unlocking the bootloader?

Discussion in 'Droid Bionic Hacks' started by denpth, Nov 10, 2011.

  1. dags5000 (New Member)
    All I'm saying is that this is not something that one will just "figure out" by looking at code or taking shot-in-the-dark guesses. Take p3droid's advice that it simply is not going to happen unless the keys are leaked, some unlocked version is leaked, or Moto provides a way.

    Sent from my DROID BIONIC using DroidForums
  2. sjflowerhorn (New Member)
    Since we can't change /proc/dev-type, given that the bootloader files are the same size (42 KB, I believe) inside of the updates, would crossing the names of the two files just be a retarded waste of time? Or a brick in the making?

    Don't anyone go trying this.

    Sent from my DROID BIONIC using DroidForums
  3. denpth (New Member)
    I actually already tried this. I've got a backup phone if worse comes to worst; obviously I would rather not have a brick. It checks the MD5 of the files as well, so it knows the names are switched. But you have given me an IDEA: maybe we change the MD5 checksum verification file too... major shot in the dark there, though. Guess it's back to source.


    edit: no
    Last edited: Nov 25, 2011
  4. sjflowerhorn (New Member)
    I figured that with the file size the same, MD5 might be tricked, but I guess not.

    Sent from my DROID BIONIC using DroidForums
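    The failure the last three posts describe, as an added example (not code from the thread, and not Motorola's updater): an updater that checks each file against a per-name MD5 binds contents to names, so two images of equal size cannot be crossed by renaming, and rewriting the MD5 list only helps if that list is not itself authenticated. The package layout, the file names, the 42 KB size and the keyed tag that stands in for the update's signature are all constructed here for illustration.

```python
"""Why crossing the names of two same-size images in an update does not work.

Added example, not from the thread or from Motorola. Models an updater that
checks a per-name MD5 list which is itself authenticated. Everything below
(file names, sizes, key) is constructed for illustration.
"""
import hashlib
import hmac

IMAGE_SIZE = 42 * 1024            # constructed: the thread puts both images at ~42 KB
SIGNING_KEY = b"constructed-key"  # stand-in for the vendor's OTA signing key


def rehash(files):
    """Manifest = file name -> MD5 of that name's contents."""
    return {name: hashlib.md5(data).hexdigest() for name, data in files.items()}


def sign_manifest(manifest, key=SIGNING_KEY):
    """Keyed tag over the manifest. A real OTA zip carries an asymmetric
    signature that stock recovery checks against its built-in keys; an HMAC
    stands in here so the example runs offline. The point is the same: the
    hash list is authenticated, not just the files it names."""
    blob = "\n".join(f"{n} {h}" for n, h in sorted(manifest.items())).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def build_package():
    """Constructed update: two equal-size images that differ only in content."""
    files = {
        "mbmloader_hs.bin": (b"HS image bytes " * IMAGE_SIZE)[:IMAGE_SIZE],
        "mbmloader_ns.bin": (b"NS image bytes " * IMAGE_SIZE)[:IMAGE_SIZE],
    }
    manifest = rehash(files)
    return files, manifest, sign_manifest(manifest)


def check_files(files, manifest):
    """Per-file MD5 check. Returns the names that fail (empty list = pass).
    The hash is over contents, so size alone never satisfies it."""
    return [name for name, expected in manifest.items()
            if name not in files or hashlib.md5(files[name]).hexdigest() != expected]


def check_package(files, manifest, tag, key=SIGNING_KEY):
    """Authenticate the manifest first, then check the files against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["<manifest>"]
    return check_files(files, manifest)


def swap_names(files, a, b):
    """The 'cross the names' idea: same sizes, contents exchanged."""
    swapped = dict(files)
    swapped[a], swapped[b] = files[b], files[a]
    return swapped


if __name__ == "__main__":
    files, manifest, tag = build_package()
    swapped = swap_names(files, "mbmloader_hs.bin", "mbmloader_ns.bin")
    print("stock package      :", check_package(files, manifest, tag) or "OK")
    print("names swapped      :", check_package(swapped, manifest, tag))
    # Second idea from the thread: also rewrite the MD5 list to match the swap.
    forged = rehash(swapped)
    print("swap + forged md5s :", check_files(swapped, forged) or "md5s alone pass",
          "/ full check:", check_package(swapped, forged, tag))
```

    Renaming fails at the per-file MD5 step; rewriting the MD5 list to match makes that step pass but fails the manifest authentication, which is why the second idea does not get further than the first unless the key that authenticates the list is available.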
  5. dstreng (New Member)
    Overclocking can now be done on the Bionic; it just won't survive a reboot. It's time to put the focus back on the bootloader, especially with updates coming soon and the need to return to stock kernels.
  6. firefighterguy (New Member)
    Or if one of us knows someone who was a code breaker in the military. Or if one of us was... That would be gravy.
  7. sjflowerhorn (New Member)
    Never lost the thought. . . Not for one second. Lol

    Sent from my DROID BIONIC using DroidForums
  8. prime (Kernel Developer, Premium Member, Developer)
    If the update mechanism indeed uses /proc/omap_dev_type to determine whether the device is development or non-development, it may be possible to change the value in memory, much like how the Milestone overclock kernel module functions.
  9. denpth (New Member)
    That is actually the direction I am heading with it; however, just like the overclock modules, it will not survive a reboot. The trick is being able to run a module in stock recovery. But I am thinking that once you get the NS bootloader installed, we will not have to do this again. Prime, if you wouldn't mind, I can be a guinea pig, and I will also give you as much insight as I have gathered. I think changing the value is not going to be the issue. The issue is changing the value while in stock recovery so one can run an update with the value changed. If you have any insight on how to do that last part, it would be amazing. As I mentioned before, there is HS, which the Bionic installs normally, and NS (non-secure), which is installed if omap_dev_type is set to NS. But if we are able to run CWM, should we be able to run a modified stock recovery with this flag changed?
  10. prime (Kernel Developer, Premium Member, Developer)
    I have my hands in twelve bowls of Skittles right now, so I may not be able to help. I am currently working with the Bionic kernel source to enable loading outside modules into the running kernel; once I have this done I may be able to help.

    Do you have a kallsyms in /proc? Does it contain the string omap_dev_type?
  11. denpth (New Member)
    Yes, it does in fact. Now that I've got my Debian system up and running, I can download the source and can also dump that variable and see what I can do with it. This is the area where I will have issues, though. I can understand the C from the source, but the assembly language? I understand how it works, but the syntax is hard for me to follow. There have been maybe 3 other times I have ever needed to look at it.
  12. prime (Kernel Developer, Premium Member, Developer)
    You mean the 0x000a00 or push, eax, etc.?
  13. denpth (New Member)
    push, eax, etc. I don't know what all of those mean.
  14. prime (Kernel Developer, Premium Member, Developer)
    I haven't directly dealt with assembly in over ten years, so I don't much remember either.

    Using memory registers or memory mapping has always been a pet peeve of mine anyway. I never understood why anyone would write in assembly unless absolutely necessary (in driver development it's a necessary evil).
  15. firefighterguy (New Member)
    denpth and everyone else working on this, you guys rock! I have no friggin' idea how to go about what you guys are doing.

    I think I have seen more done here than anywhere else. There are threads all over the place that are for the most part dead. And those who are tight-lipped about it are greedy because they want the bootloader bounty all for themselves.

    Well, they will be working on it a looooong time, because I like what is being done in this thread. A bunch of brains are getting together to pool what knowledge and theories they have for the better of the community here. And I believe you will have this cracked before any of the other tight-lipped people.

    Keep up the good work on the quest to truly make our phones OURS! :D

    ____________________
    "King of the 'Self-Edit'"

    "Patriotism is supporting your Country at all times. And your government only when it deserves it" --Mark Twain
    Last edited: Nov 29, 2011
  16. denpth (New Member)
    I mean, while the bounty would be nice, this is not my main concern. I just want CM7 to work well. So we need to be able to flash kernels... That is it. CM7 is friggin' awesome and would be the best thing for our phones if possible.
  17. ex0rcist (New Member)
    +1

    Sent from my DROID BIONIC using Tapatalk
  18. denpth (New Member)
    OMG, this definitely just got over my head. Unless I can find in the source where this value is set in a function (which I am going to search high and low for), I am at a standstill. Maybe you might be able to help here, Prime. I just disassembled the function call and it's just way over my head; I have no idea what I am looking at. I can read C but this is ridiculous.
    omap_dev_type.elf: file format elf32-littlearm


    Disassembly of section .data:

    c0028f60 <_binary_omap_dev_type_start>:
    c0028f60: 4f544f4d svcmi 0x00544f4d
    c0028f64: 4e495250 mcrmi 2, 2, r5, cr9, cr0, {2}
    c0028f68: 70612e54 rsbvc r2, r1, r4, asr lr
    c0028f6c: 0000006b andeq r0, r0, fp, rrx
    c0028f70: 000001d3 ldrdeq r0, [r0], -r3
    c0028f74: 01080010 tsteq r8, r0, lsl r0
    c0028f78: 2e6b7453 mcrcs 4, 3, r7, cr11, cr3, {2}
    c0028f7c: 7865646f stmdavc r5!, {r0, r1, r2, r3, r5, r6, sl, sp, lr}^
    c0028f80: 0000016a andeq r0, r0, sl, ror #2
    c0028f84: 0113001c tsteq r3, ip, lsl r0
    c0028f88: 61636f4c cmnvs r3, ip, asr #30
    c0028f8c: 6e6f6974 mcrvs 9, 3, r6, cr15, cr4, {3}
    c0028f90: 736e6f43 cmnvc lr, #268 ; 0x10c
    c0028f94: 2e746e65 cdpcs 14, 7, cr6, cr4, cr5, {3}
    c0028f98: 006b7061 rsbeq r7, fp, r1, rrx
    c0028f9c: 0000134a andeq r1, r0, sl, asr #6
    c0028fa0: 010d0018 tsteq sp, r8, lsl r0
    c0028fa4: 72756c42 rsbsvc r6, r5, #16896 ; 0x4200
    c0028fa8: 6e6f6850 mcrvs 8, 3, r6, cr15, cr0, {2}
    c0028fac: 70612e65 rsbvc r2, r1, r5, ror #28
    c0028fb0: 0000006b andeq r0, r0, fp, rrx
    c0028fb4: 00000c05 andeq r0, r0, r5, lsl #24
    c0028fb8: 010a0014 tsteq sl, r4, lsl r0
    c0028fbc: 646e694b strbtvs r6, [lr], #-2379 ; 0xfffff6b5
    c0028fc0: 612e656c teqvs lr, ip, ror #10
    c0028fc4: 00006b70 andeq r6, r0, r0, ror fp
    c0028fc8: 00001338 andeq r1, r0, r8, lsr r3
    c0028fcc: 01190024 tsteq r9, r4, lsr #32
    c0028fd0: 72756c42 rsbsvc r6, r5, #16896 ; 0x4200
    c0028fd4: 656c6143 strbvs r6, [ip, #-323]! ; 0xfffffebd
    c0028fd8: 7261646e rsbvc r6, r1, #1845493760 ; 0x6e000000
    c0028fdc: 766f7250 ; <UNDEFINED> instruction: 0x766f7250
    c0028fe0: 72656469 rsbvc r6, r5, #1761607680 ; 0x69000000
    c0028fe4: 65646f2e strbvs r6, [r4, #-3886]! ; 0xfffff0d2
    c0028fe8: 00000078 andeq r0, r0, r8, ror r0
    c0028fec: 00000193 muleq r0, r3, r1
    c0028ff0: 0113001c tsteq r3, ip, lsl r0
    c0028ff4: 50414d4f subpl r4, r1, pc, asr #26
    c0028ff8: 69766f72 ldmdbvs r6!, {r1, r4, r5, r6, r8, r9, sl, fp, sp, lr}^
    c0028ffc: 6e6f6973 mcrvs 9, 3, r6, cr15, cr3, {3}
    c0029000: 2e676e69 cdpcs 14, 6, cr6, cr7, cr9, {3}
    c0029004: 006b7061 rsbeq r7, fp, r1, rrx

    Any thoughts?
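    A check worth running on any listing like the one above, as an added example that is not code from the thread: objdump -D prints an ARM mnemonic for every 32-bit word in .data whether or not it is an instruction, so the mnemonics say nothing about what the section holds. Re-assembling the words as little-endian bytes (the file is elf32-littlearm) and looking for printable runs shows that these 42 words are a table of package names (MOTOPRINT.apk, Stk.odex, LocationConsent.apk, and so on), not code. The WORDS constant is the 42 hex words copied from the post with the mnemonics dropped. The record layout that parse_records() applies (u16 record length, u8 name length, u8 flag, name padded to 4 bytes, u32 value) is an assumption inferred from the words themselves; it is consistent across all six complete records in the dump, but the meaning of the trailing u32 is not known.

```python
"""Recovering the bytes behind an objdump -D listing of a .data section.

Added example, not from the thread. The 42 words in WORDS are copied from the
post above (mnemonics dropped). The record layout in parse_records() is an
assumption inferred from those words, not documented anywhere.
"""
import re
import struct

WORDS = """
4f544f4d 4e495250 70612e54 0000006b 000001d3 01080010 2e6b7453 7865646f
0000016a 0113001c 61636f4c 6e6f6974 736e6f43 2e746e65 006b7061 0000134a
010d0018 72756c42 6e6f6850 70612e65 0000006b 00000c05 010a0014 646e694b
612e656c 00006b70 00001338 01190024 72756c42 656c6143 7261646e 766f7250
72656469 65646f2e 00000078 00000193 0113001c 50414d4f 69766f72 6e6f6973
2e676e69 006b7061
"""

LINE_RE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f]{8})\b")  # objdump "addr: word mnemonic"
BARE_RE = re.compile(r"^\s*(?:[0-9a-f]{8}\s*)+$")          # a line holding only words


def objdump_words_to_bytes(text):
    """Accept raw objdump -D lines or bare word lists; emit each 32-bit word
    little-endian, which is how the ARM target stores it in memory."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            words = [m.group(1)]
        elif BARE_RE.match(line):
            words = line.split()
        else:
            continue  # section headers, symbol lines, blank lines
        for w in words:
            out += struct.pack("<I", int(w, 16))
    return bytes(out)


def printable_strings(data, min_len=4):
    """strings(1)-style: runs of printable ASCII of at least min_len bytes.
    Note this cannot tell where a field ends if the next byte happens to be
    printable (see 'Stk.odexj' in the output), hence parse_records()."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def parse_records(data):
    """Assumed layout, inferred from the dump: <H record length, <B name
    length, <B flag (always 1 here), name padded to a 4-byte boundary, <I value.
    The dump starts mid-record (MOTOPRINT.apk has no header in view), so the
    parser resynchronises on the first offset that looks like a header."""
    records, off = [], 0
    while off + 4 <= len(data):
        rec_len, name_len, flag = struct.unpack_from("<HBB", data, off)
        padded = (name_len + 3) & ~3
        name = data[off + 4: off + 4 + name_len]
        ok = (flag == 1 and name_len and rec_len == 8 + padded
              and len(name) == name_len and all(0x20 <= b < 0x7f for b in name))
        if not ok:
            off += 4  # not a header at this offset; try the next word
            continue
        val_off = off + 4 + padded
        value = struct.unpack_from("<I", data, val_off)[0] if val_off + 4 <= len(data) else None
        records.append((name.decode("ascii"), value))  # value is None if cut off by the dump
        off += rec_len
    return records


if __name__ == "__main__":
    data = objdump_words_to_bytes(WORDS)
    print("strings :", printable_strings(data))
    for name, value in parse_records(data):
        print(f"record  : {name:<28} value={value}")
```

    For the same check on the device side, objdump -s (full contents as a hex/ASCII dump) or strings on the blob gives the answer directly, without going through -D at all. The resync loop matters here because the dump window starts partway through the first record, which is also why MOTOPRINT.apk shows up in printable_strings() but not in parse_records().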
  19. denpth (New Member)
    Bingo, found the function! Basically it calls another function, omap_type, and gets a value of 1 or 2 from it, which then sets the string in proc. So we need to hijack at the point of omap_type and return 2 instead of 1.

    edit: I'm going to work on this more tomorrow. I'm tired.
    Last edited: Nov 26, 2011
  20. wilboy (New Member)
    Good luck, man! This is the only way we can go back to its original kernel... wish we could unlock the bootloader... unlocking it, we can do more :) ... and a lot, lot more. :biggrin: