM) to flash ......
Erasing: 1954 to 2004
..................................................
bbm erase part success
................................................Done.
Written 48 units.
current percent: 9 (105/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(104857600), id(22), final(0)
Save Image (FACTORYFS) to flash ......
Erasing: 132 to 1278
..............................................................................................................................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 22)
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 204800, size : 104857600
Done.
Written 394 units.
current percent: 45 (505/1110)
current write_count=1
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(104857600), id(22), final(0)
Save Image (FACTORYFS) to flash ......
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 204800, size : 104857600
Done.
Written 394 units.
current percent: 81 (905/1110)
current write_count=2
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(58163200), id(22), final(1)
Save Image (FACTORYFS) to flash ......
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 113600, size : 58163200
Done.
Written 219 units.
current percent: 101 (1127/1110)
current write_count=3
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1376256), id(23), final(1)
Save Image (DBDATAFS) to flash ......
Erasing: 1278 to 1814
..............................................................................................................................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 23)
[FNW:INF] nVol : 0, partition_id : 23, stSTLInfo.nTotalLogScts : 263168, buf :0x46400000
TotalLogSct : 2688, size : 1376256
Done.
Written 6 units.
current percent: 102 (1133/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1245184), id(24), final(1)
Save Image (CACHE) to flash ......
Erasing: 1814 to 1954
............................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 24)
[FNW:INF] nVol : 0, partition_id : 24, stSTLInfo.nTotalLogScts : 64000, buf :0x46400000
TotalLogSct : 2432, size : 1245184
Done.
Written 5 units.
current percent: 102 (1138/1110)
current write_count=1
save param.blk, size: 5268
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xfffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(262144), id(0), final(1)
Save Image (IBL+PBL) to flash ......
binary version: EVT1.
boot.bin is the one-binary.
relocate & fusing continue..
completed.
Erasing: 0 to 1
.
bbm erase part success
.Done.
Written 1 units.
current percent: 102 (1139/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1310720), id(3), final(1)
Save Image (SBL) to flash ......
=== SBL signature information ===
File Size : 677052
=================================
read part info
id = 0x3
attr = 0x1002
first unin = 0x2a
number units = 0x5
pages per unit = 0x40
n1st page = 0xa80, page offset = 0x13f, len = 0x48
read part info
id = 0x4
attr = 0x1002
first unin = 0x2f
number units = 0x5
pages per unit = 0x40
n1st page = 0xbc0, page offset = 0x13f, len = 0x48
Found bootable SBL ID: 4
save SBL partition id: 3
Erasing: 42 to 47
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 103 (1144/1110)
current write_count=1
save sbl id: 3 / erase sbl id: 4
.
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(872448), id(21), final(1)
Save Image (PARAM) to flash ......
FlashDevClose 262: Error(nErr=0x80040001)
Erasing: 52 to 72
....................
bbm erase part success
[FNW: ] STL formatted (partition ID: 21)
[FNW:INF] nVol : 0, partition_id : 21, stSTLInfo.nTotalLogScts : 2560, buf :0x46400000
TotalLogSct : 1704, size : 872448
Done.
Written 4 units.
current percent: 103 (1148/1110)
current write_count=1
set_nps_update_start: set nps start flag successfully.
process_packet: request id(103), data id(0)
process_rqt_close: xmit completed!
set_nps_update_completed: set nps completed flag successfully.
process_packet: request id(103), data id(1)
process_rqt_close: target reset!
ARIES MAGIC_ADDR=0x0 / INFORM5=0x12345678
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
PBL found bootable SBL: Partition(3).
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
......... everything after this is standard data... just included this far to show it booted.
Everything worked..
Would you like WireShark to verify things?
As far as logging, the only thing I could see is this:
Code:
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xfffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
which means it tried to read some garbage from the OneNAND and failed.

AdamOutler said:
That did it! Problem solved!
1.I uploaded the Bada bootloaders to my device in order to totally destroy my partition tables.
2.I tried to flash with heimdall 1.3 and it did not work to restore
3.I compiled and installed the new 1.3modified version
4.I flashed with heimdall 1.3modified and it worked
to be sure I repeated the Bada bootloaders once again. The only thing wrong with my device now is that it has no /efs/ partition... which is understandable because bada turned the OneNAND into it's *****.
Great job psych0phobia If you need anything from me just let me know. I mean anything ...
Let me know when you can spare your device so I can modify it. Please push this change upstream.
Click to expand...
Click to collapse
Yay for a properly working Heimdall! Once this fix gets officially implemented I'll update my Heimdall =D
How much do you charge to make the Captivate Unbrickable? X3

I have a darn huge iq... Classified as genius level... Yet, try as I might, cannot make head or tail of Adams post...
Sent from my cell phone. DUH.

psycho2097 said:
I have a darn huge iq... Classified as genius level... Yet, try as I might, cannot make head or tail of Adams post...
Sent from my cell phone. DUH.
Click to expand...
Click to collapse
Don't give me credit... this is the real genius here...
psych0phobia said:
So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.
Click to expand...
Click to collapse
Basically, heimdall could not repartition the OneNAND. I identifed the problem, provided detailed debug level information and asked for help. psych0phobia looked at the Odin/Loki protocol, learned it, found the differences between Odin and Heimdall based on the output of both programs and then wrote the fix. Make sure you thank him. Thank Benjamin Dobell as well, he wrote Heimdall in the first place.
now... if you want to compile it under Linux... open a terminal and copy-pasta.
Code:
sudo apt-get install build-essential curl git
mkdir heimdall
cd heimdall
git clone https://github.com/Benjamin-Dobell/Heimdall.git
cd Heimdall/heimdall
curl http://android.merseine.us/BridgeManager.cpp> ./BridgeManger.cpp
curl http://android.merseine.us/EndPitFilePacket.h >./EndPitFilePacket.h
cd ..
cd ..
cd libpit
./configure
make
cd ..
cd heimdall
./configure
make
sudo make install
This will give Heimdall the ability to fully recover a bad partition table.
NOTE: This should only be used until a version greater then Heimdall 1.3.0 is released.

Yea, kinda got that part.... So my understanding would be now we can successfully flash nexus s. Firmware without screwing everything up... Right? In layman-geek's terms, not super-duper-mega-geek terms....
Sent from my cell phone. DUH.

psycho2097 said:
Yea, kinda got that part.... So my understanding would be now we can successfully flash nexus s. Firmware without screwing everything up... Right? In layman-geek's terms, not super-duper-mega-geek terms....
Sent from my cell phone. DUH.
Click to expand...
Click to collapse
I wont say anything about nexus s just yet... We have a 100% open-source, DIY, and free method of restoring a device to stock. Linux, UnBrickable Mod and heimdall.

In other words....
In yo face jtag

whiteguypl said:
In other words....
In yo face jtag
Click to expand...
Click to collapse
Hell yeah! 3 cheers 4 the unbrickable mod!
Sent from my cell phone. DUH.

