Custom ROM Development begins for Moverio BT-200!! - Moverio BT-200 General

Howdy!
I have gone through the painstaking process of contacting Epson about kernel source for the BT-200 as the only Android version available officially is Android 4.
Having jumped through these hoops, I have gotten an OFFICIAL copy of the Kernel source code required to create a custom ROM.
Now the fun parts begin!
Bootloader needs to be unlocked (assuming it's locked to begin with), a flashing process needs to be established, and security checks need to be bypassed, and we'll finally be free from an old, oppressive Android environment!
I understand the community surrounding the BT-200 is quite small developer wise. I am going to be working on my own to do this assuming my attempt to reverse-engineer the display fails (seems to be MIPI DPI, possible to drive but not exactly ideal) and update with whatever progress I make.
The official link for the kernel source can be found HERE
Archive.org link HERE in case the above is removed for any reason.
SHA-1: 827B9352DB3001F4D018EF743CED2441AAF5589B
File hash was calculated off of my original download. Any copies you get from the official or separate sources should match it, if you are worried about the file's integrity.
I'm not sure the above is meant to be public but I doubt I can be punished for sharing a public facing link.
Feel free to ask for any additional information here, whether related to ROM development or hardware reverse-engineering. I am working on this from a hobby standpoint but I am excited to see this device get a new lease on life!

Can you please keep me informed of the developments?

Hiya, any updates on this front? The ancient Android 4 on my rooted BT-200 really does make it quite useless as most apps simply can't run on the thing due to the old Android. And now my Play Store won't sign in to Google anymore. (Not sure if there's a way to fix that with a more up-to-date but not fully up-to-date enough to not work on Android 4 at all version of the Play Store)
I wish I could help out but I know nothing about Android ROM development. I've built the Linux kernel and made some custom distros for PC x86, but as far as Android goes, I don't know much about it's internals other than how to use ADB.
EDIT:
In case anyone's curious how I got mine, since there seem to be so few owners of these out there, I thought I'd tell the tale. Classic story really, tech startup has big dreams of taking the world by storm with their totally genius idea that's never been tried before, buys like 50 advanced (*at the time, probably) AR goggles, develops apps for it, goes bust after like 5 minutes, liquidates their assets, and gives away whatever they can't sell for free.
Funnily enough, I know a guy who got a free Google Glass the exact same way. Yep, the startups never learn. Hold on, I also know someone working for a company doing Hololens stuff... Uh oh.

I recently bought one of this devices as used one. Now it is open and its resistance against being hacked is crumbling away.
I plan to port postmarketos to it, I have brought some initial support for half a dozen ebookreaders to mainline linux kernel (and mostly full support in pmOS for some of them).
So the BT200 will probably have to give up its resistance quickly.
What kind of device do you have? The retail one (without adb initially) or the developer one (with adb).
There is gpio-138 to turn on (by shorting it to GND, pin is configured with internal pullup) serial console (the group of 4 holes on the board, 1.8V!!!). Not found where it is yet, but at least console output can be enabled from a running system using
devmem2 0x4A100144 h 0x118
devmem2 0x4A100146 h 0x0
I am wondering what JP1 on the board is for, it looks quite interesting. That is a little braindump.
I hopefully found some more time this weekend to verify some more information I have.

andi44 said:
I recently bought one of this devices as used one. Now it is open and its resistance against being hacked is crumbling away.
I plan to port postmarketos to it, I have brought some initial support for half a dozen ebookreaders to mainline linux kernel (and mostly full support in pmOS for some of them).
So the BT200 will probably have to give up its resistance quickly.
What kind of device do you have? The retail one (without adb initially) or the developer one (with adb).
There is gpio-138 to turn on (by shorting it to GND, pin is configured with internal pullup) serial console (the group of 4 holes on the board, 1.8V!!!). Not found where it is yet, but at least console output can be enabled from a running system using
devmem2 0x4A100144 h 0x118
devmem2 0x4A100146 h 0x0
I am wondering what JP1 on the board is for, it looks quite interesting. That is a little braindump.
I hopefully found some more time this weekend to verify some more information I have.
Click to expand...
Click to collapse
I'm not sure if mine is a retail unit or not, but if adb is only enabled on dev units then it must be a dev unit, it in fact comes with developer mode already enabled, even when you do a factory reset. So I was able to adb into it fine. Makes sense mine was a dev unit given where it comes from, too.
I've also got it rooted now, though like I mentioned the Play Store won't sign in.
Still, sounds like some awesome reverse engineering you're doing there. I had to open mine up just to unplug and replug the battery cable. It was so dead that it wouldn't charge or come on, but that seemed to kick it back to life and now it holds a charge.

I played a bit around with reconfiguring boot order via software (persists until next cold boot),
Serial console output:
[ 110.104614] SysRq : Emergency Remount R/O
[ 110.116455] EXT4-fs (mmcblk0p8): re-mounted. Opts: (null)
[ 110.133239] EXT4-fs (mmcblk0p11): re-mounted. Opts: (null)
[ 110.155792] EXT4-fs (mmcblk0p9): re-mounted. Opts: (null)
[ 110.165161] EXT4-fs (mmcblk0p10): re-mounted. Opts: (null)
[ 110.172668] Emergency Remount complete
[ 111.113891] SysRq : Resetting
[...]
-> Some oopses left out
[ 111.233093] r7:c08601a0 r6:600001d3 r5:00000001 r4:c0825Android+ ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Sun Feb 22 04:57:56 UTC 2015
[ 111.258514]
-> last words from the old kernel
[email protected]!
-> serial boot recovery protocol, but timed out and boot starts from uSD
U-Boot SPL 2022.10-dirty (Nov 05 2022 - 21:04:17 +0100)
OMAP4460-GP ES1.1
Trying to boot from MMC1
-> apparently RAM is at least a bit correctly setup, main uboot is not ready yet,
SPL was at 0x20000 of uSD.
Conclusion: you can boot bootloaders without cryptographic protection on that device.

The tool for reconfiguring boot order (including source) until next power cycle is attached. It can be executed on adb shell as root. It also prints out some debug information on boot order wired in the hardware, reconfigures boot order and reboots.
If I understand it correctly it is: 0b110110 MMC2(1) USB(1) UART MMC1
MMC2 = internal eMMC, MMC1= uSD slot, USB(1)= some TI specific usb recovery boot. So if we provoke a failure on eMMC boot on some way, probably in the end the uSD is examined.
My tools sets the order to UART, USB, uSD card. Without opening the device, you will see the usb device for a few seconds. I guess the battery does *NOT* get charged in that situation (and then maybe you have to detach/reattach the battery to have it started again, happened to me), so power off the device by moving the power switch for a long time after playing with this tool and then you can power it on as usual to boot to the original system.
I have managed to port u-boot 2022.10 to that device, so that it can load stuff from the uSD card. I will add some documentation, but for now it is just the branch v2022.10-epson on https://github.com/akemnade/u-boot
There is omap4_embt2ws_defconfig and a script install-epson-bt200-sdcard.sh to install it to a uSD card.
It is still quite rough.
Next thing I will do is start kernel hacking with that device.
I will keep you up to date on further progress.

Some updates, the most interesting things, Pointers to further documentation will follow.
Progress is a bit slower than expected. But by playing around with alternate pullup and pulldown in pinmux setting of gpio-138 I could find the signal on the pcb. It is indeed at JP1 (backside of PCB near volume down button).
If you short it, also factory U-Boot begins talking. The 1.8V serial console is at CN1. You can break into u-boot and start e.g. fastboot. u-boot also reads the file sdboot.scr from the first fat partition of the inserted uSD-card and executes that as u-boot script if it passes censorship by the check_code command. That means that if that censorship is understood and not too hard, installation/booting of alternative systems can be started by if just inserting a specially-crafted uSD-Card before boot. No need to open the case or do any rooting before.
Anyone seen the source code of factory u-boot? What was the process to get the kernel source?
I could use help on reverse-engineering that check_code command or maybe just some creative ideas what might be accepted.
I have also managed to boot a patched 6.0.2 kernel now, but not many things are working yet.

I have finally put together some documentation here:
Epson Moverio BT-200 (embt2ws) - postmarketOS
wiki.postmarketos.org
Home
Linux kernel source tree. Contribute to akemnade/linux development by creating an account on GitHub.
github.com
Home
"Das U-Boot" Source Tree. Contribute to akemnade/u-boot development by creating an account on GitHub.
github.com
Display backlight is working now, next thing to tackle is really the display.

Related

[Q] Quick Method of Mass Enterprise Deployment Custom ROM's for Nexus 7?

Is there any way to image a custom ROM (for example) 10 Nexus 7 tablets at once? I ask as my job is trying to figure out a time-saving solution as most Google searches and forum searches say that it's a one-by-one ordeal.
Don't think so... Although flashing through fastboot or recovery really doesn't take too long.
Call up Asus and tell them you want to buy 10,000 tablets @ MSRP - but with your ROM on it. 100% time savings.
If that doesn't work, you are going to need to unlock the bootloader for each. That is only a one by one if you have just the one laptop.
Borrow some extra laptops and go hire some day laborers down at the local Home Depot. Maybe buy some USB hubs and extra cables if the laborers speak your local language and can follow instructions well.
Before that all happens you could cobble together your own boot image which manually brings up WiFi, mounts a SMB share from your WiFi LAN, downloads your ROM across wifi and then flashes that ROM. (You only need a command file in /cache/recovery to get somebody's else's non-graphical /sbin/recovery started on that job) A 5 Mb boot image will dance down the USB cable in a couple seconds, and the cable can be yanked almost as soon as the boot begins. After that, the tablet takes over doing your scripted evil bidding without human intervention.
For that, you will need only a kernel that deals with CIFS mounts and a non-graphical /sbin/recovery. But lucky you; someone has already built them for you and and you can kype them right off of XDA for free. Write your scripts and fire up mkbootimg.
Buy both devs a cup of coffee each and tell your manager that you got some day laborers to do all the work. Yay! No insurance premiums or workman's comp!
Promotion time? Yes. Assuredly. Happy days.
korockinout13: That was on par of what I was expecting... =\
bftb0: I wish it was 10,000+ units LOL! It's more like an academic deployment of 50 - 100 I'd estimate.
On the latter idea, is the custom kernel stuff in a Development section sticky? If not, do you have a link to it? Cause honestly that sounds like the best and most pain-free way of doing the images: push the boot image via USB, yank the tablet from the USB cable and put it on a charger, then continue to the next tablet.
The main reason I am asking is cause I'll be doing the imaging and I really don't want to babysit 50 - 100 Nexus 7 tablets on top of doing my daily duties. Being able to do a semi-automated deployment would be awesome and allow me to keep productive.
I have looked into this for a couple hours.
It might indeed be possible, but not without quite a bit more work. In fact, a significant enough effort that it might actually take someone unfamiliar with the territory more time than it takes to flash 100 tablets (I estimate that effort at about somewhere between 15 and 20 man-hours if done in a serial fashion with one "flashing station". Seems like a better approach would involve more than one "flashing station", though.)
I looked at current CWM and TWRP recoveries. In terms of pre-built stuff that is symlinked to the busybox, I note that TWRP have "tftp" and "ftp" and "wget", whereas CWM doesn't symlink any tool name with network functionality to it's busybox. The thinking here was that if a CIFS mount could be avoided by pulling file(s) down to the tablet with wget or ftp, that could simplify things - even raw IP could be used.
TWRP (and CWM) configures the kernel with
CONFIG_CIFS=m
but neither provide the kernel modules in their shipped recovery, nor the proprietary Broadcom drivers for the Broadcom 4330 WiFi/Bluetooth combo phy. (The latter is readily available though).
I kanged the latter into a booted TWRP recovery manually, and the firmware load seemed to take but there were other dhd_bus errors. Even if it had taken, there is still an lack of wpa_supplicant. That can be overcome by yanking one from elsewhere, but most of them are dynamically linked. That's not a big deal either - the supporting linker and shared libraries could in principle also be kanged into the recovery ramdisk as long as there is enough space in the boot partition. You have to recursively examine the shared libraries for dependencies though - one can pull in others that are not first-descendant dependents of "wpa_supplicant". (It needs stuff like SSL libs, etc).
But there is more; for example, examining the config for TWRP 2.4.1.0:
grep BCM config
# CONFIG_ARCH_BCMRING is not set
# CONFIG_BT_HCIBCM203X is not set
# CONFIG_BCM4329_RFKILL is not set
CONFIG_BCM4330_RFKILL=y
# CONFIG_BCM4329 is not set
CONFIG_BCMDHD=y
CONFIG_BCMDHD_FW_PATH="/system/vendor/firmware/fw_bcmdhd.bin"
CONFIG_BCMDHD_NVRAM_PATH="/system/etc/nvram.txt"
CONFIG_BCMA_POSSIBLE=y
# CONFIG_BCMA is not set
# CONFIG_BCM_WIMAX is not set
Note those paths in /system. I mention this because the recovery generally mounts the (flash memory) system partition right on top of /system in order to restore files during a ROM installation - which covers up any file contents stored below that mount point in the ramdisk during the time that the mount is active (file restore operations being performed into flash memory).
Same thing wpa_supplicant. Among other things, it wants to read things out of /data/misc/wifi/ e.g. wpa_supplicant.conf
Mount /data and that stuff gets covered up as well.
It might turn out that all that stuff only needs to to be read once; so I suppose if you could get the wlan0 interface configured to a pre-defined AP SSID (with no encryption and no authentication!), maybe that's only a minor issue.
Probably rather than kanging files this way and that, the right way to approach this is to clone the TWRP git repository, and modify paths and the build tree to have firmware and wpa_supplicant support infrastructure not live in either /system or /data - that way you could mount whatever you want at /data and /system without bolluxing up WiFi state management.
Or, mod the /sbin/recovery and "updater-binary" code to mount the system and data partitions at temporary mount points (instead of /system and /data) for the purpose of unpacking the ROM archives into their destination filesystems. Then any supporting firmware/configuration files for WiFi support could be done out of the ramdisk, and would not run the risk of being "covered by mounts".
Well, cheers. I'm not sure I should carry the ball on this any further, unless you have some coffee money on you.
It is tangentially related to understanding how to get Ad-hoc WiFi working, and I would like to see that though.
Maybe. Maybe not.
Good luck

[SUPPORT] Ouya Boot Menu Support Thread

Hello everyone,
This thread previously was a discussion area for the Ouya Boot Menu feature during its early development.
It's now being transitioned to a support area. The new project description/download page is at:
http://forum.xda-developers.com/showthread.php?t=2499673.
Thanks!
CWM Bootloop
Hal9k+1 said:
Hello everyone, attached is the ZIP of an updated CWM Recovery IMG file.
This image is based on the latest stock Ouya kernel in GitHub. The kernel contains some newer HDMI code, which will hopefully increase the chance of getting the CWM graphics showing up properly. I also turned off HDMI’s HDCP in the compile (not needed for a utility partition such as this), and grabbed a patch from Kulve’s Ouya kernel fork to really ensure HDCP bypass.
More importantly, the image contains Tasssadar’s excellent work involving KExec-HardBoot. This technology should allow for the implementation of a “fastboot boot”-related capability from a running ROM, enabling kernel chain loading. The recovery image in particular will be a place to practice with KExec-HardBoot, and come up with a booting method that could eventually be flashed to the boot/kernel partition.
It is fine (and recommended) to fastboot to this image as a quick verification of things. However, it will be necessary to flash to the Recovery (“SOS”) partition for proper testing of KExec-HardBoot, since there’s an embedded reboot (to Recovery in this case) in there. Do *NOT* flash this to the Boot.
A simple chain load test can be done by extracting “zImage” from this image, and “initramfs.cpio.gz” from your current ROM kernel. (Included is “unmkbootimg” that can help here - runs on Linux.) Push these to /tmp on the Ouya while it is running this image. Then enter the Ouya shell and do:
kexec --load-hardboot zImage --initrd initramfs.cpio.gz --mem-min=0xA0000000 --command-line=”$(cat /proc/cmdline)”
kexec -e
It should come up with this new kernel under your current ROM’s environment. As verification, you should see kexec files under /sys/kernel.
I’m looking to implement a basic chain loading application. It would come up before the Recovery and ADB services, and do the following:
% Pause for a bit, to allow any Alt-SysRq keyboard action (jump to Recovery or Bootloader) that may be needed.
% Check for any attached USB mass-storage devices (e.g., thumb drive), and look for the file “kernel.img”. Pull it in and boot it if present.
% If that failed, then look to “/system/kernel.img” on the Ouya itself, and boot it.
% And if that didn’t pan out, then exit and allow Recovery/ADB services to come up.
I hope all of this will be of help to others along the way!
Click to expand...
Click to collapse
Will this help with the problem I have?..
New update today it downloads automatically and then reboot to CWM and it fail verification...reboot system and it does all over again?...Any ideas Plz
View2Askew said:
Will this help with the problem I have?..
New update today it downloads automatically and then reboot to CWM and it fail verification...reboot system and it does all over again?...Any ideas Plz
Click to expand...
Click to collapse
Sorry, I'm not sure I understand. It sounds like the new stock firmware update is failing to go in, perhaps because of consistent download corruption. Whether you're actually being dropped in to the recovery partition is unclear. You might try the download again with the other networking type (Ethernet vs WiFi). You might also just disconnect from the network for the time being, and see if you remain in the firmware without interruption. From there you can consider setting up ADB to see if you can administer the Ouya from a PC.
My post is more for the developers at heart, just in case my investigation piqued anyone's interest. Ideally the post would go in the Development section, but I evidently need a few more posts here to unlock that area.
Best of luck!
Dual booting
Yes, please do enable dual/multi booting
Is there something I can do to help in that regard?
kulve said:
Yes, please do enable dual/multi booting
Is there something I can do to help in that regard?
Click to expand...
Click to collapse
Thanks kulve, and thank you for the kernel patch set. I need to get familiar with the offerings there.
I don't see any blockages in my plan so far; I just need to start in and see what comes up. At least it's a better feeling than the dead-ends encountered with the U-Boot and regular KExec investigations.
Someone more enterprising could possibly port in the MultiROM project, but I'll stick with this. Will let you know if I get stuck.
My findings so far...
- I've finally decided that shutting off HDCP in the build does nothing to help avoid the funky pink/purple squeezed screen that sometimes appears when CWM comes up. With my Asus monitor, I see the issue when the monitor was in sleep mode. Likewise, if I can switch the monitor to HDMI input at the same time as starting Recovery, then it's fine. It may be possible to hack in a fix by somehow starting and closing an HDMI session shortly before CWM itself starts. (I don't want to fight this too hard but would be nice to resolve.)
- I see how to pull the kernel and ramdisk out of an Android image (on the Ouya itself), so that they could be passed to KExec-HardBoot. I've done it with a script as a test but it may end up in an executable.
- I tried out a USB thumb drive. It's detected but no block device is made available under /dev -- I've finally decided that support is likely in a kernel module, which does not exist on the Recovery image. I'm probably not going to sweat this due to the next item.
- I notice that the CWM application can read the Ouya power button as something comparable to a keyboard key press. Borrowing this capability may allow us to count the button presses in a limited time range, and thus boot an appropriate image. (Would be easier than dealing with the pairing of the controller, but at least still wouldn't require a keyboard.) With this line of thought, I'm thinking the main image could sit in /system while any alternates could be in /sdcard or /data.
So in general, studying the code of the CWM application appears to be the next direction. Thanks - feel free to send any ideas.
Hal9k+1 said:
- I've finally decided that shutting off HDCP in the build does nothing to help avoid the funky pink/purple squeezed screen that sometimes appears when CWM comes up. With my Asus monitor, I see the issue when the monitor was in sleep mode. Likewise, if I can switch the monitor to HDMI input at the same time as starting Recovery, then it's fine. It may be possible to hack in a fix by somehow starting and closing an HDMI session shortly before CWM itself starts. (I don't want to fight this too hard but would be nice to resolve.)
Click to expand...
Click to collapse
What does the rendering in CWM? Is it Android or something lower level? I think my kernel has better HDMI support but for that the software needs to use that explicitly instead of the default one as there is not internal LCD panel (/dev/graphics/fb0 vs. fb1).
kulve said:
What does the rendering in CWM? Is it Android or something lower level? I think my kernel has better HDMI support but for that the software needs to use that explicitly instead of the default one as there is not internal LCD panel (/dev/graphics/fb0 vs. fb1).
Click to expand...
Click to collapse
It does look to be low-level, as CWM directly opens /dev/graphics/fb0 and uses ioctl() on it. I've decided to try my own compile of CWM as it does look to be a nice base for the booting effort. Will definitely look to your patches for the improved HDMI when I'm all ready -- thanks!
Hal9k+1 said:
It does look to be low-level, as CWM directly opens /dev/graphics/fb0 and uses ioctl() on it. I've decided to try my own compile of CWM as it does look to be a nice base for the booting effort. Will definitely look to your patches for the improved HDMI when I'm all ready -- thanks!
Click to expand...
Click to collapse
I noticed your comments related to this on the "Ouya CWM Recovery" thread but I'm not allowed to post there, so I'll post here.
Or actually repost as I'm mostly repeating myself. I had all kinds of issues in getting output using /dev/graphics/fb0 in Linux with the stock Ouya kernel but after some fixes the fb1 seems to work quite reliable. I get the output even if I don't have HDMI plugged in during the boot and it chooses the right resolution both for my TV (1080p) and for my monitor (1680x1050).
To all: I have updated the attachment that's present on the first post. I've synced to the latest Ouya kernel and pulled in the next HDMI patch set from Kulve. My HDMI issue now appears to be fully resolved.
Kulve: Thanks so much for refocusing me! I should have grabbed the patch from day 1, but that summary description had me a bit spooked. Note that I kept the HDMI/PRIMARY symbol enabled, so there's still only the fb0 device on this kernel.
With this handled and due to my thinking in general, I'm going to back away from trying to compile CWM itself -- I don't want to invest in CM10.1's environment at this time. Instead I will borrow CWM's UI and input technology to build an independent front-end with this Ubuntu/glibc environment I have working. My idea is to release another Recovery image when that's ready so we'll have a chance to practice/debug before moving to the Boot image.
Hal9k+1 said:
Kulve: Thanks so much for refocusing me! I should have grabbed the patch from day 1, but that summary description had me a bit spooked. Note that I kept the HDMI/PRIMARY symbol enabled, so there's still only the fb0 device on this kernel.
Click to expand...
Click to collapse
Hit the Thanks button
Anyway, do you have your kernel source code somewhere? Being able to use multiple resolutions on HDMI while keeping it as primary might be something that many Ouya Android gamers want as they might be able to play at 720p then.
ooo nice, ill try it out and see what happens
kulve said:
Hit the Thanks button
Anyway, do you have your kernel source code somewhere? Being able to use multiple resolutions on HDMI while keeping it as primary might be something that many Ouya Android gamers want as they might be able to play at 720p then.
Click to expand...
Click to collapse
Done! :laugh:
My modified files were tarred up and placed in the ZIP; let me know of any possible issue. I'm not planning on a GIT account, but anyone may feel free to pull anything back to their project. Also I understand that sticking with HDMI/PRIMARY may reduce some of the capability/flexibility you're seeing, but I wanted to stay honored to the Android/CM layout expectation if possible.
Hal9k+1 said:
Done! :laugh:
My modified files were tarred up and placed in the ZIP; let me know of any possible issue. I'm not planning on a GIT account, but anyone may feel free to pull anything back to their project. Also I understand that sticking with HDMI/PRIMARY may reduce some of the capability/flexibility you're seeing, but I wanted to stay honored to the Android/CM layout expectation if possible.
Click to expand...
Click to collapse
Any chance of getting some concise installation instructions?
zondajag said:
Any chance of getting some concise installation instructions?
Click to expand...
Click to collapse
Here's a quick executive summary until I can update the 1st post.
I'm reminded there's another XDA project (Ouya Safe Recovery) with a very similar goal as this, and works by reversing the Boot and Recovery concepts. However it's completely incompatible with us, and those users should not be doing any flashing -- at least not until we have a Boot image ready.
First step is to get rcvy092613.img to the Ouya in its /tmp directory. This may be done with an "adb push rcvy092613.img /tmp" command, or can by done through Secure Copy if an appropriate SSH server is set up.
Next step is to access the Ouya shell, either running from the main ROM or from a Recovery ROM. Be sure to become root (ensure "#" in the prompt) as needed.
Run the following to back up the old image:
cd /dev/block/platform/sdhci-tegra.3/by-name/
dd if=SOS of=/sdcard/old_rcvy.img
Make sure the new image is correct - should see "2a882d1ba8c2d543503cacb49ab0d397":
md5sum /tmp/rcvy092613.img
On to flashing Recovery:
dd if=/tmp/rcvy092613.img of=SOS
Now wait at least a full minute in case there is any internal flushing still taking place. And to finish up:
sync
reboot recovery
Aye....never enough time to tinker it seems, especially with getting over this flu.
At this point I have my own compiled code splitting the boot image file, as well as counting the power button clicks.
I want to see if I can make a welcome/instruction screen, probably by getting CWM's minui down to its core essence. From there it will hopefully just be normal integration work to achieve a new Recovery for testing.
Everyone, a new boot menu is ready for testing. Please read through the first post to see if you'd like to try it out. Apologies once again for the delay in getting this ready.
Hal9k+1 said:
Everyone, a new boot menu is ready for testing. Please read through the first post to see if you'd like to try it out. Apologies once again for the delay in getting this ready.
Click to expand...
Click to collapse
Did I read correctly that the image support multibooting?
kulve said:
Did I read correctly that the image support multibooting?
Click to expand...
Click to collapse
Hi again Kulve. It supports three Android boot images - the main + two alternates: kernel.img, kernelA1.img, & kernelA2.img. It prefers to see the selected image in /sdcard, but will shift to /system as needed.
So, it is multi-booting, but you should keep in mind that there is still only the single /system partition. So installing two normal ROMs together probably won't work out, due to that common storage area. However, one of the ROMs could be based out of /system, while any others could use some form of external/networked storage. Note that the Android image format contains both the kernel and the initial ramdisk, so I feel that a multi-boot arrangement could be done.
Hal9k+1 said:
Hi again Kulve. It supports three Android boot images - the main + two alternates: kernel.img, kernelA1.img, & kernelA2.img. It prefers to see the selected image in /sdcard, but will shift to /system as needed.
So, it is multi-booting, but you should keep in mind that there is still only the single /system partition. So installing two normal ROMs together probably won't work out, due to that common storage area. However, one of the ROMs could be based out of /system, while any others could use some form of external/networked storage. Note that the Android image format contains both the kernel and the initial ramdisk, so I feel that a multi-boot arrangement could be done.
Click to expand...
Click to collapse
My kernel is hard coded to mount the Debian (or whatever) rootfs from /dev/sdaX so Ouya's internal partitioning doesn't matter. It would be really cool to be able to put kernelA1.im to /sdcard, an USB flash drive to the USB port and boot to Debian without tinkering with adb/fastboot/etc. on a PC.
I'm not currently using any initrd-images but adding something simple should be straightforward.

[R&D]Android 4.4.4

Hi Folks
I've been working on porting Android 4.4.4 ( CM11 ) to the RaspberryPI .
Using the androidarmv6 project as I base I've created a device tree and made the modification required to get the thing built and booting into a console on the PI the thing that is currently missing is the Graphics Stack implementation which includes the Gralloc, HWComposer and OpenGLES libraries.
If you have an experience/knowledge of how the Android Graphics Stack works especially wrt Surfaceflinger internals how to Implement OpenGLES at the platform level or any of that fun stuff and also have a RaspberryPI to hand then feel free to start hacking on this.
To get started follow the README @ https://github.com/trevd/android_vendor_broadcom_rpi .
Just to be clear. This is not so much a call for help as it is an invitation to anyone who fancies the challenge as I'm pro-actively working on the Graphics stuff myself. I'm coming at this one cold however as upto until 6 weeks ago I had never done any Graphics driver development. I figured this a great opportunity to learn.
DEVELOPERS
If like me you have no experience with Graphics but want to have a go anyway then again feel free. I'll happily answer questions wrt to specifics of the development. I'll caution however that this involves a fair bit of research and the learning curve is fairly steep (IMHO). If you have no experience porting android to devices and thing like debugging device bring-up over adb then this is definitely not the place to start.
OTHER INTERESTED PARTIES
This is going to sound harsh to some folks but here goes. I'd really like to manage expectations by saying expect nothing! I will also report and have removed any non development related posts, Even nice ones! If you feel compelled to offer some encouragement just click the thanks button. It really should also go without saying but for the love of <insert favourite deity> Don't ask for an ETA.
CREDITS
My work is definitely standing on the shoulders of giants here and this wouldn't even be a thing without the fine work of the androidarmv6 project and their efforts to keep Android alive on older hardware. Also the Razdroid folks who prior work in this area has been extremely useful.
Obviously CM, Google et al and lets not forget those 1000's of linux kernel developers too.
I hope this project will come alive, cause I want any form of working Android on my Raspberry, but couldn't get an answer...
Android on that little machine would be great!
Hello everyone,
Thread cleaned.
As you all may or may not know, things had gotten off-topic on this thread. Usually it takes quite a bit of time for that to happen but somehow it began almost out of the gate.
Tempers were getting hot about whether Android is Linux or not. I'm not sure why this debate was going on but it doesn't belong here. Please stick to the topic as it pertains to this thread.
Also, please show one another a little respect. Just because you may have a difference of opinion, there's no need to start insulting one another by name-calling.
Regards
What's new?
I have read that on this site http://www.mesa3d.org/relnotes/10.3.html new gpu drives for the raspberry pi are
V 10.3 is the First one
But i am not sure
Little Bit of an update
Hi Folks OP! here.
Bit of an update. https://www.youtube.com/watch?v=GO10mkZWeA8 ....
This basically shows the PI booting to the Launcher then the whole thing goes a bit mental and fails somewhere around a dequeuing buffer attempt.
A Couple of Technical Details
This is booting without the HWComposer library ( apparently that's a thing ) big thanks @psyke83 on the armv6 who pointed me in the right direction.
The Gralloc in it's current state is pretty standard and I'm trying to get my head wrapped around how the RaspberryPI dispmanx tie's in without allocating and lock graphics buffers. There seems to be at least 3 ways of accessing the Graphics Memory via various kernel drivers.
I added blanking support to the raspberrypi kernel framebuffer driver , which was absent. I did this upstream as I'm too lazy to maintain a separate patch set This seems to have prompted ( who I think ) is the RPi kernel maintainer to extended the Videocore closed source graphics firmware to enabled HDMI power down and also add the FB_WAITFORVYNC which is something Android makes use of in many HWComposer implementations.
As we are using a close to mainline kernel which means we're not constrained to compatibility hacks wrt to the surfaceflinger service layer. at the moment that is about has much as I know. Currently the AOSP Display Stack is a moving target and there's discussions going on with regard to Dma-buf fences vs Android sync driver. https://www.youtube.com/watch?v=rhNRItGn4-M&list=UUIxsmRWj3-795FMlrsikd3A .
As you may gather there's alot of information to soak up ....
Meanwhile over at the RPI Foundation. Fromer Intel GPU driver development Eric Anholt has been working on making a kernel driver for the videocore. http://www.phoronix.com/scan.php?page=news_item&px=MTc3NjQ . I initially thought we could maybe use the A KMS Hwcomposer, Mesa GLES implementation and a DRM ( Display Render Manager ) based gralloc. All these are things today and would just have to be extended to support the vc4 implementation. Eric was working with Mesa as part of his implementation which would leave the gralloc which is available in the android-x86 and libdrm .... libdrm looked like a tricky proposition for someone with my skills and Eric said he had no ( concrete ) plans to do libdrm . However looking at his current codebase I noticed that the videocore driver now supports dma_buf. Arm have made their Mali Gralloc opensource this also supports the use dma_buf and the nature of the beast is to provide a Generic way of accessing the Graphics buffer access many GPU's ( I think ) .
The Current Plan
=============
Merge the vc4 GPU kernel changes into my kernel branch
Port the Mali Gralloc to handle any difference between mali and vc4 ioctl etc
?????
?????
?????
?????
?????
Potentially Profit!
Thanks
trevd
trevd,
As a temporary measure, you could try to disable the opengl renderer by setting USE_OPENGL_RENDERER := false. That may allow you to boot into the home app and do some further debugging. With hwui and hwcomposer both disabled, the UI will be very slow, but it has a better chance of working if your problem is specifically due to an incompatibility with the EGL drivers.
Have you tried running with the full brcm_usrlib driver? As far as I can see, there have been successful cases in which the driver was demonstrated to run on RPi (though not specifically on Android). See here: http://www.raspberrypi.org/quake-iii-bounty-we-have-a-winner/
You mentioned an error with dequeueing buffers; you may have the same issue that I had with the original brcm_usrlib source that was solved by this commit.
BTW, I'd appreciate if you could post a logcat captured during boot (failing or otherwise). I'm curious...
Android Wear on Raspberry Pi?
Hi there!
Nice project. Is there any existing solution to run Android Wear on Raspberry Pi? A prototypical port would be sufficient for my case.
Many thanks in advance!
psyke83 said:
trevd,
As a temporary measure, you could try to disable the opengl renderer by setting USE_OPENGL_RENDERER := false. That may allow you to boot into the home app and do some further debugging. With hwui and hwcomposer both disabled, the UI will be very slow, but it has a better chance of working if your problem is specifically due to an incompatibility with the EGL drivers.
Have you tried running with the full brcm_usrlib driver? As far as I can see, there have been successful cases in which the driver was demonstrated to run on RPi (though not specifically on Android). See here: http://www.raspberrypi.org/quake-iii-bounty-we-have-a-winner/
You mentioned an error with dequeueing buffers; you may have the same issue that I had with the original brcm_usrlib source that was solved by this commit.
BTW, I'd appreciate if you could post a logcat captured during boot (failing or otherwise). I'm curious...
Click to expand...
Click to collapse
@psyke83 Thanks for the tip .wrt USE_OPENGL_RENDERER . It's a good idea but not where I'm at in the process . I know what I need to do it's just a case of doing it lol , i've been lazy the last few weeks and sometimes time is a great leveller in these things . There's smarter people than me doing work in the same area which is presenting some interesting options as I noted .
I did see your dequeue and wait patch and have I think it's something I need to do ... Am I correct in thinking that this is the same as what later Android Graphics Stack implementations are doing in the way sync fencing?
Tbh It was the original broadcom source release that got me going on this and I was quite excited to see the PI "Port" ... After some investigation I thought using that approach was way beyond my level of understanding , Put simply I didn't have the skills or knowledge or the patience to even attempt implementing it ..... That was 6ish months ago ( I think ) so revisiting it is also an options ... again time is the leveller and smarter people ( you and the armv6 team in this case ) have done alot of the hard work and my knowledge is dramatically increased in the area of porting missing Broadcom functionality into the RPI Kernel
The PI's kernel is also virtually mainline which presents more options still as the current state of the art on the Android Graphics Stack is to use the Atomic Display Framework and the AOSP has libraries to work with that [ https://android.googlesource.com/platform/system/core/+/master/adf ] . As a test/hack I compiled/backported the AOSP master surfaceflinger hwui to the androidarmv6 code base so that is ultimately where I'd like to go with this madness ..
I think It's going to be a mix of everything , the full broadcom EGL/GLES library with a dma_buf based gralloc and hwcomposer to suit .
I'd say I've got an embarrassment of riches atm .
Ahh the curious mind of the developer , lol . You know where curiosity gets you? Reading logcats of devices you don't have access to for entertainment on a saturday night but yeah I'll drop a logcat etc when I next power the thing up ... :good:
@Verses There's no Android Anything on the PI and without wanting too sound harsh. If you want it , you have to build it.
If you want to do something with Android Wear today than the PI isn't the device you need. There's better, more powerful SBC's available for not much additional cost. Also there's really no sane reason the latest versions of Android should run on the PI the CPU is legacy by 2 generations the available source code made no provision for Android what so ever and the RPI Foundation decided that Android was not an OS that fulfilled their primary mission of improving (real) computer literacy in the British yoof! But I really like Android and had a spare PI and making the latest version of Android work on "weird" machines is sort of how I get my kicks, hence this!
trevd said:
@psyke83 Thanks for the tip .wrt USE_OPENGL_RENDERER . It's a good idea but not where I'm at in the process . I know what I need to do it's just a case of doing it lol , i've been lazy the last few weeks and sometimes time is a great leveller in these things . There's smarter people than me doing work in the same area which is presenting some interesting options as I noted .
I did see your dequeue and wait patch and have I think it's something I need to do ... Am I correct in thinking that this is the same as what later Android Graphics Stack implementations are doing in the way sync fencing?
Tbh It was the original broadcom source release that got me going on this and I was quite excited to see the PI "Port" ... After some investigation I thought using that approach was way beyond my level of understanding , Put simply I didn't have the skills or knowledge or the patience to even attempt implementing it ..... That was 6ish months ago ( I think ) so revisiting it is also an options ... again time is the leveller and smarter people ( you and the armv6 team in this case ) have done alot of the hard work and my knowledge is dramatically increased in the area of porting missing Broadcom functionality into the RPI Kernel
The PI's kernel is also virtually mainline which presents more options still as the current state of the art on the Android Graphics Stack is to use the Atomic Display Framework and the AOSP has libraries to work with that [ https://android.googlesource.com/platform/system/core/+/master/adf ] . As a test/hack I compiled/backported the AOSP master surfaceflinger hwui to the androidarmv6 code base so that is ultimately where I'd like to go with this madness ..
I think It's going to be a mix of everything , the full broadcom EGL/GLES library with a dma_buf based gralloc and hwcomposer to suit .
I'd say I've got an embarrassment of riches atm .
Ahh the curious mind of the developer , lol . You know where curiosity gets you? Reading logcats of devices you don't have access to for entertainment on a saturday night but yeah I'll drop a logcat etc when I next power the thing up ... :good:
@Verses There's no Android Anything on the PI and without wanting too sound harsh. If you want it , you have to build it.
If you want to do something with Android Wear today than the PI isn't the device you need. There's better, more powerful SBC's available for not much additional cost. Also there's really no sane reason the latest versions of Android should run on the PI the CPU is legacy by 2 generations the available source code made no provision for Android what so ever and the RPI Foundation decided that Android was not an OS that fulfilled their primary mission of improving (real) computer literacy in the British yoof! But I really like Android and had a spare PI and making the latest version of Android work on "weird" machines is sort of how I get my kicks, hence this!
Click to expand...
Click to collapse
We can't give up now
@psyke83 For your viewing pleasure lol ... This is before I've switch the Gralloc over to Arm's DMA Buf based one .
At least the kernel booted with the DMA additions . ... Anywho To Work!! I might get this done before christmas. :good:
@trevd, I'd like to know something. I already build some ROMs for different devices and the output was always a custom recovery flashable zip, some images, ramdisk, kernel etc.
My answer is: How you "flash" this on RPi?
Thanks.
GeekyDroid said:
@trevd, I'd like to know something. I already build some ROMs for different devices and the output was always a custom recovery flashable zip, some images, ramdisk, kernel etc.
My answer is: How you "flash" this on RPi?
Thanks.
Click to expand...
Click to collapse
You can take the files like Kernel and system and so on direct on the SD-card! The whole OS is on the SD by default... You don't have to flash anything! Only put the SD into your PC, copy the files on it and put the SD into to Raspberry... That's the magic... [emoji6]
ph87 said:
You can take the files like Kernel and system and so on direct on the SD-card! The whole OS is on the SD by default... You don't have to flash anything! Only put the SD into your PC, copy the files on it and put the SD into to Raspberry... That's the magic... [emoji6]
Click to expand...
Click to collapse
Well, thanks for the answer. But I was actually asking for the structure how you put it on the SD card. I guess you can't just put system folder and boot.img on the SD card. An Android device has much other folders which are in root directory. Like /proc, /dev, /config and so on. It would be interesting to know this
GeekyDroid said:
Well, thanks for the answer. But I was actually asking for the structure how you put it on the SD card. I guess you can't just put system folder and boot.img on the SD card. An Android device has much other folders which are in root directory. Like /proc, /dev, /config and so on. It would be interesting to know this
Click to expand...
Click to collapse
@GeekyDroid Hi ... Should have mentioned that I threw together an HACKING document in the vendor repo
But Basically I've gone with on an 8GB sd
Code:
Number Name Start End Size Type File system Flags
1 boot 512B 80.0MB 80.0MB primary fat16 lba
2 system 80.7MB 1000MB 920MB primary ext4
3 data 1000MB 7000MB 6000MB primary ext4
4 cache 7000MB 8000MB 999MB primary ext4
The sizes you can pick yourself boot is about 12MB at the moment. The system.img create by the build is and unsparsed ext4 image which is 512MB as specified in the device/broadcom/rpi/BoardConfig.mk . The actual system directory is ~215MB
My basic workflow for sdcard creation is to use a SDCard USB Adaptor. setup the partitions using parted and mount the boot partition. copy out/target/product/rpi/kernel out/target/product/rpi/ramdisk.img and the contents of out/target/product/rpi/bootloader to the mounted directory
then I used make_ext4 on the data and cache device nodes and then I just cat the out/target/product/rpi/kernel out/target/product/system.img to the system parted.
The hacking document explains it way better than I just have ... but I've typed it now so sod it :silly:
Obviously this method leaves gaps between the system and data partitions but for now I ain't to bothered. Recovery does work and there's a switch you can pass to the raspberry reboot which "tells" it to boot recovery ... i believe that's how their ( RPI Official ) noobs installer and like works. I've not got round to creating a updater-script for it yet
Once the system.img is "flashed" onto the sdcard and because of the nature of the task then you don't really need to create another one, I give mine a refresh every now and again just because I've been at it a couple of months now.
Once the PI is Booted as there is no OTG it brings up eth0 and runs netcfg eth0 dhcp as a late_start service and prints the ip address to the console. In my case the PI is connected to my home network so I then use adb over tcp for debugging fun! .. The bootanimation gets in the way of the printip now .. I should fix that .. obviously you can use a static one or whatever you like** The aforementioned services are specified in device/broadcom/rpi/init.bcm2708.rc
You can use mmp from within source directories to make and push whatever module your working on then adb restart to "hot restart" the framework.
you can also quickly replace the ramdisk.img kernel config.txt which has the resolution and kernel command line args by mounting using adb to mount /dev/block/mmcblk0p1 somewhere and just dropping in your replacements and rebooting .... saves constant pulling of the sdcard ; I read in various places that the sdcard slot isn't so robust but that's what you get for £30!
Hopefully that makes a little bit of sense ... I've only just picked the PI development backup after a month "off" ... I'm still a bit confused about GPU/GFX development in general and the fact that there's at least 3 maybe even 5 ways of allocating/locking/mapping the gpu memory and whether it even has to be mapped or whether "we" can just smash it using DMA isn't aiding in my rapid understanding of it .... I'll get there though.
Thanks
trevd
** I think eric anholt who is working on the vc4 drm/kms drivers and actually knows what he's doing wrt all the gfx fun is booting over NFS so is always an option see : http://anholt.livejournal.com/ for that work
trevd said:
@GeekyDroid Hi ... Should have mentioned that I threw together an HACKING document in the vendor repo
But Basically I've gone with on an 8GB sd
Code:
Number Name Start End Size Type File system Flags
1 boot 512B 80.0MB 80.0MB primary fat16 lba
2 system 80.7MB 1000MB 920MB primary ext4
3 data 1000MB 7000MB 6000MB primary ext4
4 cache 7000MB 8000MB 999MB primary ext4
The sizes you can pick yourself boot is about 12MB at the moment. The system.img create by the build is and unsparsed ext4 image which is 512MB as specified in the device/broadcom/rpi/BoardConfig.mk . The actual system directory is ~215MB
My basic workflow for sdcard creation is to use a SDCard USB Adaptor. setup the partitions using parted and mount the boot partition. copy out/target/product/rpi/kernel out/target/product/rpi/ramdisk.img and the contents of out/target/product/rpi/bootloader to the mounted directory
then I used make_ext4 on the data and cache device nodes and then I just cat the out/target/product/rpi/kernel out/target/product/system.img to the system parted.
The hacking document explains it way better than I just have ... but I've typed it now so sod it :silly:
Obviously this method leaves gaps between the system and data partitions but for now I ain't to bothered. Recovery does work and there's a switch you can pass to the raspberry reboot which "tells" it to boot recovery ... i believe that's how their ( RPI Official ) noobs installer and like works. I've not got round to creating a updater-script for it yet
Once the system.img is "flashed" onto the sdcard and because of the nature of the task then you don't really need to create another one, I give mine a refresh every now and again just because I've been at it a couple of months now.
Once the PI is Booted as there is no OTG it brings up eth0 and runs netcfg eth0 dhcp as a late_start service and prints the ip address to the console. In my case the PI is connected to my home network so I then use adb over tcp for debugging fun! .. The bootanimation gets in the way of the printip now .. I should fix that .. obviously you can use a static one or whatever you like** The aforementioned services are specified in device/broadcom/rpi/init.bcm2708.rc
You can use mmp from within source directories to make and push whatever module your working on then adb restart to "hot restart" the framework.
you can also quickly replace the ramdisk.img kernel config.txt which has the resolution and kernel command line args by mounting using adb to mount /dev/block/mmcblk0p1 somewhere and just dropping in your replacements and rebooting .... saves constant pulling of the sdcard ; I read in various places that the sdcard slot isn't so robust but that's what you get for £30!
Hopefully that makes a little bit of sense ... I've only just picked the PI development backup after a month "off" ... I'm still a bit confused about GPU/GFX development in general and the fact that there's at least 3 maybe even 5 ways of allocating/locking/mapping the gpu memory and whether it even has to be mapped or whether "we" can just smash it using DMA isn't aiding in my rapid understanding of it .... I'll get there though.
Thanks
trevd
** I think eric anholt who is working on the vc4 drm/kms drivers and actually knows what he's doing wrt all the gfx fun is booting over NFS so is always an option see : http://anholt.livejournal.com/ for that work
Click to expand...
Click to collapse
Thanks you so much for explaining it to me! It really makes sense now for me! Thanks for doing this project I really appreaciate it, that someone works on it! :victory:
I'm not a developer neither a pro, I just now some source building, however I'd like to help you. But as I said I can't, because of the lack of the knowledge. Anyways keep going and all the best! :good:
With the new quad core raspberry pi that just came out, would this port work with it?
Chrisw_2003 said:
With the new quad core raspberry pi that just came out, would this port work with it?
Click to expand...
Click to collapse
With the work that eric anholt has done on the videocore mesa kms driver ... someone just needs to write a simple pass through gralloc ( in theory ) This port doesn't need to work on it as you'll be able to compile the AOSP master branch without too much trouble.
@trevd I think that you should not use Mesa, but trying every AndroidARMv6 fix instead. (until the DRM driver is merged in the raspberrypi/linux tree as Anholt's tree DOES NOT support the Pi2B)
That dequeue patch is a good thing to try.(it fixed that particular error on another device)
Currently your tree DOES NOT build, it stalls at repo sync:
Code:
21 689k 21 151k 0 0 12202 0 0:00:57 0:00:12 0:00:45 21103Fetching project CyanogenMod/android_bootable_recovery-cm
23 689k 23 164k 0 0 12273 0 0:00:57 0:00:13 0:00:44 23933error: Cannot fetch trevd/android_external_busybox
Fetching project CyanogenMod/android_external_grub
100 689k 100 689k 0 0 12014 0 0:00:58 0:00:58 --:--:-- 17929
Fetching projects: 67% (313/467)
Is anyone still working on this for the gfx port?

Yoga Tablet 2 Pro, how do we enter BIOS and/or disable secure boot.

I've been trying different ways of entering bios and/or disabling secure boot, but can't figure out exactly if it has a BIOS menu at all.
Connected a keyboard to it and tries different keys during boot but I can't find the right combination.
Does anyone know how to enter the BIOS menu, or how do we go about disabling secure boot?
Thank you,
cocacola2015 said:
I've been trying different ways of entering bios and/or disabling secure boot, but can't figure out exactly if it has a BIOS menu at all.
Connected a keyboard to it and tries different keys during boot but I can't find the right combination.
Does anyone know how to enter the BIOS menu, or how do we go about disabling secure boot?
Thank you,
Click to expand...
Click to collapse
Keyboard is disabled(no driver installed, thanks Lenovo). Bios is usless.
From my LG-G4, Rooted running Stock 5.1
I was afraid that this would be the case. There seems to be no way to circumvent it either to boot a linux kernel.
http ://i.imgur.com/Tfd9U3i.jpg
Am I right to assume that the only thing we have that are signed are the stock Lenovo Yoga kernels, making them the only thing we can boot?
Also, does anyone know if these are the Microsoft keys, or some Lenovo keys, that they use for secure-boot. http ://i.imgur.com/dm1i16B.jpg
I'm wondering, because linux grub distributions do have a signed grub "shim" with the Microsoft key, maybe making us able to execute that at boot.
Ok, I've found out that it does have the microsoft keys, among other keys, which means it should in theory be possible, in theory. Will be looking into this more.
cocacola2015 said:
I was afraid that this would be the case. There seems to be no way to circumvent it either to boot a linux kernel.
http ://i.imgur.com/Tfd9U3i.jpg
Am I right to assume that the only thing we have that are signed are the stock Lenovo Yoga kernels, making them the only thing we can boot?
Also, does anyone know if these are the Microsoft keys, or some Lenovo keys, that they use for secure-boot. http ://i.imgur.com/dm1i16B.jpg
I'm wondering, because linux grub distributions do have a signed grub "shim" with the Microsoft key, maybe making us able to execute that at boot.
Click to expand...
Click to collapse
actually the problem is not in the unlocking but in making a working kernel for this tablet... because you see... Lenovo released the "source code" so they won't risk being sued for breaking the opensource (kernel) licenses, yet what they released is crap, broken drivers (i had to download all the source packages from all the YT2 models because they didn't even un-tarred crap and each one was 400MB and move things around and still it wont do the job as it should) they intentionally crippled the mk files, removed others, stupid and not working configs and so on... driver files missing... you get the picture and this was intentionally (not to say that this is only the kernel, not a chance to see in their source whats even more interesting: the code for the libraries, binaries etc) i am not saying it cannot be done but the amount of work it requires... hmm does it justify? in the end there are few people on this tablets and even lesser with the knowledge/available time to try and do something that will look like a custom rom
i thought at some point in making a rom but the hassle and time required don't justify it (what would i have? except that it's trendy to have a costom rom) so i for one will stay on my Android+Linux combo but who want to go further has my help
a better approach would be to build a custom rom based on the stock kernel/initramfs, this way you will start having the drivers in order and do your custom system (while no longer used in these days still it was cyanogenmod's way of making custom roms in the past) yet this one too is difficult and requires lots of work (and again for what? what's the gain?) but this one is much more acceptable than the rebuilding all previous one
the secure boot is passed (pm and you will understand) but to what end? see... the problem isn't so much in opening the door but in what you will do once inside (and i am inside that room for some time now yet no better bed than my Linux+Android combo) but feel free to continue on the road..
this is not to discourage you but to warn you about issues others (me) had on the road you're stepping now.
Thank you for the reply.
You're right, going the route of compiling whatever Lenovo has put out, is not the most streight forward option, but I disagree on not putting Linux on this tablet. This is the biggest and highest resolution tablet I've seen, and having Android on it instead of a full-blown Linux distribution, is a waste. Things like X forwarding to use it as a thin clinet, does not work well, I've tried all options. The only viable thing for using this as a thin client, is to run Linux on it, with its native input methods on the display server.
The gain is not having to pay twice as much for a Microsoft Surface tablet to install linux on, with it even being lower resolution and smaller screen.
well in this area @workdowg can give you more details as he is the one who loves X on this tab me i'm more like an Y type (aka windows gui/y) (i am happy with my openvpn and sshd) but again consider the unlocking part done and start collecting stuff for making your kernel
ionioni said:
well in this area @workdowg can give you more details as he is the one who loves X on this tab me i'm more like an Y type (aka windows gui/y) (i am happy with my openvpn and sshd) but again consider the unlocking part done and start collecting stuff for making your kernel
Click to expand...
Click to collapse
Very exciting. Need to boot a compatible kernel with the provided drivers, as you also suggested, and eventually get a full fedora distribution up and running.
Since this is an x86 tablet, no cross-compilation will be needed so it will allow for more flexibility with getting tools into initramfs to make it bootstrap systemd, and eventually run a full distribution from the system partition.
Would be very interested if workdowg can also provide some input on the issue.
cocacola2015 said:
Thank you for the reply.
You're right, going the route of compiling whatever Lenovo has put out, is not the most streight forward option, but I disagree on not putting Linux on this tablet. This is the biggest and highest resolution tablet I've seen, and having Android on it instead of a full-blown Linux distribution, is a waste. Things like X forwarding to use it as a thin clinet, does not work well, I've tried all options. The only viable thing for using this as a thin client, is to run Linux on it, with its native input methods on the display server.
The gain is not having to pay twice as much for a Microsoft Surface tablet to install linux on, with it even being lower resolution and smaller screen.
Click to expand...
Click to collapse
as short as it was yet i still read it on fast-forward
i wasn't saying to not put linux on it (i have linux on mine too) i'm saying that putting ONLY linux was not worth (for my needs) the work required for (maybe i was too subtle ) i mean even if i had a full linux distro solution for my 1380 tablet i would still go for my current Android on Linux set-up that i have. yet, each has his own needs
oh boy it's getting late
cocacola2015 said:
Very exciting. Need to boot a compatible kernel with the provided drivers, as you also suggested, and eventually get a full fedora distribution up and running.
Since this is an x86 tablet, no cross-compilation will be needed so it will allow for more flexibility with getting tools into initramfs to make it bootstrap systemd, and eventually run a full distribution from the system partition.
Would be very interested if workdowg can also provide some input on the issue.
Click to expand...
Click to collapse
ionioni said:
as short as it was yet i still read it on fast-forward
i wasn't saying to not put linux on it (i have linux on mine too) i'm saying that putting ONLY linux was not worth (for my needs) the (huge)work required for (maybe i was too subtle ) i mean even if i had a full linux distro solution for my 1380 tablet i would still go for my current Android on Linux set-up that i have. yet, each has his own needs
oh boy it's getting late
Click to expand...
Click to collapse
I purchased my tablet with intention of dual booting Linux and Android and eventually going with Linux alone (being x86 I thought this would be a piece of cake). Now after getting Linux running (with Android in a chroot).... My vision has changed. TTY Linux is great, I have so much I can get done when not home. Using Xsdl, X runs well enough ( I had wine installed to run a Windows app) and I don't think it would be all that much better on the framebuffer.
The problem ends up being.... (and it has been stated before).... Touch still sucks on a small screen! Android just excels at it. So for me, if someone were to develop kexecboot or such I would definitely play with it (proof of concept) but I'm positive I'd go right back to my current setup.... ssh and the Xsdl for X as needed are perfect.
ionioni said:
as short as it was yet i still read it on fast-forward
i wasn't saying to not put linux on it (i have linux on mine too) i'm saying that putting ONLY linux was not worth (for my needs) the work required for (maybe i was too subtle ) i mean even if i had a full linux distro solution for my 1380 tablet i would still go for my current Android on Linux set-up that i have. yet, each has his own needs
oh boy it's getting late
Click to expand...
Click to collapse
Oh I see. The highest priority for me at least, is to get any linux distribution to boot.
workdowg said:
I purchased my tablet with intention of dual booting Linux and Android and eventually going with Linux alone (being x86 I thought this would be a piece of cake). Now after getting Linux running (with Android in a chroot).... My vision has changed. TTY Linux is great, I have so much I can get done when not home. Using Xsdl, X runs well enough ( I had wine installed to run a Windows app) and I don't think it would be all that much better on the framebuffer.
The problem ends up being.... (and it has been stated before).... Touch still sucks on a small screen! Android just excels at it. So for me, if someone were to develop kexecboot or such I would definitely play with it (proof of concept) but I'm positive I'd go right back to my current setup.... ssh and the Xsdl for X as needed are perfect.
Click to expand...
Click to collapse
Touch will probably work better on the larger screens, I've got the 13inch one.
---------------
So I got the latest kernel from kernel.org to boot but I'm not sure why it doesn't find the initramfs, I assume it has to do with it not existing on a partition, but being built into the boot.img.
http://i.imgur.com/IxdwXre.jpg
I'm trying to make it boot a live OS directly from USB, without initramfs. It's a bit difficult because I don't know how the block devices are named, maybe if anyone knows the kernel command line for booting the live linux using the custom kernel, using sdhci or normal usb.
Basically, instead of the normal LiveUSB sequence:
grub from USB -> kernel from USB -> root filesystem from USB
I want
custom kernel with android boot.img -> root file system from USB/SD card
cocacola2015 said:
I want
custom kernel with android boot.img -> root file system from USB/SD card
Click to expand...
Click to collapse
there's something wrong with your boot.img, and from the image there not enogh info
link the boot.img you make
ionioni said:
there's something wrong with your boot.img, and from the image there not enogh info
link the boot.img you make
Click to expand...
Click to collapse
What's wrong is you need the root= kernel argument, and I'm not sure how the block devices are named (For example, it doesn't have /dev/block/ like on the android kernels). The initramfs isn't modified yet, it's a custom compiled kernel with the source at kernel.org.
Created a boot.img that one can add root= kernel arguments to, to test booting from other media:
https://anonfiles.com/file/177753c2344c3c64c200cdb3803236bd
It has these kernel command line arguments built into the kernel:
Code:
oops=panic panic=360 vmalloc=172M debug_locks=0 bootboost=1 vga=ask i915.modeset=0 drm.vblankoffdelay=1 selinux=0 nomodeset ro debug noinitrd
Another one with UHCI (USB2.0) driver, instead of xHCI (USB3.0), because it might not reach init sometimes otherwise when plugged in, for some reason.
https://anonfiles.com/file/d41f495d118ab1e5ccef961baeb1bcce
No command line arguments built into the kernel, all in boot.img, boot_delay= disabled
Code:
oops=panic panic=360 vmalloc=172M debug_locks=0 bootboost=1 vga=ask i915.modeset=0 drm.vblankoffdelay=1 selinux=0 nomodeset ro debug noinitrd root=/dev/mmcblk0

[DEV] LG G5 VS987 bootloader unlock

LG G5 VERIZON VS987
Unofficial bootloader unlock
In-Progress
This is a project to disassemble and rebuild an unlocked aboot that passes the sbl loader test, thus allowing installation of custom kernels, read/write access to system, TWRP recovery, and custom ROMs. You can follow the progress or ask questions about it here, or offer your help to make my life a little easier. Donations help, too, especially to maintain the machine these VMs and tools run on.
PHASE 1 - RAMDISK EXTRACTION: DONE
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
PHASE 3 - CERTIFICATE EXTRACTION: IN-PROGRESS
Extracting and parsing the PCS data. It's needed for verification by the sbl to avoid security fail when booting a modified aboot.
PHASE 4 - UNLOCKING NEEDS DONE
Re-coding aboot to accept a bootloader unlock, and access to fastboot.
PHASE 5 - RECOMPILATION AND TESTING (ABOOT)NEEDS DONE
Re-building the aboot binary and testing it.
PHASE 5 - LITTLEKERNEL AND SYSTEM ACCESS (BOOT)NEEDS DONE
Puling apart stock kernel, grabbing needed modules, disabling SELinux and dmverify.
Analysing system image, removing boot-time LG security checks, applying root.
PHASE 6 - TWRP BUILD (RECOVERY) NEEDS DONE
Building user-friendly recovery image.
PHASE 7 - BUILD TOT FILE NEEDS DONE
Package it all into an LGUp Flashable TOT and release.
If you would like to help with this project, please make yourself known.
If you would like to donate to show thanks, the button is underneath my name or in my profile.
If you have a comment or can leave documentation or advice, do so below ​
Nice.. Hoping for the best
LupineDream said:
LG G5 VERIZON VS987
Unofficial bootloader unlock
In-Progress
This is a project to disassemble and rebuild an unlocked aboot that passes the sbl loader test, thus allowing installation of custom kernels, read/write access to system, TWRP recovery, and custom ROMs. You can follow the progress or ask questions about it here, or offer your help to make my life a little easier. Donations help, too, especially to maintain the machine these VMs and tools run on.
PHASE 1 - RAMDISK EXTRACTION: DONE
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
View attachment 4016279
View attachment 4016280
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
View attachment 4016278
PHASE 3 - CERTIFICATE EXTRACTION: IN-PROGRESS
Extracting and parsing the PCS data. It's needed for verification by the sbl to avoid security fail when booting a modified aboot.
PHASE 4 - UNLOCKING NEEDS DONE
Re-coding aboot to accept a bootloader unlock, and access to fastboot.
PHASE 5 - RECOMPILATION AND TESTING (ABOOT)NEEDS DONE
Re-building the aboot binary and testing it.
PHASE 5 - LITTLEKERNEL AND SYSTEM ACCESS (BOOT)NEEDS DONE
Puling apart stock kernel, grabbing needed modules, disabling SELinux and dmverify.
Analysing system image, removing boot-time LG security checks, applying root.
PHASE 6 - TWRP BUILD (RECOVERY) NEEDS DONE
Building user-friendly recovery image.
PHASE 7 - BUILD TOT FILE NEEDS DONE
Package it all into an LGUp Flashable TOT and release.
If you would like to help with this project, please make yourself known.
If you would like to donate to show thanks, the button is underneath my name or in my profile.
If you have a comment or can leave documentation or advice, do so below ​
Click to expand...
Click to collapse
Nice to know there is people working on an unofficial bootloader unlock for the lg g5 good job !
I would also like to ask a question if you don't mind : once done, does this variant of the g5 is similar enough to some variants to be able to "port" the unlock or the approach is too specific to the variant ?
Im currently grabbing a more android build-friendly release of Xenial. Google does not support building from a x86 OS. When I tried to git the "official" google toolchain in consideration of doing things 100% correct in a VM, I ran into the dreaded "x86 build host unsupported" problem. The VM host I am grabbing is here: https://forum.xda-developers.com/chef-central/android/guide-how-to-setup-ubuntu-16-04-lts-t3363669 I am going to need the google build source for the kernel, plus the makefiles for the generic arm v7a neon arcitecture. Best do it all the right way instead of having to re-do it all later.
In the meantime, I am cramming some thumb-2 tutorials. La la la~
nalf3in said:
Nice to know there is people working on an unofficial bootloader unlock for the lg g5 good job !
I would also like to ask a question if you don't mind : once done, does this variant of the g5 is similar enough to some variants to be able to "port" the unlock or the approach is too specific to the variant ?
Click to expand...
Click to collapse
I'd have to check the aboot and boot / kernel to see if there's any major differences. Since this is a direct aboot disassembly, it's varient specific, but I will surely be checking if the approach can be applied to different varients' booters via scripting or some such thing. It would mean coding of a patchfile and a TOT builder, adding an entire extra level of complexity, but I'll get to your answer as soon as I have finished with this model.
Howdy there,
Looks like you're attempting to modify an element in the Qualcomm Secure Boot chain (aboot in this case) - unfortunately what you're trying to do won't work.
I don't want to rain on your parade here, or discourage you from learning something for the sake of learning it but simply modifying a component of the boot stack by recompiling it and slapping the same signatures on it isn't possible.
I'd recommend you take a look at any of the awesome posts on XDA about how the Secure Boot 3 (is there a newer version?) process works as you'll see that each step in the boot process (pbl -> xbl -> {tz, rpm} -> aboot) is verified using RSA public/private key signatures.
You won't be able to simply extract the certificate chain from the old aboot (LK) image and append it to your source-built LK, as the hash embedded in the certificate chain won't match the computed hash of the LK application.
Your next thought would be "what if I could find where the validation function is called and replace it?", but you'll find that each step in the boot process calls TrustZone's secureboot verification functions which rely on data stored in qFuses.
Even then, the function TrustZone itself calls is actually provided by PBL and is burned into the chip itself.
Essentially, the path you're trying to take is one that Qualcomm has thoroughly hardened the boot process to protect against.
I'm not trying to discourage you from learning, since doing this sort of reverse engineering is very fascinating and a fun learning exercise - I just want to let you know that if you try to flash a modified aboot image that you'll end up with a brick (and no way that I'm aware of to recover short of soldering up some UFS lines and reflashing like that since iirc even JTAG is disabled now and we lack signed programmers for USB recovery).
Check out one of the Secure Boot PDFs that are available on Google/XDA and you should see what I mean.
Best of luck to you, and happy learning!
LupineDream said:
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
View attachment 4016279
View attachment 4016280
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
View attachment 4016278
Click to expand...
Click to collapse
Like thecubed said, by flashing a modified aboot you'll brick the device, but the fact that you figured out how to extract the aboot image is EXTREMELY impressive! If you wouldn't mind it would be very helpful if you make a guide on how you did that or if you could post your extracted aboot files that would be much much appreciated An insight on how aboot for the G5 works would be something very nice to have
thecubed said:
Howdy there,
Looks like you're attempting to modify an element in the Qualcomm Secure Boot chain (aboot in this case) - unfortunately what you're trying to do won't work.
I don't want to rain on your parade here, or discourage you from learning something for the sake of learning it but simply modifying a component of the boot stack by recompiling it and slapping the same signatures on it isn't possible.
...
[ removed in quote ]
...
Best of luck to you, and happy learning!
Click to expand...
Click to collapse
Thank you for the inspiration. The task has been a thorough crash-course in arm v7a NEON Cortex technology and thumb-2 assembler. I was concerned when I saw the TrustZone documentation from ARM and the ACEP (Arbitrary Code Execution Prevention) stack. Your mention of qfuse brings back memories of the Samsung "Golden Routines" folly.
Unfortunetly I wasn't a backer of the Raspberry PI, but there are other PCBs with GPIO pins. My reason for mention this is the JTAG connundrum you mentioned. It is null and void to a soldering gun, a few resisters ($2-$3, and the on-chip ARM debugging interface included in most integrated ARM chipsets. PCBs that run Linux with a GPIO pin array are the cheapest and most flexable solution to an expensive piece of lab / R & D equipment (JTAG), and the impact on the bank account is a fraction of what it would cost the end-consumer.
Hash collisions and backprop neural nets. What? OK, I'll explain. Most reverse engineering begins with monitoring the usual operation of the device as you are aware. Approach 1 involves training a backpropping neural network to recognize (within a reasonably less amount of computation) a hash collision. Of course, you aren't going to be getting to these pre-coded hashes without breaking the RSA chain (thats 100 zeros O__O ) , this is fixed by monitoring the debug interface we both mentioned earlier, at power-on. ARM processors work such that they cannot do DMAC (direct memory access computation), so the values need to be pushed into registers and acted on as plain byte, then pushed back to memory. Sniff, find out what's coming to/from the qfuse memory bus area into registers, dump the data, and you'll have your root CA with luck. You'll be looking for the in operand, that is, the one that is to be acted on in the cipher that is incoming from qfuse. Cycle-timing to ignore the rest of the computations for this byte, you're basically waiting until qfuse pushes the next byte of its keys into a register and grabbing it in the same cycle the instruction is working on it.
That said, with a $100 and a soldering gun and a laptop, you have your RSA key direct from CPU memory via the debug interface. After you've got your root CA, would it be feasable to start decrypting the intermediate CA chain for each component of boot until you get the hash? In theory this should work without brute-force, but a lot of time in a code window and with an oscilliscope. Once you've had the decrypted hash, you can begin to look for a hash collision. There are open source tools that will find hash collisions in an hour or less using neural nets. Write an aboot that complies to this hash collision, flash it, and qfuse will not be able to tell the difference.
Thats my theory on exploiting the fact ARM needs to do its computations in an area that is accessable to the debug interface. Of course my theory falls apart if the TrustZone chipset has its own processor.
Honestly Annoying said:
Like thecubed said, by flashing a modified aboot you'll brick the device, but the fact that you figured out how to extract the aboot image is EXTREMELY impressive! If you wouldn't mind it would be very helpful if you make a guide on how you did that or if you could post your extracted aboot files that would be much much appreciated An insight on how aboot for the G5 works would be something very nice to have
Click to expand...
Click to collapse
I'd be okay with writing such guide as long as it followed community guidelines. I should not be posting disassembled code and analysis if it's against the rules to do so. If a mod could clear this for me....
After searching around I located the true specs for the G5. It's a Snapdragon 820 SoC. It runs the new ARM v8A instruction set.
More detailed information here -> http://www.tomshardware.com/reviews/snapdragon-820-performance-preview,4389-2.html.
More specifically, it's on the msm8996 platform: http://system-on-a-chip.specout.com/l/1170/Qualcomm-Snapdragon-820-MSM8996
Phones with this arcitechture: https://www.kimovil.com/en/list-smartphones-by-processor/qualcomm-snapdragon-820-msm8996
Xiaomi Mi5 has official bootloader unlock via a tool (reverse engineer to work with our platform?)
HTC 10 bootloader on certain models can be oem-unlocked.
Lenovo ZUK Z2 bootloader can be oem-unlocked
LG V20 bootloader can be oem-unlocked, and is the closest in hardware to our G5!
Perhaps stealing a kernel and boot from a similar varient that allows it, signing it with our key, hash-matching it? It all runs on the same platform with the same instruction set. Most of these phones have unlockable bootloaders.
I'd say the best target would be that unlock tool by Xaoimi. Its usually the third party vendor's tools you can find the biggest security holes in. xD From their documentation, it isn't an "enable OEM unlock" switch in Developer Options used to enable the unlock, the tool itself actually works on the bootloader. Perhaps the tool uses a feature of the MSM8996 we aren't aware of. It's worth looking into.
LupineDream said:
Thank you for the inspiration. The task has been a thorough crash-course in arm v7a NEON Cortex technology and thumb-2 assembler. I was concerned when I saw the TrustZone documentation from ARM and the ACEP (Arbitrary Code Execution Prevention) stack. Your mention of qfuse brings back memories of the Samsung "Golden Routines" folly.
Unfortunetly I wasn't a backer of the Raspberry PI, but there are other PCBs with GPIO pins. My reason for mention this is the JTAG connundrum you mentioned. It is null and void to a soldering gun, a few resisters ($2-$3, and the on-chip ARM debugging interface included in most integrated ARM chipsets. PCBs that run Linux with a GPIO pin array are the cheapest and most flexable solution to an expensive piece of lab / R & D equipment (JTAG), and the impact on the bank account is a fraction of what it would cost the end-consumer.
Hash collisions and backprop neural nets. What? OK, I'll explain. Most reverse engineering begins with monitoring the usual operation of the device as you are aware. Approach 1 involves training a backpropping neural network to recognize (within a reasonably less amount of computation) a hash collision. Of course, you aren't going to be getting to these pre-coded hashes without breaking the RSA chain (thats 100 zeros O__O ) , this is fixed by monitoring the debug interface we both mentioned earlier, at power-on. ARM processors work such that they cannot do DMAC (direct memory access computation), so the values need to be pushed into registers and acted on as plain byte, then pushed back to memory. Sniff, find out what's coming to/from the qfuse memory bus area into registers, dump the data, and you'll have your root CA with luck. You'll be looking for the in operand, that is, the one that is to be acted on in the cipher that is incoming from qfuse. Cycle-timing to ignore the rest of the computations for this byte, you're basically waiting until qfuse pushes the next byte of its keys into a register and grabbing it in the same cycle the instruction is working on it.
That said, with a $100 and a soldering gun and a laptop, you have your RSA key direct from CPU memory via the debug interface. After you've got your root CA, would it be feasable to start decrypting the intermediate CA chain for each component of boot until you get the hash? In theory this should work without brute-force, but a lot of time in a code window and with an oscilliscope. Once you've had the decrypted hash, you can begin to look for a hash collision. There are open source tools that will find hash collisions in an hour or less using neural nets. Write an aboot that complies to this hash collision, flash it, and qfuse will not be able to tell the difference.
Thats my theory on exploiting the fact ARM needs to do its computations in an area that is accessable to the debug interface. Of course my theory falls apart if the TrustZone chipset has its own processor.
I'd be okay with writing such guide as long as it followed community guidelines. I should not be posting disassembled code and analysis if it's against the rules to do so. If a mod could clear this for me....
Click to expand...
Click to collapse
Hello again!
Regarding your points:
JTAG is disabled on most production devices, as in 100% inoperable. No amount of soldering will enable it. I'm sure there are some exceptions to the rule, but in this case I'm fairly confident in saying that the JTAG interface on the G5 is unusable.
...even if JTAG was enabled, the Qualcomm Secure Boot stack is designed to protect itself from the exact type of attack you're describing here. The component of TrustZone that is doing the verification of boot images is not running in anything that is JTAG-accessible, and to my understanding it's not even running in the main ARM core.
Re: hash collisions and neural nets... What you're describing sounds neat in theory, but in application (again, to my knowledge) won't work. I suggest you read up on how RSA works.
RSA is public/private key cryptography - in this case, the certificates contained on the phone are the public component, and LG/Qualcomm are the only ones with the private component. "Extracting the CA" will yield the public portion that is only useful for verifying signatures, not signing them.
The only way you'd be able to sign anything and have the phone trust it is to either a) replace the CA on the phone (not possible, it's burned into qFuses) or b) obtain the private component of the CA or any of it's subsidiaries (also burned into qFuses)
CA chains aren't encrypted, they're just a list of things that the device will accept a signature for. In our case it's Qualcomm as the Root CA, then LG as an intermediate (and possibly a few other intermediates to allow OTA updates to come from differing builders/engineering teams within LG). Again, extracting the 'hash' of a CA will do no good here, as there's no meaningful collisions that can be generated and still be a valid boot image. I'm not the best person to explain RSA in depth, so I'd really recommend doing some further research on it.
LupineDream said:
After searching around I located the true specs for the G5. It's a Snapdragon 820 SoC. It runs the new ARM v8A instruction set.
More detailed information here -> http://www.tomshardware.com/reviews/snapdragon-820-performance-preview,4389-2.html.
More specifically, it's on the msm8996 platform: http://system-on-a-chip.specout.com/l/1170/Qualcomm-Snapdragon-820-MSM8996
Phones with this arcitechture: https://www.kimovil.com/en/list-smartphones-by-processor/qualcomm-snapdragon-820-msm8996
Xiaomi Mi5 has official bootloader unlock via a tool (reverse engineer to work with our platform?)
HTC 10 bootloader on certain models can be oem-unlocked.
Lenovo ZUK Z2 bootloader can be oem-unlocked
LG V20 bootloader can be oem-unlocked, and is the closest in hardware to our G5!
Perhaps stealing a kernel and boot from a similar varient that allows it, signing it with our key, hash-matching it? It all runs on the same platform with the same instruction set. Most of these phones have unlockable bootloaders.
I'd say the best target would be that unlock tool by Xaoimi. Its usually the third party vendor's tools you can find the biggest security holes in. xD From their documentation, it isn't an "enable OEM unlock" switch in Developer Options used to enable the unlock, the tool itself actually works on the bootloader. Perhaps the tool uses a feature of the MSM8996 we aren't aware of. It's worth looking into.
Click to expand...
Click to collapse
Bootloaders for other phones will not work on our phone, as of course it'll fail the Secure Boot check.
Bootloader unlock tools for other phones will not work because they're relying on manufacturer specific unlock code that's compiled into aboot (LK). Qualcomm's CAF version of LK doesn't include any unlock code checking functionality, so most manufacturers add that themselves.
LG, in this case, is not even including the code for a bootloader unlock in the US model bootloaders. If you're familiar with C, essentially LG has `#ifdef`'d the entire section of code out (including fastboot).
The V20 bootloader does indeed contain oem-unlock code, but Secure Boot will prevent you from flashing the V20's bootloader (even if it magically was code-compatible with the G5) because Secure Boot checks the hardware ID that's burned into qFuses.
This means, to add a bootloader unlock, you'd have to modify aboot, which can't be done because of Secure Boot. Secure Boot components can't be modified because of RSA, and the RSA verification can't be altered because the keys are burned into qFuses.
thecubed said:
Hello again!
Regarding your points:
JTAG is disabled on most production devices, as in 100% inoperable. No amount of soldering will enable it. I'm sure there are some exceptions to the rule, but in this case I'm fairly confident in saying that the JTAG interface on the G5 is unusable.
...even if JTAG was enabled, the Qualcomm Secure Boot stack is designed to protect itself from the exact type of attack you're describing here. The component of TrustZone that is doing the verification of boot images is not running in anything that is JTAG-accessible, and to my understanding it's not even running in the main ARM core.
Re: hash collisions and neural nets... What you're describing sounds neat in theory, but in application (again, to my knowledge) won't work. I suggest you read up on how RSA works.
RSA is public/private key cryptography - in this case, the certificates contained on the phone are the public component, and LG/Qualcomm are the only ones with the private component. "Extracting the CA" will yield the public portion that is only useful for verifying signatures, not signing them.
The only way you'd be able to sign anything and have the phone trust it is to either a) replace the CA on the phone (not possible, it's burned into qFuses) or b) obtain the private component of the CA or any of it's subsidiaries (also burned into qFuses)
CA chains aren't encrypted, they're just a list of things that the device will accept a signature for. In our case it's Qualcomm as the Root CA, then LG as an intermediate (and possibly a few other intermediates to allow OTA updates to come from differing builders/engineering teams within LG). Again, extracting the 'hash' of a CA will do no good here, as there's no meaningful collisions that can be generated and still be a valid boot image. I'm not the best person to explain RSA in depth, so I'd really recommend doing some further research on it.
Bootloaders for other phones will not work on our phone, as of course it'll fail the Secure Boot check.
Bootloader unlock tools for other phones will not work because they're relying on manufacturer specific unlock code that's compiled into aboot (LK). Qualcomm's CAF version of LK doesn't include any unlock code checking functionality, so most manufacturers add that themselves.
LG, in this case, is not even including the code for a bootloader unlock in the US model bootloaders. If you're familiar with C, essentially LG has `#ifdef`'d the entire section of code out (including fastboot).
The V20 bootloader does indeed contain oem-unlock code, but Secure Boot will prevent you from flashing the V20's bootloader (even if it magically was code-compatible with the G5) because Secure Boot checks the hardware ID that's burned into qFuses.
This means, to add a bootloader unlock, you'd have to modify aboot, which can't be done because of Secure Boot. Secure Boot components can't be modified because of RSA, and the RSA verification can't be altered because the keys are burned into qFuses.
Click to expand...
Click to collapse
