Root They know how the efuse works? Getting closer to more custom roms?

Discussion in 'Android Devices' started by Wolfedude88, Oct 4, 2010.

  1. Wolfedude88

    Wolfedude88 Android Expert
    Thread Starter
    nenolod William Pitcock



    this means that we can replace mbmloader with an ENG patched mbmloader once we know the permutation value, which is a matter of bruteforcing


  2. Wolfedude88

    Wolfedude88 Android Expert
    Thread Starter
    From what I can tell, sounds good to me.
     
  3. D13

    D13 Android Expert
    Holy Shit
    This is awesome...please happen in the next two weeks...I don't want to get rid of my X thinking that the unlock is just around the corner
     
  4. D13

    D13 Android Expert
    yesssss!!!

     
  5. nitsuj17

    nitsuj17 Android Expert
    haha the second I start getting ready to sell my DX there's finally some great news. I actually had SBFed and reset my phone yesterday to get it ready to sell. I'm still sticking to my 2 weeks to see some development because last time it seemed like "any day" something would be out. But this does sound great.

    Would love to be running MIUI or CM6 overclocked to about 1.3
     
  6. D13

    D13 Android Expert
    Same thing here, was getting ready to sell mine,
    but 2 weeks... please @nenolod, you can do it
     
  7. ericsch333

    ericsch333 Well-Known Member
    _mrbirdman_ Homework assignment: find QMI peek/poke nvram commands - GET TO IT FOLLOWERS! :D


    TheRealBeesley Good news tonight fellow sholes (motorola, X, D2, etc) users... Christmas may very well come early :)

    nenolod thanks to chinese sources, we now have the device-side implementation of RSDlite's protocol
     
  8. mazz0310

    mazz0310 Android Enthusiast
    Yes, seems like they are getting close... can't wait to see what comes of it.
     
  9. mazz0310

    mazz0310 Android Enthusiast
    I'm trying to join the IRC chat so I can help out but it says invite only. Is anyone able to get in?
     
  10. Retrokid223

    Retrokid223 Well-Known Member
    Yeah, if you sell it you will look like a dumb a## like me :p
     
  11. nitsuj17

    nitsuj17 Android Expert
    Yeah, if they unlocked the day I sold it I'd be a TAD upset.
     
  12. Steven58

    Steven58 Reformed PH
    Y'know! I gotta tell you. I don't understand a word of any of that, but I am very, very content to take advantage and enjoy the fruits of all of their work and donate for their time! Works for me! :D
     
  13. D13

    D13 Android Expert
    Can someone give me a walkthrough on joining the IRC chat?
     
  14. tom108

    tom108 Android Expert
    1. Go to freenode Web IRC (qwebirc).
    2. Type in a screenname.
    3. For the channel, type #sholesunlock.
    Then do the captcha and hit connect.
     
  15. nitsuj17

    nitsuj17 Android Expert
    Go to freenode Web IRC (qwebirc), create a userid, join channel sholesunlock and you're good to go!
     
  16. eulerphi8

    eulerphi8 Well-Known Member
  17. Piiman

    Piiman Android Expert
    They'll probably have it unlocked the day you finally sell it. Please sell it ASAP. Thank you :D
     
  18. Piiman

    Piiman Android Expert
  19. vanilla_android_fan

  20. Airmaxx23

    Airmaxx23 Android Expert
    Done....
     
  21. vanilla_android_fan

    You're the man! Thank you for the quick response!
     
  22. Piiman

    Piiman Android Expert
    I would love that also.
     
  23. Piiman

    Piiman Android Expert
    For anyone else:


    Greetings! Current status is something like: 0% | ********************************** | 100%
    In other words, we have a general idea of how to achieve bootloader unlock on these devices, but this has not quite yet culminated into usable code. That's where you guys will be coming into this in the next day or two. We are presently looking for QMI protocol documentation so we can interact with the radio directly. RadioComm is not useful for what we want, as it's a Motorola tool and isn't going to show us the secure area of the radio's NVRAM.
    If you would like to watch, then join us on IRC at irc.freenode.net #sholesunlock. We will op-moderate the channel while we are discussing to ensure high signal-to-noise quality while allowing contributions of value to be added to the discussion. This should answer some questions you may have and such:

    Q: When can I haz unlock? Must haz 9.001THz overclock ROM!!!
    A: NVRAM dump tools will happen first, then we will release an exploit. (In the meantime consider that most actual performance issues are from the scheduler and fixing them has already been covered on my blog, which you can do just by rooting your phone.)

    Q: How does this work? Why are you attacking the BP?
    A: It is well known in the mobile phone industry that the safest place to store secret data is in the BP's NVRAM area. (Well, really, the BP's NVRAM is just a file in the EFS structure now, but...)

    Q: Ok, you get access to the BP. What happens next?
    A: Replacing the checksum on mbmloader with 0xFF or 0x00 should disable the security checks, allowing us to replace it.

    Q: Ah, so once replaced, mbmloader will be unlocked then, right?
    A: Yes, which means we will be able to flash a new mbm image onto the MTD. Specifically one from a dev phone.

    Q: So once a dev phone MBM is flashed, then what?
    A: Then the phone is unlocked as far as eFuse and such go. This allows the flashing of custom boot.img, recovery etc. Custom ROMs are already possible with Koush's hacked up recovery that runs in /system. With Milestone and Charm it will be more tricky - nobody on this team has access to a dev Milestone.

    Q: So what is protected by the eFuse anyway?
    A: mbmloader and nothing else. mbm enforces its own protections completely in software.

    Q: What is x-loader?
    A: In OMAP devices, x-loader is the usual bootstrap for uBoot, much like mbmloader is the bootstrap for mbm. Sholes hardware uses mbmloader+mbm instead of x-loader+uBoot as it contains their verification code.

    Q: What is that bootsys.s file?
    A: That is template platform initialization code for the MSM6k series AP from Qualcomm. mbmloader is based on similar code from Qualcomm, dating back to previous collaborations between Motorola and Qualcomm.

    Q: Does that mean that the underlying code used by RSDlite is also written by Qualcomm?
    A: Not sure, don't really care. The protocol RSDlite uses to speak to mbmloader is nearly identical though. We also have a sample implementation of that protocol as implemented device-side.

    Q: What about the OMAP processor? It could put the sha1sum back after verification!

    A: What about it? It could, *but* the calculated sha1sum would be based on the replaced data anyway. There isn't a checksum burned into the ROM on the OMAP, because that would make updating the bootloader software impossible. Anyone who says otherwise has no understanding of the lack of cost benefit that would produce.

    Q: I got banned from the IRC channel.
    A: That is too bad. Do not complain to freenode staff about it, as they are not going to unban you. If you promise to stop trolling, /msg someone on IRC and we will give you a second chance.

    Q: What about the security on Motorola's Android 1.6 devices?
    A: The CLIQ and Ming phones are running on a different platform and are generally uninteresting to us.

    Q: So why are you guys doing this?
    A: Because software freedom is important - and Motorola should have embraced it instead of taking advantage of the Android ecosystem. What they are in effect doing is selling hardware that is misleading to consumers. We feel that it is necessary to correct this in order to empower consumers to take full advantage of free software on their phones.
     
  24. Airmaxx23

    Airmaxx23 Android Expert
    Post # 15 has the instructions....
     
  25. nitsuj17

    nitsuj17 Android Expert
    Yeah, it looks like things are happening fast. Glad I haven't sold my X yet if they can do that.
     
