1. Download our Official Android App: Forums for Android!

Root Unlocking the bootloader, custom recovery, kernels, etc

Discussion in 'Android Devices' started by downthemachine, Dec 28, 2012.

  1. mel4787

    mel4787 Android Enthusiast
    Rank:
    None
    Points:
    53
    Posts:
    484
    Joined:
    Jun 23, 2013

    Jun 23, 2013
    484
    60
    53
    Male
    pics and proof?
     

    Advertisement

  2. Mercules

    Mercules Lurker
    Rank:
    None
    Points:
    15
    Posts:
    2
    Joined:
    Feb 15, 2015

    Feb 15, 2015
    2
    0
    15
    Male
     

    Attached Files:

  3. jack_hard

    jack_hard Newbie
    Rank:
    None
    Points:
    16
    Posts:
    18
    Joined:
    May 4, 2015

    May 4, 2015
    18
    2
    16
    Why can't a LG bump security key thing work for this type of situation they are all locked with a security key right?
     
  4. tweakdeveloper

    Rank:
    None
    Points:
    5
    Posts:
    1
    Joined:
    Apr 16, 2013

    Apr 16, 2013
    1
    0
    5
    Does anyone happen to have this device's aboot that I could use?
     
  5. mel4787

    mel4787 Android Enthusiast
    Rank:
    None
    Points:
    53
    Posts:
    484
    Joined:
    Jun 23, 2013

    Jun 23, 2013
    484
    60
    53
    Male
    Um that's for s different hydro. We are talking on the original hydro
     
  6. Mark D

    Mark D Lurker
    Rank:
    None
    Points:
    15
    Posts:
    1
    Joined:
    Oct 8, 2015

    Oct 8, 2015
    1
    0
    15
    Male
    I was able to get my Hydro Icon C6730 into both fastboot and modem-utility mode. For mine, you can just turn it off, and hold power and vol+ or vol-. When the android thing comes on, slide your finger to the opposite. Vol + to - brings up orange light mode (I have been calling them OLM and GLM) and - to + brings green light mode. I was able to find SOME stock partitions, and messed around with fastboot to change the way I was bootlooped, but no luck on fixing the brick. Just thought I would share.
     
  7. Blackb0x

    Blackb0x Newbie
    Rank:
    None
    Points:
    16
    Posts:
    33
    Joined:
    May 31, 2012

    May 31, 2012
    33
    2
    16
    Please let me know as I am also soft bricked :(
     
  8. bluntforcetramatothehead

    Rank:
    None
    Points:
    15
    Posts:
    4
    Joined:
    Feb 26, 2016

    Feb 26, 2016
    4
    0
    15
    Sorry to revive a dead thread. I do have an idea, you would have to use https://github.com/Sepero/bootbuddy Boot Buddy will allow you to run Linux shell scripts when your Android device is booting up. It will run your scripts early in the boot process, before the home screen appears. in theory you might be able to load recovery from sd card and bypass the security checks.

    The intended audience is generally intermediate to advanced users, and those who want to play with shell scripting on their device.
     
  9. bluntforcetramatothehead

    Rank:
    None
    Points:
    15
    Posts:
    4
    Joined:
    Feb 26, 2016

    Feb 26, 2016
    4
    0
    15
    Using boot buddy, you have to have busy box installed and script manager. Using the basic scripts I was able to get
    /dev/block/mmcblk0p12 /system ext4 rw,relatime,user_xattr,barrier=0,data=ordered 0 0


    You have to run the boot buddy script prior to shutdown to load the scripts. If we can run scripts then we might be interested in the boot process. a wonderful slide can be found here http://www.slideshare.net/chrissimmonds/android-bootslides20 depends on where in the boot process the checks are done. you would probably need to escalate the attack so we would need Kernel init.d Support Injector from http://forum.xda-developers.com/showpost.php?p=40409356 think the best bet at this point would be to look at the ramdisk. furthermore most of what is on the device talks about qemu goldfish and a emulated environment or at least partially so you can find more info here https://android.googlesource.com/platform/external/qemu/+/master/docs/GOLDFISH-VIRTUAL-HARDWARE.TXT so now that we have all that you can probably use this to make bootloader it's called u-boot http://www.informit.com/articles/article.aspx?p=2433499
     
    #84 bluntforcetramatothehead, Feb 26, 2016
    Last edited: Feb 27, 2016
  10. Batman202012

    Batman202012 Newbie
    Rank:
    None
    Points:
    25
    Posts:
    13
    Joined:
    Jul 28, 2016

    Jul 28, 2016
    13
    0
    25
    Male
    Have a broken Kyocera hydro vibe where the screen is cracked and I got a new one, old one is still usable if someone has an idea they wanna test. Right now I'm just using it to charge my second battery and I can do that while it's bricked so I'm willing to do a test, it's already rooted and ready to go.
     
  11. Batman202012

    Batman202012 Newbie
    Rank:
    None
    Points:
    25
    Posts:
    13
    Joined:
    Jul 28, 2016

    Jul 28, 2016
    13
    0
    25
    Male
  12. AdmireThis

    AdmireThis Newbie
    Rank:
    None
    Points:
    26
    Posts:
    47
    Joined:
    Feb 1, 2012

    Feb 1, 2012
    47
    4
    26
    Male
    Not fun at all
    Michigan
    Unfortunatly this bootloader will never be unlocked its out of date,but tgis is a spare phone for me so if anyone has anything to try im willing to,for fun
     
  13. bluntforcetramatothehead

    Rank:
    None
    Points:
    15
    Posts:
    4
    Joined:
    Feb 26, 2016

    Feb 26, 2016
    4
    0
    15
    www.writefayewrite.com/images/pdfs/DatasheetII.pdf

    Qualcomm’s operating system is called Advanced Mobile Subscriber
    Software (AMSS), also referred to as Dual-
    Mode Subscriber Station
    (DMSS). The OS allocates resources for up to 69 concurrent tasks, includ
    -
    ing hardware management for USB, USIM, GPS, etc., and contains proto
    -
    col stacks at each layer (GSM, L1, L2, RR, MM, etc.). The primary processor
    boots first, ARMx, executing the primary boot loader (PBL) from on-
    board
    ROM at 0xFFFF0000. The mobile station modem (MSM) platform design
    couples CDMA (code-
    division multiple access) and UMTS (Universal
    Mobile Telecommunications System) modem chipsets. After hardware
    initialization, the PBL reads the device boot loader (DBL) from the first
    partition of flash memory. DBL is a function of Qualcomm’s SecureBoot,
    which uses cryptography to guarantee there has not been interference with
    the boot loader images. DBL then configures a dedicated cryptographic
    co-
    processor, Cryptographic Look-
    aside Processor (CLP), and other hard
    -
    ware to load and execute the secondary boot loader (SBL) from flash mem
    -
    ory on an external bus interface (2) from a dedicated partition (3).
    The SBL is loaded into memory, which is an internal memory loca
    -
    tion, on the MSM internal memory, the package-
    on-
    package RAM. This
    is the ARMx Monitor (AMON), where x signifies the primary processor
    model number, and it provides an Extensible Firmware Interface (EFI)
    environment for controlling the boot process. After more hardware
    configuration takes place, including USB and universal asynchronous
    receiving/
    transmitting (for potential remote console connections to the
    monitor), it loads the Applications Processor Secondary Boot Loader
    (
    hboot
    ) on the ARMxx applications processor from a dedicated parti
    -
    tion (14) into both virtual and physical memory.
    REX and AMSS are loaded and executed from another dedicated par
    -
    tition (4). REX, running on Security Domain 0, is responsible for load
    -
    ing firmware into the ancillary micro-
    controller, digital signal processor.
    and voice processor and initializing them. The image includes the REX-
    embedded micro-
    kernel, such as L4A Pistachio, and Iguana operat
    -
    ing system combination, with extensive Qualcomm modifications and
    extensions. Once ARMxx boots, REX unloads/
    disconnects its eMMC
    (multimedia card) driver and relies on remote procedure calls (RPCs) via
    shared memory to the ARMxx application processor to read and write
    the eMMC. Subsequently, the ARMx REX executes the Advanced Mobile
    Subscriber Software (AMSS), running on Security Domain 1.
    48

    Lauren Collins
    Figure 3.5 illustrates the flow for the system boot sequence.
    Core REX tasks are

    DIAG
    : Provides the diagnostic interface.

    CM
    : Call manager task.

    DS
    : Data services task (unified data gathering task for all protocol layers).

    DOG
    : Watchdog (constantly checks whether tasks are alive).

    DPC
    : Routes adjacent point code (APC) across tasks.

    MAIN
    : Launches all system tasks, handles timer events.

    PS
    : Packet-
    switched services (network stacks at upper layers, TCP/
    IP,
    PPP, etc.).

    SLEEP
    : Idle task
    seems the kyocera rise c5155 abd hydro c5170
    what you need can be found in /proc/config.gz
    they have a few different options for the crypt keys think its based off hwmac really need a jtag for this but it creates a temp ram disk and has a cmdline in bootloader. init=/sbi/init /dev/ram initrd 0x11000000 pretty much need to dump the ram it loads a bunch of virtual machines on top of everything.more or less it uses the emulated environment to shield itself, some commands get passed to the real system. probably will have to work on getting something setup with that boot buddy thing to dump the file during boot. i wonder how difficult it would be to implement https://github.com/qemu/u-boot sounds like what is needed they probably use something similar for the bootloader but the feature here is to do a ram dump and then force u-boot to relocate the space CONFIG_RAMBOOT and CONFIG_NFSBOOT
    The value of these goes into the environment as
    "ramboot" and "nfsboot" respectively, and can be used
    as a convenience, when switching between booting from
    RAM and NFS.

    Protected RAM:
    CONFIG_PRAM

    Define this variable to enable the reservation of
    "protected RAM", i. e. RAM which is not overwritten
    by U-Boot. Define CONFIG_PRAM to hold the number of
    kB you want to reserve for pRAM. You can overwrite
    this default value by defining an environment
    variable "pram" to the number of kB you want to
    reserve. Note that the board info structure will
    still show the full amount of RAM. If pRAM is
    reserved, a new environment variable "mem" will
    automatically be defined to hold the amount of
    remaining RAM in a form that can be passed as boot
    argument to Linux, for instance like that:

    setenv bootargs ... mem=\${mem}
    saveenv

    This way you can tell Linux not to use this memory,
    either, which results in a memory region that will
    not be affected by reboots.

    *WARNING* If your board configuration uses automatic
    detection of the RAM size, you must make sure that
    this memory test is non-destructive. So far, the
    following board configurations are known to be
    "pRAM-clean":

    IVMS8, IVML24, SPD8xx, TQM8xxL,
    HERMES, IP860, RPXlite, LWMON,
    FLAGADM, TQM8260

    - Access to physical memory region (> 4GB)
    Some basic support is provided for operations on memory not
    normally accessible to U-Boot - e.g. some architectures
    support access to more than 4GB of memory on 32-bit
    machines using physical address extension or similar.
    Define CONFIG_PHYSMEM to access this basic support, which
    currently only supports clearing the memory.
     
    #88 bluntforcetramatothehead, Dec 22, 2016
    Last edited: Dec 22, 2016

Share This Page

Loading...