So in this case, what would be the next image in the stack that would allow any kind of modifications? Should I be looking at boot.img instead? Would there be a method of tricking the signed and secure boot chain into believing what it sees isn't executing as root?
had been looking through some old methods of root, like causing a boot error by zeroing laf or flashing over it, causing the bootloader to drop you into fastboot, booted securely from there you could call a kcal perameter of the stock kernel that allowed a sort of debugging mode with systemwide root. That exploit was in the G2 era, and how that device obtained root.
I've seen a method that causes Knox to lock up on some Samsung devices by overloading its memory addresses or repeatedly zeroing certain bits of RAM.
I'd really need to find out what method works. If you can't make any modification, maybe there's a workaround to make it THINK everything is legit beyond the boot chain.
aboot decription
Ok I have been working on an lg g5 vs987 myself and I got to the recoding the aboot part and was totally lost its all encrypted and I have no idea where to start to even see what the code is really saying I am new to this website and I am also new to coding on android if you can guide me in the right direction I might be able to help. I have always dreamed of being a part of a development like this and now I might have a shot. Thank you so much for your work and I hope to hear from you soon!
alphawolves said:
Ok I have been working on an lg g5 vs987 myself and I got to the recoding the aboot part and was totally lost its all encrypted and I have no idea where to start to even see what the code is really saying I am new to this website and I am also new to coding on android if you can guide me in the right direction I might be able to help. I have always dreamed of being a part of a development like this and now I might have a shot. Thank you so much for your work and I hope to hear from you soon!
Click to expand...
Click to collapse
Dissembling and recoding aboot wont work no matter even if it is not encrypted..
It is already mentioned above by @thecubed ..
The secure boot will always verify the signature and dissassembly will generate no signature.
We need to find the private keys used for generating the public hash.. but that is not possible unless leaked from lg which is also very unlikely..
What a hacker can do is find a bug/vulnerability in aboot that can bypass secureboot..or a hardware loophole..
Plus there is a trustzone that itself secures the secureboot process.. so we have to find ways to exploit the bootchain so that we can somehow make the bootloader load unsigned ramdisks/recovery and such..
experienced people could do it.. but i guess there has been a lot of fuss between devs and wannabees..
Also if we can get debug build of aboot/ramdisk we can flash them to get unlock or at the very least root..
I am not expert on this but that how its simply put
A brave member sent me a very useful PDF specification on the TSF. The TSF is the official name for the portion of the integrated circuitry that controls the storage of the secure boot chain. The hardware routines are there to allow root to happen, but as stated before by @thecubed, LG commented out the entire section of a boot at compile time that allows anything to occur. Now the approach is to disassemble HOW the code that LG commented out works in the international variant that has an OEM unlock. Hardware routines exist that place the TSF into non-commercial mode, disabling functionality of certain enterprise software and deauth-ing the root CA in qfuse, allowing the user to flash their own signing certificates to the TSF (TrustZone) when a request to switch off CC mode is sent. There are all kinds of virtual memory protections, ACE protections, malicious code protections, and other things that the TSF handles. Trying any kind of unauthorised write to protected areas of memory results in blow of qfuse write fuse. It's actually a physical microscopic fuse that when pushed a specific voltage pops at a microscopic level kind of like a big fuse blowing only at a very tiny level. At this point write access anywhere is gone. This happens at the same time a full wipe of the system happens. That is why they say once qfuse blows your phone becomes a very expensive cup holder. Because after the qfuse blows there is no way of software recovery.
The only way to be able to disable commercial (CC mode) and be allowed to do anything to put your own boot chain in is to place the device in debug mode. The international varient contains code how to accomplish this, our devices don't. You would need to compile an app that runs in normal mode, causes a flag to be set that places the device into debug mode, then reboot. While in debug boot, you should be able to execute a CC unlock manually. The PDF I got says it's very specifically timed when this can happen, what parts of boot the TSF allows it to happen, and a rough explanation if what disabling CC mode means. The only way of getting root is to use the TSF-approved method but all this code is removed. The TSF does not stop you from executing code if booted into factory debug mode. The new approach I propose is to find an exploit to get into userdebug, and manually write an unlock routine with disassembled information from the international varient., pushing it directly into execution memory while in userdebug, being absolutely sure to give the TSF what it asks for, when it asks for it, at the exact timing for it.
LupineDream said:
A brave member sent me a very useful PDF specification on the TSF. The TSF is the official name for the portion of the integrated circuitry that controls the storage of the secure boot chain. The hardware routines are there to allow root to happen, but as stated before by @thecubed, LG commented out the entire section of a boot at compile time that allows anything to occur. Now the approach is to disassemble HOW the code that LG commented out works in the international variant that has an OEM unlock. Hardware routines exist that place the TSF into non-commercial mode, disabling functionality of certain enterprise software and deauth-ing the root CA in qfuse, allowing the user to flash their own signing certificates to the TSF (TrustZone) when a request to switch off CC mode is sent. There are all kinds of virtual memory protections, ACE protections, malicious code protections, and other things that the TSF handles. Trying any kind of unauthorised write to protected areas of memory results in blow of qfuse write fuse. It's actually a physical microscopic fuse that when pushed a specific voltage pops at a microscopic level kind of like a big fuse blowing only at a very tiny level. At this point write access anywhere is gone. This happens at the same time a full wipe of the system happens. That is why they say once qfuse blows your phone becomes a very expensive cup holder. Because after the qfuse blows there is no way of software recovery.
The only way to be able to disable commercial (CC mode) and be allowed to do anything to put your own boot chain in is to place the device in debug mode. The international varient contains code how to accomplish this, our devices don't. You would need to compile an app that runs in normal mode, causes a flag to be set that places the device into debug mode, then reboot. While in debug boot, you should be able to execute a CC unlock manually. The PDF I got says it's very specifically timed when this can happen, what parts of boot the TSF allows it to happen, and a rough explanation if what disabling CC mode means. The only way of getting root is to use the TSF-approved method but all this code is removed. The TSF does not stop you from executing code if booted into factory debug mode. The new approach I propose is to find an exploit to get into userdebug, and manually write an unlock routine with disassembled information from the international varient., pushing it directly into execution memory while in userdebug, being absolutely sure to give the TSF what it asks for, when it asks for it, at the exact timing for it.
Click to expand...
Click to collapse
Thanks for that post @LupineDream ! I unfortunately doesn't understand most of the things you explained but perhaps I can save you a bit of time (your last post looks like you aren't aware of that exploit but thats maybe only me misundertanding) ; as far as I know the adb root method develloped by @HonestlyAnnoying include a userdebug kernel so (afaik) we already know an exploit to get into userdebug on marshmallow(dirty santa) and the fact that the users needs to run marshmallow shouldn't matter as (afaik) once the bootloader unlocked, the userdebug kernel is no longer needed and it is possible to change it.
Edit: just saw your post on the adb root thread, so I guess you are now aware of the exploit Sorry for the post, I just wanted to be sure you didn't missed it.
nalf3in said:
Thanks for that post @LupineDream ! I unfortunately doesn't understand most of the things you explained but perhaps I can save you a bit of time (your last post looks like you aren't aware of that exploit but thats maybe only me misundertanding) ; as far as I know the adb root method develloped by @HonestlyAnnoying include a userdebug kernel so (afaik) we already know an exploit to get into userdebug on marshmallow(dirty santa) and the fact that the users needs to run marshmallow shouldn't matter as (afaik) once the bootloader unlocked, the userdebug kernel is no longer needed and it is possible to change it.
Edit: just saw your post on the adb root thread, so I guess you are now aware of the exploit Sorry for the post, I just wanted to be sure you didn't missed the exploit.
Click to expand...
Click to collapse
Yes thank you for affirming that, but not to worry, I got it. LG has an sbl module called anti-rollback that prevents flashing older software. If we look at the boot chain:
Code:
recovery
| /------------------ laf (fastboot)
__________________|__|_________________________________________ laf (security fail screen)
/ / / /
pbl -> sbl > aboot > boot (kernel/ramdisk) > system
^ ^
| |
| \-- IS_UNLOCKED and sig_Check()
Anti-rollback
I beleive anti-rollback was updated to a new version that prevents this on Nugout. Correct me if I'm wrong. I've tried every LG hidden menu code I could find to see, but can't even seem to get the hidden menu working... And the reason they did this is because of the worldwide alerts about dirtycow, which affects not only Android, but the whole of Linux, so we need a nogout kernel. A marshmallow kernel with the new anti-rollback would theoretically end up in the red triangle of death.
We need someone that has an engineering model with a userdebug kernel. LG makes you apply. Their program is called "LG GATE", and they are very picky. I think that's what helped out the Sprint community. Someone got a hold of a developer / engineering model with a marshmallow kernel.
Well, I already heard of that strange issue with the hidden menu and I always though it was a code 18 but after googling, it looks like it some carrier potentially disabled it.. Anyway, I can confirm you that the anti-rollback version is still 0 on my h831 running the latest nougat unless the hidden menu is "lying". (And most variant I know except sprint, which did triggered the counter with the update, stayed at their rollback version). I still encounter the same issues most people on nougat experienced with the adb root (wasn't able to get past reboot and needed to flash with uppercut a fresh 7.0 ) so I guess the issue is somewhere else.
Also, if you need any information that is on the hidden menu, feel free to ask me
http://m.imgur.com/gallery/fTwgSUF
Very exciting, gl
finally they are working on it
What about this line in the aboot.bin
(from canadian aboot)
LOAD:0F960100 aBootVerificati DCB " : boot verification skip ",0xA,0
Is there any way to disable boot verification? no need to go with full bootloader unlock.. if it's possible to just disable boot verification, right?

Categories

Resources