Just thought I should let you guys know that I've pushed the source for the 1.3.1 updates to Github and it includes a fix, thanks psych0phobia! 1.3.1 also includes substantially improved no-reboot functionality that allows Heimdall to detect and use an existing session (i.e. previous operation with the --no-reboot parameter). Basically this means that you can do things like dump your PIT and then flash your phone without rebooting in between.
I should note that I kind of forgot to update the make files So it won't actually build on Linux/OS X until I do that when I get home (at work now). Windows users can give it whirl though.

Nexus 7 APX Ubuntu Gentoo(uclibc/dietlibc) TWRP bricked sbk sbcheck sbdetect

Reflashing Nexus 7 in APX mode, Ubuntu, Gentoo(uclibc/dietlibc), TWRP, hard bricked , sbkdetect , sbkcheck , sbk key
At the begining it was a word and the word was 2 bytes and half-nibble.
I have
Nexus 7 (bootloader unlocked), TWRP installed, and Ubuntu installed with
fastboot erase boot
fastboot flash boot raring-preinstalled-desktop-armhf+nexus7.bootimg
fastboot erase userdata
fastboot flash userdata raring-preinstalled-desktop-armhf+nexus7.img
fastboot reboot
At the beginning it was fully operational ubuntu.
I wanted to compile gentoo with optimized flags and libs - uclibc/dietlibc and to compare benchmarks with ubuntu and android.
Before experimenting I maked full backup of all partitions.
dd if=/dev/mmcblk0p1 bs=8M | nc -l -p 777
and from computer nc 192.168.0.4 777 > p1
I did the same command for p2, p3, p4, p5, p6, p7, p8, p9, boot1, boot0.
And I backuped /dev/mmcblk0 , which contained all those partitions.
I wanted to understand how it structured on the tablet.
In the process of experimenting first sectors from 0 to 64 was zeroed.
I tried to restore the device in APX mode.
Info about device:
On the box:
Nexus7 ASUS 1B/T30L/16/1G/V , CSSN:015d3248bb080218, SN:CBOKBC595625
Model ME370T , Made in China
[greped from dmesg]
Tegra Revision: A03 SKU: 0x83 CPU Process: 2 Core Process: 0
I checked most of the messages from the forum related to reflashing and restoring
soft/hard bricked tablets.
I tried to restore the device with sdk for Tegra3(for Nexus7) from developer site - developer.nvidia.com.
I registered and got SDK - Tegra Android DEveloper Pack 2.0 for windows. Then I tried to run it.
Several big files was created (there are look like files in nakasi-xxx-firmare-xxx) ,
and process stoped at moment of flashing.
Then I tried to reflash the device under linux.
usb-device
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 20 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0955 ProdID=7330 Rev=01.03
S: Manufacturer=NVIDIA Corp.
S: Product=APX
C: #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=32mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
The easiest way to prepare the device is running
"udevadm monitor" and pressing and holding the button/buttons until You'll see the message
"add" from udevadm.
I founded that the device in my situation, started with any of following combinations
PwrUp/PwrUp+Vol_+/PwrUp+Vol_.
You can check it with
usb-device | egrep "NVIDIA|APX"
I tried to run different nvflash programs and found working one:
Nvflash v1.8.90246 / 1197539 Bytes / md5sum
d0f1fdada0508d77906d89098ad60091 nvflash
I tried
nvflash --rawdevicewrite 0 64 0_64.dat --bl bl --go
to restore zeroed sectors. It not working without correct sbk key.
I sniffed usb data with wireshark for different sbk keys and found this:
Then device is powering
GET DESCRIPTOR / Data / A.P.X
GET DESCRIPTOR / Data / N v i d i a C o r p 0x2e 0x00
SET CONFIGURATION Request
SET CONFIGURATION Response
URB_BULK in
URB_BULK out / Leftover Capture Data / 180208bb48325d01 // this is CSSN from end to beginning
URB_BULK out / Leftover Capture Data / 1028 Bytes -- generated by nvflash using some func(CSSN)
0x04 0x04 0x00 0x00 and 16 bytes and rest is 0x00
URB_BULK in 0x04 0x00 0x00 0x00
URB_BULK out / Leftover Capture Data / 4096 Bytes
When I tried different sbk keys, I got different answers from the device - those 4096 bytes
of leftover_captured_data. I realized then after checking ONE wrong sbk key , I needed to reboot the device (power off/power on).
And I received next messages:
rcm version 0X4
Command send failed (usb write failed)
You can check URB status in wireshark after running nvflash.
If key is wrong , You'll get "Broken pipe" EPIPE.
I tried
nvflash --format_all --go
in the hope that I do not needed sbk key. In
www_patentmaps_com/topic/Handling_of_secure_storage_key_in_always_on_domain_1.html developers told that
In some cases You do not need to know sbk key for reflashing the device .
And I tried manual decryption
# trying to check if decryption is correct with some generated sbk keys
#
#0xF0D1E800 0x74DB0700 0x7C20E402 0x9839F903
openssl aes-128-cbc -K F0D1E80074DB07007C20E4029839F903 -iv 0 -d -in bct.enc -out bct.dcr -nopad
# incorrect sbk key 0xF0D1E80074DB07007C20E4029839F903
bct.dcr suppouse to look like bct structure
if You need to find more info about manual decryption check showthread.php?t=1698560
even if You have correct decrypted buffer and encrypted buffer , AES are not susceptible to
known-plaintext attacks.
Solution 0 ) Send it to ASUS (read the warranty before)
( in my case i still need that sbk key for deleveloping purpose and I hope
that key will be added to sdk)
Solution 1 ) The are couple of algorithms of generating sbk key from CSSN
usualy it a simple formula and we need to guess that constants
Solution 2 ) Reverse engineering of usb protocol.
Part of the code in the device, that responsible for usb protocol can be vulnerable.
ASUS BIOS developers is good, but a chance exist.
This is a new device on the market. My guess - that part of code can be common for
many models - they just recompile that for different models.
This joke for that developers:
If constructors will build the houses , like programers writing the
programs, then the first flying woodpecker will destroy the civilization.
For now, I am checking algorithms of generation of sbk key.
[ I still looking for any infos about generation sbk from CSSN ]
[ I trying to restore formula of generation sbk key from nvflash that I have ]
[ You can help me with posting every nvflash that you have ]
I tried sbkcheck but I get segmentation fault // solution - found the proper
libusb or better ask sbkcheck.c from author and recompile it.
if You can't get sbkcheck.c then analyze sbkcheck
readelf -a ./sbkcheck > sbkcheck._
objdump -d ./sbkcheck > sbkcheck.dump
./sbkcheck: file format elf32-i386
[cutted]
8048d25: a1 84 a4 04 08 mov 0x804a484,%eax
8048d2a: 89 c2 mov %eax,%edx
8048d2c: b8 41 8f 04 08 mov $0x8048f41,%eax [ offset 0x0000f41 in ./sbkcheck ] Error in bulk transfer
8048d31: 89 54 24 0c mov %edx,0xc(%esp)
8048d35: c7 44 24 08 17 00 00 movl $0x17,0x8(%esp)
8048d3c: 00
8048d3d: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048d44: 00
8048d45: 89 04 24 mov %eax,(%esp)
8048d48: e8 4b fa ff ff call 8048798 <[email protected]>
8048d4d: b8 ff ff ff ff mov $0xffffffff,%eax
8048d52: eb 70 jmp 8048dc4 <main+0x35a>
8048d54: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048d5b: 00
8048d5c: 8b 44 24 64 mov 0x64(%esp),%eax
8048d60: 89 04 24 mov %eax,(%esp)
8048d63: e8 70 fa ff ff call 80487d8 <[email protected]>
8048d68: 8b 44 24 4c mov 0x4c(%esp),%eax
8048d6c: 3d 01 00 02 00 cmp $0x20001,%eax !!!!! if $0x20001 getted from device !!!!
8048d71: 75 0e jne 8048d81 <main+0x317>
8048d73: c7 04 24 6b 8f 04 08 movl $0x8048f6b,(%esp) [ offset 0x0000f6b in ./sbkcheck ] Detected SBKv2
8048d7a: e8 39 fa ff ff call 80487b8 <[email protected]>
8048d7f: eb 1a jmp 8048d9b <main+0x331>
8048d81: c7 04 24 7a 8f 04 08 movl $0x8048f7a,(%esp) [ offset 0x0000f7a in ./sbkcheck ] Detected SBKv1
8048d88: e8 2b fa ff ff call 80487b8 <[email protected]>
[cutted]
I wanted to find the difference between sbkv1 and sbkv2 and sbkv3.
And I still looking for sources of sbkcheck.c and Sbkdetect.c or latest
sbkcheck/Sbkdetect
I found some info about tegrarcm () - for reflashing with u-boot bootloader but
It does not supported locked devices with an encrypted boot key, only
open devices such as the ventana, cardhu, or dalmore reference boards.
git://nv-tegra.nvidia.com/tools/tegrarcm.git
and good infos at
http_download_nvidia_com/tegra-public-appnotes
developer_download_nvidia_com/tegra
I found patents info:
www_patentmaps_com/topic/Handling_of_secure_storage_key_in_always_on_domain_1.html
Handling of secure storage key in always on domain
and this pdf www_sourceconference_com/publications/bos12pubs/android-modding-source.pdf
SBK of a Tegra device is leaked or predictable
P.S. Sorry for my bad bad English

Forgive my ignorance but what is this?

sgt. meow said:
Forgive my ignorance but what is this?
Click to expand...
Click to collapse
I think he/she is saying he/she wrote some length of zeros to /dev/block/mmcblk0 and is now in possession of a N7 brick.
The rest of it is sort of stream-of-conciousness documentation of efforts to figure out how to rescue it from that situation.
Scary thing is I understand most of what he/she is saying. Quite a bit of effort put in to this, actually.
I hope she/he succeeds. If there is anyone else working on cracking APX/nvflash/tegrarcm, they are doing so silently... so I am happy to see that someone is trying.

After relating the OP with your post, I seem to understand almost half of the post. But nvflash, sbk keys and algorithms are all but a haze to me.

I understood what you meant. It's the devvy bits regarding nvflash that frazzled me. I really do hope you succeed in your attempts.

I am on the same boat as Sgt. Meow, but you mentioned doing a back up of all the partitions. In what format did you do this? Using what? It sounds like you got NVflash to work or at least do something. If that is the case and your backup is a .img then you should be able to push that to mmcblk0p0 and have a working device again.
Sent from my LG-P999 using xda premium

I backuped from running ubuntu.
I added the command to my first message.
And I still retranslating the message to "normal English"
I think You can do it from TWRP.

I still looking for latest sbkcheck.c , Sbkdetect.c
or executable sbkcheck/Sbkdetect

www_cs_tcu_edu/people/professors/publications/sbk-tmc-2008.PDF
We need to find bivariate l-degree polynomial, like in case of Acer Iconia A500 (tegra2)

Impact(repercussion) of moonlight on lamb's testicles in a shadow

@ OP
You should not break the 10 post barrier like this. You can try helping others in other forums. That way you can earn some Thanks too (not that it should matter anyway). Please take it into consideration. That being said, I wish you all the best with your project and hope you succeed.
sgt. meow

Another very helpful info
www.google.com/patents/us20090204803.pdf

plus
http://www.google.com/patents/us20090204803

Ok, so since you used dd to make an image of your chip, you should be able to use NVflash to write that back to mmcblk0. I don't know that reflashing the entire chip has ever been done, but reflashing individual partitions via NVflash has been done and is a great way to de-brick.
Sent from my LG-P999 using xda premium

Волк said:
Ok, so since you used dd to make an image of your chip, you should be able to use NVflash to write that back to mmcblk0. I don't know that reflashing the entire chip has ever been done, but reflashing individual partitions via NVflash has been done and is a great way to de-brick.
Click to expand...
Click to collapse
Someone has reported doing this successfully for a N7?
Link please! (To my knowledge the successes with nvflash and the Asus TF2xx have not been reproduced on the N7)

Волк said:
Ok, so since you used dd to make an image of your chip, you should be able to use NVflash to write that back to mmcblk0. I don't know that reflashing the entire chip has ever been done, but reflashing individual partitions via NVflash has been done and is a great way to de-brick.
Sent from my LG-P999 using xda premium
Click to expand...
Click to collapse
I can restore from backup, when I'll get sbk

As bftb0 said, how can you even use nvflash on the N7's? Can I use the dd command on a working N7 that has CM 10.1 and twrp in apx mode to save the boot partition or the bootloader and also get the sbk?
Is there really any way to retrieve the sbk on a working N7 to date? So far I think everyone has been unsuccessful, and I have posted on several threads about on how to restore by other methods such as jtag? I think even with jtag if I could access it on the mainboard and be able to use it, I would still need complex script/software. I don't think anyone is ever going to be able to figure out how to get nvflash to work on our devices!!

androidfr33k said:
Can I use the dd command on a working N7 that has CM 10.1 and twrp in apx mode to save the boot partition or the bootloader and also get the sbk?
Click to expand...
Click to collapse
osm0sis has a thread / script in these (XDA N7) forums which allows altering lock state of an individual tablet by capturing/writing the bootloader partition using dd as you describe. But the catch is that every device performs this operation in a unique manner combining the sbk with a device serial# to uniquely encrypt/sign the boot loader - so you can not capture it from a working tablet and write it to a different (bricked) tablet.
Also, the sbk is not stored in flash memory - the flash memory is considered to be "untrusted media" by the processor. (That's what the patent documents that the OP provided links to describe)

bftb0 said:
osm0sis has a thread / script in these (XDA N7) forums which allows altering lock state of an individual tablet by capturing/writing the bootloader partition using dd as you describe. But the catch is that every device performs this operation in a unique manner combining the sbk with a device serial# to uniquely encrypt/sign the boot loader - so you can not capture it from a working tablet and write it to a different (bricked) tablet.
Also, the sbk is not stored in flash memory - the flash memory is considered to be "untrusted media" by the processor. (That's what the patent documents that the OP provided links to describe)
Click to expand...
Click to collapse
Can I capture it on my working tablet to use if I brick my tablet (same tablet)? If so then that is a great tool!!

androidfr33k said:
Can I capture it on my working tablet to use if I brick my tablet (same tablet)? If so then that is a great tool!!
Click to expand...
Click to collapse
Yes you may capture it, No it is not for brickings (due to chicken-vs-egg issues).
http://forum.xda-developers.com/showthread.php?t=2068207
The purpose of it is primarily to allow unlocking/relocking of the bootloader without wiping the user data partition.
Since it does this by writing the appropriate partition from a booted kernel (either OS or recovery), it clearly is not for "bootloader got messed up" bricks.
I mentioned it in the context of this thread (it's a little off-topic) because the devs involved had noticed in the course of their work that the binary blob of data for the bootloader is uniquely encrypted for each tablet. This is consistent with the process shown in the (.pdf) Patent filings that the OP provided.
I haven't tried it yet, so I can't vouch for it, but others have (but note the thread date, too - probably before v4.18 boot loader - I also don't know if that is significant or not). Doing this is on my "to do list", though.

Information on how to root the T-Mobile G6 [NOT A GUIDE]

Hey guys, Honestly Annoying here! I worked on rooting the G5 for about 9 months last year, and finally got it after receiving a userdebug kernel.
I spent a lot of time researching and talking with tons of different devs, and here is a list of all of the information I have collected.
UNLOCK.BIN
First of all, this is ONLY for the devices that LG officially unlocks. It is processed by fastboot (aboot partition) and unless LG unlocks it officially, it will not recognize the "fastboot flash unlock unlock.bin" command. At this point there is no point in talking about this because the T-Mobile variant does NOT accept an unlock.bin to unlock, it accepts the oem fastboot command.
TL;DR: The unlock.bin is useless for any American G6. Don't waste your time trying to spoof it.
If you still want to attempt and spoof it (for some reason), it isn't possible. Some great explanations on how it is coded and works are posted in this thread here, make sure to leave those guys a thanks.
TOT INJECTING
For the G5, this was the only way T-Mobile users could achieve root before dirtyc0w. Unfortunately, this is not a liable option for the G6 (or v20) anymore, as LG is now signing the TOTs and the LAF partition will brick the device if an unsigned TOT is flashed. I have a theory on why this is the case, but don't want to accuse anyone of something if I am wrong (if you do a bit of research about this you will understand). I would not recommend trying this out as it will brick your device.
LG LAF BACKDOOR
If you have been with the LG scene for a while, you may know about the LAF backdoor. It has been documented publicly here (PLEASE leave him a thanks!), and there are a few other things that I have discovered with this as well that are not public as of now as I am not exactly sure what to do with them (PM for details). LG did patch this tool, but part of the code still works and with some work we could possibly figure out the new code. At this point I believe this is the most likely way to flash TWRP (use the dd command), but I have not been able to look at the new LAF commands as I do not own the G6.
TL;DR: LF LAF Backdoor probably still exists, it will just take work to find it out. If someone does figure out the new codes TWRP is easily flashable
DIRTYC0W
This was patched in December/November. Don't waste your time trying this out, as it has been confirmed not to work.
This is all of the information I can think of right now, I will continue to update this thread as I can think of other things to not waste time testing.

man, good thing i didn't sell my 3t , i kind of , sort of, can't live without molesting my device.

what are the chances the at&t version will be rooted? just got mine today, really like it but no root ill be taking it back.

I believe we are on the same page of why the tot files are being signature enforced now...
Sent from my LG-H918 using XDA-Developers Legacy app

fix-this! said:
what are the chances the at&t version will be rooted? just got mine today, really like it but no root ill be taking it back.
Click to expand...
Click to collapse
I think you will be taking it back...unless you dont mind waiting for a long time.
I really like the G6. i think LG nailed it this time but for me its a paperweight since it was likely to be BL locked.
Sent from my Note 7, S7 Edge or S6

Just a heads up, carrier locked LG G5's are still unrooted. I would imagine that the G6 would follow a similar fate.

henryjumbo said:
Just a heads up, carrier locked LG G5's are still unrooted. I would imagine that the G6 would follow a similar fate.
Click to expand...
Click to collapse
I couldn't agree more. T-Mobile is the only one that allowed oem unlock in the us of all carriers so naturally it was eventually rootable.

This thread shows how to enable disabled fastboot commands on the Alcatel OneTouch Idol 3, maybe we could also use this method: https://forum.xda-developers.com/idol-3/development/6039-guide-how-to-return-fastboot-t3201077

nima0003 said:
This thread shows how to enable disabled fastboot commands on the Alcatel OneTouch Idol 3, maybe we could also use this method: https://forum.xda-developers.com/idol-3/development/6039-guide-how-to-return-fastboot-t3201077
Click to expand...
Click to collapse
Link doesn't work

Josh McGrath said:
Link doesn't work
Click to expand...
Click to collapse
Just clicked on it and it worked, you might have to go back to the first page though.

nima0003 said:
Just clicked on it and it worked, you might have to go back to the first page though.
Click to expand...
Click to collapse
That's weird, it still doesn't work for me :/ oh well, no biggie

Honestly Annoying said:
LG LAF BACKDOOR
If you have been with the LG scene for a while, you may know about the LAF backdoor. It has been documented publicly here (PLEASE leave him a thanks!), and there are a few other things that I have discovered with this as well that are not public as of now as I am not exactly sure what to do with them (PM for details). LG did patch this tool, but part of the code still works and with some work we could possibly figure out the new code. At this point I believe this is the most likely way to flash TWRP (use the dd command), but I have not been able to look at the new LAF commands as I do not own the G6.
TL;DR: LF LAF Backdoor probably still exists, it will just take work to find it out. If someone does figure out the new codes TWRP is easily flashable
Click to expand...
Click to collapse
Thank you for the information. I'd be open to trying to flash TWRP using lglaf. But too much, including my job, depends on my having a functional, non-bricked phone. If I were to give this a shot and it turns out that my phone decides it wants to punch me in the eye, would I be able to use LGUP and flash the stock KDZ and have a functioning phone again? Obviously, nobody can really give a certain "Yes" to such a question, but I'd be happy with something along the lines of, "Unless you shoot yourself in the foot and/or your phone gets struck by lightning during the flash process, you should be good."
That said, I have another question. To be honest, I don't really care if my phone is rooted or not. In fact, I like using Android Pay. All I really want to do is have a usable phone in my home, where I have almost zero mobile signal. Unfortunately, that requires making a few small changes to /system/etc/wifi/WCNSS_qcom_cfg.ini.
Last time I was in LG Land, I don't think there was yet an "lglalf" utility. There was the "send_command" utility instead. Regardless, I seem to recall using this utility to mount /system/ RW, making the changes I wanted to /system/etc/wifi/WCNSS_qcom_cfg.ini, rebooting, and having an unrooted V10 that even took OTA updates, retained my changes to that file, and had working WiFi as a result.
Any thoughts on using the same methodology with the lglaf utility on the G6? My concern is that the bootloader or some other process may be doing some kind of checksum and, if the hash doesn't match what it expects to see, it will basically crap itself and tell me my phone is not safe, etc.
P.S. I spend many work days staring at wireshark captures trying to find the source of spanning tree goofiness on networks that are /20 and /21 in size. So, staring at USB packet dumps to try to make heads or tails out of what is going on would not bother me in the slightest, should you wish to give me a push in the right direction.

I spent some time messing around with the lglaf tool today. The normal version doesn't work, most commands give error code 0x8000010a. Apparently, that is the result of some additional security LG added to the process, in the form of a handshake. I found a pull request that adds an --unlock option here: https://github.com/Lekensteyn/lglaf/pull/12 - note that the code in the pull request is not compatible with python 3, so you'll need to be on python 2 to run it. The --unlock switch is not a bootloader unlock, but it triggers the authentication handshake. Unfortunately, neither of the keys provided along with that worked with the G6. So, if there are no other changes to the laf other than a new key, figuring out the new key might be enough to make some additional progress.

any peoples out there have access to:
extra G6 boards...
or broken G6..
or bad esn/imei G6..
or bricked G6.. etc?
Would love to start poking this device but I'm still paying off my G5.
Every now n then a repair tech or service center worker comes along.. and sometimes they have access to damaged/broken devices that are just collecting dust. I'm not looking for donations or anything like that.. just need a G6 board to work with.
Hit me up on my Twitter or something if you might have access to these things... https://twitter.com/@utoprime

autoprime said:
any peoples out there have access to:
extra G6 boards...
or broken G6..
or bad esn/imei G6..
or bricked G6.. etc?
Would love to start poking this device but I'm still paying off my G5.
Every now n then a repair tech or service center worker comes along.. and sometimes they have access to damaged/broken devices that are just collecting dust. I'm not looking for donations or anything like that.. just need a G6 board to work with.
Hit me up on my Twitter or something if you might have access to these things... https://twitter.com/@utoprime
Click to expand...
Click to collapse
Autoprime, after you pay off that G5, you can call T-Mobile or contact them from Twitter and they can do JOD. 3 upgrades a year. I just paid off my G4 and am doing that now and got the S8+. Then I can jump to the V30, then jump to the Pixel 2 possible all this year.
Sent from my SM-G955U using Tapatalk

MicroMod777 said:
Autoprime, after you pay off that G5, you can call T-Mobile or contact them from Twitter and they can do JOD. 3 upgrades a year. I just paid off my G4 and am doing that now and got the S8+. Then I can jump to the V30, then jump to the Pixel 2 possible all this year.
Sent from my SM-G955U using Tapatalk
Click to expand...
Click to collapse
not a bad idea.. it's a great way to get multiple phones in a year. the only thing keeping me from hopping on JOD is that I'd probably regret giving the phones back.. never know when you need to revisit an old phone to test something. But doing something like JOD may be the only way I can get multiple phones.. we shall see when it comes time to pay off my G5
I don't even use these phones as my main device.. they never leave my desk and often never even have a sim card put in them. So if I could get my hands on just a board.. or broken phone or something that'd be most ideal for my situation. But.. we can't always get what we want now can we? :crying:

hendusoone said:
I spent some time messing around with the lglaf tool today. The normal version doesn't work, most commands give error code 0x8000010a. Apparently, that is the result of some additional security LG added to the process, in the form of a handshake. I found a pull request that adds an --unlock option here: - note that the code in the pull request is not compatible with python 3, so you'll need to be on python 2 to run it. The --unlock switch is not a bootloader unlock, but it triggers the authentication handshake. Unfortunately, neither of the keys provided along with that worked with the G6. So, if there are no other changes to the laf other than a new key, figuring out the new key might be enough to make some additional progress.
Click to expand...
Click to collapse
Yeah, I ran into some of the same error message. Check out the thread for Issue #7. (Sorry, too "new" to post a link, but it's here: https://github.com/Lekensteyn/lglaf/issues/7 ) This provides some clues as to how to possibly go about getting the right keys. I will mess around with this tomorrow.
I also noticed something about the HELO command. The protocol documentation states that arg1 is the protocol version and states, "(resp must match req.)" without further details being provided. As the documentation states, lglaf is sending a value of 0x01000001 (\1\0\0\1), but the response does not match. The response that is being sent back by the device is (little-endian) 0x01000005 (\5\0\0\1). Yet, neither the lglaf utility nor the device balk, as noted by the ability to subsequently run '!INFO GPRO \x08\x0b\0\0' and/or '!CTRL RSET'
Also, the second argument is minimum version. The device is sending a response that indicates the minimum version is 0x10000001 (\1\0\0\10). It would appear that the device is saying its minimum version is higher than our version, which is 0x01000001.
And again, not sure if it means anything at all since it does seem to be working, but for science, at least:
host to 2.2.2 (request): HELO version 0x01000001
Code:
0000 48 45 4c 4f [COLOR="Blue"][B]01[/B] 00 00 01[/COLOR] 00 00 00 00 00 00 00 00 HELO............
0010 00 00 00 00 00 00 00 00 5c b1 00 00 b7 ba b3 b0 ........\.......
2.2.3 to host (response): HELO version 0x01000005 min version 0x10000001
Code:
0000 48 45 4c 4f [COLOR="DarkOrange"][B]05[/B] 00 00 01[/COLOR] [COLOR="Red"]01 00 00 [B]10[/B][/COLOR] 00 00 80 00 HELO............
0010 02 00 00 00 00 00 00 00 9e 3c 00 00 b7 ba b3 b0 .........<......

ariesgeek said:
Yeah, I ran into some of the same error message. Check out the thread for Issue #7. (Sorry, too "new" to post a link, but it's here: https://github.com/Lekensteyn/lglaf/issues/7 ) This provides some clues as to how to possibly go about getting the right keys. I will mess around with this tomorrow.
I also noticed something about the HELO command. The protocol documentation states that arg1 is the protocol version and states, "(resp must match req.)" without further details being provided. As the documentation states, lglaf is sending a value of 0x01000001 (\1\0\0\1), but the response does not match. The response that is being sent back by the device is (little-endian) 0x01000005 (\5\0\0\1). Yet, neither the lglaf utility nor the device balk, as noted by the ability to subsequently run '!INFO GPRO \x08\x0b\0\0' and/or '!CTRL RSET'
Also, the second argument is minimum version. The device is sending a response that indicates the minimum version is 0x10000001 (\1\0\0\10). It would appear that the device is saying its minimum version is higher than our version, which is 0x01000001.
And again, not sure if it means anything at all since it does seem to be working, but for science, at least:
host to 2.2.2 (request): HELO version 0x01000001
Code:
0000 48 45 4c 4f [COLOR="Blue"][B]01[/B] 00 00 01[/COLOR] 00 00 00 00 00 00 00 00 HELO............
0010 00 00 00 00 00 00 00 00 5c b1 00 00 b7 ba b3 b0 ........\.......
2.2.3 to host (response): HELO version 0x01000005 min version 0x10000001
Code:
0000 48 45 4c 4f [COLOR="DarkOrange"][B]05[/B] 00 00 01[/COLOR] [COLOR="Red"]01 00 00 [B]10[/B][/COLOR] 00 00 80 00 HELO............
0010 02 00 00 00 00 00 00 00 9e 3c 00 00 b7 ba b3 b0 .........<......
Click to expand...
Click to collapse
I have the KILO commands here... this is the work of @FluffyMittens and our findings by using a serial port sniffer while running a word generator that sent different commands through a serial connection.
KILOCENT (this is the handshake, cleaned up)
Code:
4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BE E3 7B 00 00 BE B4 BE B6 BE B3 BE B0
RAW HEXIDECIMAL
Code:
0x4B 0x49 0x4C 0x4F 0x43 0x45 0x4E 0x54 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (insert byte) 0xE3 0x7B 0x00 0x00 (insert byte) 0xB4
(insert byte) 0xB6 (insert byte) 0xB3 (insert byte) 0xB0
KILOMETR (cleaned up)
Code:
4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 BE B4 BE B6 BE B3 BE B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RAW HEXIDECIMAL
Code:
0x4B 0x49 0x4C 0x4F 0x4D 0x45 0x54 0x52 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (insert byte) 0xB4 (insert byte) 0xB6 (insert byte) 0xB3 (insert byte) 0xB0
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
KILOGRAM (key)
Code:
dqoev)ohnsWu\\bk`oiicmZ_lpqe\\ealp
I don't exactly know how to use these. I know that these are supposed to be "secret" but since the LG scene has gone down recently here they are. Hopefully this helps, if anyone needs anything more I have some more commands as well.

So... I tried lglaf.py with that new kilogram key, but it didn't work. Then, I went back and took another stab at updating the version with --unlock to be compatible with python 3. I was a bit more successful this time, and it is able to complete the handshake and execute commands (like ls) without erroring out. It's using the old key - the new one you provided errors out. I don't know of a safe way to test writing data to the G6, so I will leave that to someone a bit more experienced.
I have attached my updated lglaf.py to this post. Extract it to your lglaf directory overwriting the existing lglaf.py. If you don't have lglaf yet, get it here first: https://github.com/Lekensteyn/lglaf
Requirements:
Install python3, then run: pip install pycryptodomex
Once that's done, you should be able to execute commands like this:
python lglaf.py --unlock --debug -c "!EXEC ls -l /system/\0"
Note that partitions.py is not working.

hendusoone said:
So... I tried lglaf.py with that new kilogram key, but it didn't work. Then, I went back and took another stab at updating the version with --unlock to be compatible with python 3. I was a bit more successful this time, and it is able to complete the handshake and execute commands (like ls) without erroring out. It's using the old key - the new one you provided errors out. I don't know of a safe way to test writing data to the G6, so I will leave that to someone a bit more experienced.
I have attached my updated lglaf.py to this post. Extract it to your lglaf directory overwriting the existing lglaf.py. If you don't have lglaf yet, get it here first: https://github.com/Lekensteyn/lglaf
Requirements:
Install python3, then run: pip install pycryptodomex
Once that's done, you should be able to execute commands like this:
python lglaf.py --unlock --debug -c "!EXEC ls -l /system/\0"
Note that partitions.py is not working.
Click to expand...
Click to collapse
Can it run any other commands besides "ls"? Try out "id" and "whoami"

Root with CVE-2019-2215?

Anyone have any luck running [the poc exploit](https://forum.xda-developers.com/ga...ompiled-executed-zero-day-exploitcve-t3978059) for CVE-2019-2215 on an Oreo LG V20? It's listed as one of the affected devices in the news reports. I'd love to get even a temp root.
For me (LS997) the poc stops with writev returning 0x1000 (it should return 0x2000 if the poc is working).
I have played around with the poc.c source code and noticed that if I change WAITQUEUE_OFFSET to 0x90, the device crashes and reboots. Since an untrusted app isn't supposed to be able to reboot a device, this suggests that there may be an exploitable thing around there somewhere.

Looking at the kernel source on the LG site (at least for the LS997), the LGV20 does have the bug in the kernel. However, the LGV20's kernel has a different layout of struct binder_thread than the version of the kernel the poc is designed for. And unfortunately it's not just a trivial fix, because the poc assumes the waitqueue field is 16-byte aligned, while on the LGV20 it's only 8-byte aligned (because there is one less field in the struct). There is probably a way around this, but I am not good at this sort of stuff: I don't really understand how the poc works. If anybody here does, maybe we can pool our minds and work together.

arpruss said:
Looking at the kernel source on the LG site (at least for the LS997), the LGV20 does have the bug in the kernel. However, the LGV20's kernel has a different layout of struct binder_thread than the version of the kernel the poc is designed for. And unfortunately it's not just a trivial fix, because the poc assumes the waitqueue field is 16-byte aligned, while on the LGV20 it's only 8-byte aligned (because there is one less field in the struct). There is probably a way around this, but I am not good at this sort of stuff: I don't really understand how the poc works. If anybody here does, maybe we can pool our minds and work together.
Click to expand...
Click to collapse
what is the waitqueue offset in the binder_thread struct in your kernel?

chompie1337 said:
what is the waitqueue offset in the binder_thread struct in your kernel?
Click to expand...
Click to collapse
0x98=152, assuming the kernel source I downloaded is correct and assuming I counted all the fields right. Here is my count (counting 64-bits at a time):
Code:
struct binder_thread {
struct binder_proc *proc; // 1
struct rb_node rb_node; // 4
struct list_head waiting_thread_node; // 6
int pid;
int looper; /* only modified by this thread */ // 7
bool looper_need_return; /* can be written by other thread */ // 8
struct binder_transaction *transaction_stack; // 9
struct list_head todo; // 11
struct binder_error return_error; // 15
struct binder_error reply_error; // 19
wait_queue_head_t wait; // spinlock_t + list_head
struct binder_stats stats;
atomic_t tmp_ref;
bool is_dead;
struct task_struct *task;
};

hmm. i see what you mean by alignment now.
this define
Code:
#define IOVEC_ARRAY_SZ (BINDER_THREAD_SZ / 16) //25
makes me believe that the size of iovec_array[ IOVEC_ARRAY_SZ] defined on line 75, has to equal size of struct binder_thread this is because somehow, the contents iovec_array overwrites the contents of a binder_thread structure. which means, that iovec_array[IOVEC_INDX_FOR_WQ] should contain the contents of binder_thread->wait.
wait_queue_head is defined as:
Code:
struct wait_queue_head {
spinlock_t lock;
struct list_head head;
};
meaning you have to make sure that the values in iovec_array[IOVEC_INDX_FOR_WQ] correspond correctly to the wait_queue_head but also line up so the writev works. there's definitely some trickery you could do to make this work. my first thought is you know that &iovec_arrary[9].len (offset 0x98) should point to values that make sense for a wait_queue_head struct. i'm working on understanding this better, though.

don't you guys think that 0xDEADBEEFs should go away before this so-called poc start working? any ideas on that one?

GoofMan69 said:
don't you guys think that 0xDEADBEEFs should go away before this so-called poc start working? any ideas on that one?
Click to expand...
Click to collapse
that's where the use after free bug should come in.
Code:
ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);
when this is called, the binder_thread structure is freed in the kernel.
immediately after the parent process calls,
Code:
b = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ);
in the kernel, memory is allocated to copy over iovec_array from userspace. this poc depends on the pointer from this allocation, to be the same as the recently freed binder_thread memory.
then, when the child process exits, the EPOLL cleanup will use the waitqueue in the binder_thread structure, that has been overwritten with the values in iovec_array. when EPOLL cleanup unlinks the waitqueue, 0xDEADBEEF will get overwritten by a pointer in kernelspace. this has to happen just before the writev call in the parent process starts to copy over the second buffer, which gets us a kernel space memory leak.
if writev is returning 0x1000 it means the timing is off, the wait queue offset is off, the kmalloc allocation in the writev function isn't the same as the freed binder_thread, or your kernel isn't vulnerable.

One simplifying issue is that with Kernel 3.18, we don't have KASLR, so we don't need to leak the kernel address. Hence the first part of the poc is unnecessary, assuming we can get the addresses.
Are there any rooted LGV20 variants using the 3.18 kernel? If so, it might help if someone with one of these were to post a copy of /proc/kallsyms

try
lg q710 kernel 3.18
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

chompie1337, thank you for such detailed description.
So, child must exit and epoll-cleanup code should be done to the time when parent's writev() starts to copy 2nd buffer (as you say, 0xdeadbeef will be replaced by that time). But there's a sleep(2) in the child. Do you think it is appropriate? Hardly it'll take writev 2s to copy first buffer, maybe 2ms or smth?
Also, why does child call epoll_ctl(EPOLL_CTL_DEL)? Isn't it a thing, that we should NOT do for the bug to come in?

From reading the poc, it looks like deleting the event from the epoll queue, after the binder thread has terminated, (somehow) causes the pointer wq->task_list->prev to have the value &(wq->task_list->next). If the kernel allocates its copy of the iovec array in the same place as the old binder_thread structure was, the wq->task_list->prev pointer will fall in an iov_base location in the array, and hence an iov_base will get overwritten. Moreover, the poc ensures this happens AFTER the kernel has checked that the iovec is one the user has permission to use for reading or writing. In the clobber function, then, the epoll event deletion makes the iov_base point to a position in the kernel heap--indeed, inside the kernel's pre-checked copy of the iovec array--which the poc leverages to write data to any location the kernel has access to (by first rewriting the next little bit of the pre-checked iovec array).
Unfortunately, with the 3.18 kernel, the event deletion causes a value to be written to an iov_len location in the iovec array, which allows one to change the amount of data being written but not the location being written to. This is good enough for crashing the device and probably for leaking a lot of data, but I have not been able to figure out how to use it for rooting.
If the kernel could be manipulated to allocate its copy of the iovec array 8-bytes further down in the heap, that would solve the problem, but I don't know if it can be done: I don't think the kmalloc-512 allocator will do that. But I could be wrong. Otherwise, I think one needs some other technique than the readv/writev trick used in the poc.
I am, unfortunately, quite new to this kind of thing. An experienced kernel hacker can probably see in an instant what to do.

I'm not sure the PoC crash is entirely because of the kernel version. My device (not the V20, just here to cooperate to develop the exploit) has kernel version 4.4 but it crashes at the first EPOLL_CTL_DEL. Where does the V20 crash when you change the WAITQUEUE_OFFSET?

Oh, I see... So writev would block after writing first dummy_page_4g_aligned of length 0x1000, because pipe's queue is full (pipe size is also 0x1000). So there isn't actually any timing tweak required, right?
Btw, i've managed to get some memory from kernel (from my device, not the V20) and non-null curent ptr, but kernel_read fails, even when reading 4 bytes from cur_ptr without any offset
Can anyone comment on line 119:
current_ptr = *(unsigned long *)(page_buffer + 0xe8);
What is 0xE8? Where does it come from?
Another strange thing: if i run poc with wd offset like for ex. 0xb0 right after reboot - i get another reboot right away, repeatability 100%. but if i run at first with offset like 0xc0 - of course i get writev 0x1000 and poc exits, but if i rerun poc with 0xb0 right after that - it will not cause reboot, but correct leak of mem happens

GoofMan69 said:
Oh, I see... So writev would block after writing first dummy_page_4g_aligned of length 0x1000, because pipe's queue is full (pipe size is also 0x1000). So there isn't actually any timing tweak required, right?
Click to expand...
Click to collapse
The sleep(2) is needed to make sure the THREAD_EXIT, which frees the binder_thread object, as well as the subsequent allocation of the iovec buffer in kernel memory take effect before the EPOLL_CTL_DEL. The pipe blocking happens only after the the EPOLL_CTL_DEL.
Can anyone comment on line 119:
current_ptr = *(unsigned long *)(page_buffer + 0xe8);
What is 0xE8? Where does it come from?
Click to expand...
Click to collapse
I'm guessing that 0xe8 comes from the author's looking at a hexdump of the page to find where there is a pointer to kernel stuff to help figure out where the address limit is held in memory, so it can be clobbered.

GoofMan69 said:
Oh, I see... So writev would block after writing first dummy_page_4g_aligned of length 0x1000, because pipe's queue is full (pipe size is also 0x1000). So there isn't actually any timing tweak required, right?
Btw, i've managed to get some memory from kernel (from my device, not the V20) and non-null curent ptr, but kernel_read fails, even when reading 4 bytes from cur_ptr without any offset
Can anyone comment on line 119:
current_ptr = *(unsigned long *)(page_buffer + 0xe8);
What is 0xE8? Where does it come from?
Another strange thing: if i run poc with wd offset like for ex. 0xb0 right after reboot - i get another reboot right away, repeatability 100%. but if i run at first with offset like 0xc0 - of course i get writev 0x1000 and poc exits, but if i rerun poc with 0xb0 right after that - it will not cause reboot, but correct leak of mem happens
Click to expand...
Click to collapse
page_buffer + 0xe8 should point to the current thread's thread_info structure, where the addr_limit is held
---------- Post added at 08:35 AM ---------- Previous post was at 08:19 AM ----------
arpruss said:
From reading the poc, it looks like deleting the event from the epoll queue, after the binder thread has terminated, (somehow) causes the pointer wq->task_list->prev to have the value &(wq->task_list->next).
Click to expand...
Click to collapse
yes, you are correct. i believe it is because remove_wait_queue is called for the wait_queue_head found in the binder_thread structure which eventually results in a call to __list_del where this happens:
http://androidxref.com/kernel_3.18/xref/include/linux/list.h#87

I can now leak data on my LGV20 with the 3.18 kernel using this modified poc: https://github.com/arpruss/cve2019-2215-3.18
The key is to realize that the following happens during the after-free cleanup at least on my 3.18.71 kernel:
1. The spinlock appears receive the value 0x10001
2. The prev and next pointers in the queue head point to the queue head.
If everything works, you will have a bunch of hex data, which starts with two 8-byte pointers with equal values.
This may or may not get us closer to actually elevating privileges, but I thought I'd share it to help others.
Code:
1|elsa:/data/local/tmp $ uname -a
Linux localhost 3.18.71-perf+ #1 SMP PREEMPT Tue Jul 17 14:44:34 KST 2018 aarch64
elsa:/data/local/tmp $ ./poc98
Starting POC
PARENT: Calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial page
CHILD: dummy data
CHILD: leak data
writev() returns 0x12001
CHILD: Finished write to FIFO.
PARENT: Done with leaking
00000000 a0 f8 c4 f3 c0 ff ff ff a0 f8 c4 f3 c0 ff ff ff |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

arpruss said:
I can now leak data on my LGV20 with the 3.18 kernel using this modified poc: https://github.com/arpruss/cve2019-2215-3.18
The key is to realize that the following happens during the after-free cleanup at least on my 3.18.71 kernel:
1. The spinlock appears receive the value 0x10001
2. The prev and next pointers in the queue head point to the queue head.
If everything works, you will have a bunch of hex data, which starts with two 8-byte pointers with equal values.
This may or may not get us closer to actually elevating privileges, but I thought I'd share it to help others.
Code:
1|elsa:/data/local/tmp $ uname -a
Linux localhost 3.18.71-perf+ #1 SMP PREEMPT Tue Jul 17 14:44:34 KST 2018 aarch64
elsa:/data/local/tmp $ ./poc98
Starting POC
PARENT: Calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial page
CHILD: dummy data
CHILD: leak data
writev() returns 0x12001
CHILD: Finished write to FIFO.
PARENT: Done with leaking
00000000 a0 f8 c4 f3 c0 ff ff ff a0 f8 c4 f3 c0 ff ff ff |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Click to expand...
Click to collapse
Nice work. Now without the spinlock issue crashing, the kernel write is failing. This is because the recvmsg implementation for the 3.18 kernel checks each address right before it's copied over to the buffer. In the writev/readv the access check for addresses are all done at once at the beginning of the call, so that's why the leaking works. Working now on trying to use readv instead of recvmsg

chompie1337 said:
Nice work. Now without the spinlock issue crashing, the kernel write is failing. This is because the recvmsg implementation for the 3.18 kernel checks each address right before it's copied over to the buffer. In the writev/readv the access check for addresses are all done at once at the beginning of the call, so that's why the leaking works. Working now on trying to use readv instead of recvmsg
Click to expand...
Click to collapse
It was tricky to get it working, but I can now write to an arbitrary kernel address using: https://github.com/arpruss/cve2019-2215-3.18/blob/master/poc98-overwrite-pipe.c
Unfortunately, one more ingredient is needed: I need the address of the thread_info structure in order to modify addr_limit. On 4.4+, this is easy, as it's part of the task_struct, which the leaked current_ptr points to. On 3.18, thread_info is at the beginning of the kernel stack. So what we need to do is to leak the kernel stack location. If you know how to do that -- e.g., extracting it in some way from the big kernel heap leak -- let me know.
Or one use some other method. For instance, one can heap spray with a bunch of struct file objects, use the big kernel heap leak to find one of the sprayed objects (e.g., one can seek to a unique random location in a sparse file, and search for that offset in the leaked kernel heap), and modify its ops pointer to point to a doctored list of ops that calls a user function. I think this should work, unless we're unlucky and the binder_thread object is not anywhere near one of the sprayed file objects.
Or else if someone has the exact same kernel on a rootable device, they could send me the output of cat /proc/kallsyms, and one could modify some syscall to call a user function.
Now that I have a big kernel heap memory leak plus arbitrary address writing it's just a matter of time before we have a full exploit, I expect.

arpruss said:
It was tricky to get it working, but I can now write to an arbitrary kernel address using: https://github.com/arpruss/cve2019-2215-3.18/blob/master/poc98-overwrite-pipe.c
Unfortunately, one more ingredient is needed: I need the address of the thread_info structure in order to modify addr_limit. On 4.4+, this is easy, as it's part of the task_struct, which the leaked current_ptr points to. On 3.18, thread_info is at the beginning of the kernel stack. So what we need to do is to leak the kernel stack location. If you know how to do that -- e.g., extracting it in some way from the big kernel heap leak -- let me know.
Or one use some other method. For instance, one can heap spray with a bunch of struct file objects, use the big kernel heap leak to find one of the sprayed objects (e.g., one can seek to a unique random location in a sparse file, and search for that offset in the leaked kernel heap), and modify its ops pointer to point to a doctored list of ops that calls a user function. I think this should work, unless we're unlucky and the binder_thread object is not anywhere near one of the sprayed file objects.
Or else if someone has the exact same kernel on a rootable device, they could send me the output of cat /proc/kallsyms, and one could modify some syscall to call a user function.
Now that I have a big kernel heap memory leak plus arbitrary address writing it's just a matter of time before we have a full exploit, I expect.
Click to expand...
Click to collapse
Amazing work! Going to try it out now. How do you know that current_ptr points to task_struct? On my Pixel (3.18 kernel) current_ptr points to thread_info. Wondering why that's different?
edit: nvm, i see now. it's in an offset of the binder_thread structure.

arpruss said:
It was tricky to get it working, but I can now write to an arbitrary kernel address using: https://github.com/arpruss/cve2019-2215-3.18/blob/master/poc98-overwrite-pipe.c
Unfortunately, one more ingredient is needed: I need the address of the thread_info structure in order to modify addr_limit. On 4.4+, this is easy, as it's part of the task_struct, which the leaked current_ptr points to. On 3.18, thread_info is at the beginning of the kernel stack. So what we need to do is to leak the kernel stack location. If you know how to do that -- e.g., extracting it in some way from the big kernel heap leak -- let me know.
Or one use some other method. For instance, one can heap spray with a bunch of struct file objects, use the big kernel heap leak to find one of the sprayed objects (e.g., one can seek to a unique random location in a sparse file, and search for that offset in the leaked kernel heap), and modify its ops pointer to point to a doctored list of ops that calls a user function. I think this should work, unless we're unlucky and the binder_thread object is not anywhere near one of the sprayed file objects.
Or else if someone has the exact same kernel on a rootable device, they could send me the output of cat /proc/kallsyms, and one could modify some syscall to call a user function.
Now that I have a big kernel heap memory leak plus arbitrary address writing it's just a matter of time before we have a full exploit, I expect.
Click to expand...
Click to collapse
Isn't thread_info pointed by the stack field of task_struct?