unlocking the bootloader?

Discussion in 'Droid Bionic Hacks' started by denpth, Nov 10, 2011.

  1. denpth

    denpth Member

    push, eax, etc. I don't know what all of those mean.
     
  2. prime

    prime Kernel Developer
    Premium Member Developer

    I haven't directly dealt with assembly in over ten years so I don't much remember either.

    Using memory registers or memory mapping has always been a pet peeve of mine anyway. I never understood why anyone would write in assembly unless absolutely necessary (in driver development it's a necessary evil).
     
  3. firefighterguy

    denpth and everyone else working on this, you guys rock! I have no friggin idea how to go about what you guys are doing.

    I think I have seen more done here than anywhere else. There are threads all over the place that are for the most part dead. And those who are tight-lipped about it are greedy because they want the bootloader bounty all for themselves.

    Well, they will be working on it a looooong time, because I like what is being done in this thread. A bunch of brains are getting together to pool what knowledge and theories they have for the better of the community here. And I believe you will have this cracked before any of the other tight-lipped people.

    Keep up the good work on the quest to truly make our phones OURS! :D

    ____________________
    "King of the 'Self-Edit'"

    "Patriotism is supporting your Country at all times. And your government only when it deserves it" --Mark Twain
     
    #75 firefighterguy, Nov 26, 2011
    Last edited: Nov 29, 2011
  4. denpth

    denpth Member

    I mean, while the bounty would be nice, this is not my main concern. I just want CM7 to work well. So we need to be able to flash kernels... That is it. CM7 is friggin awesome and would be the best thing for our phones if possible.
     
  5. ex0rcist

    ex0rcist Member

    +1

    Sent from my DROID BIONIC using Tapatalk
     
  6. denpth

    denpth Member

    OMG, this def just got over my head. Unless I can find in the source where this value is set in a function (which I am going to search high and low for), I am at a standstill. Maybe you might be able to help here, prime. I just disassembled the function call and it's just wayyy over my head; I have no idea what I am looking at. I can read C but this is ridiculous.
    omap_dev_type.elf: file format elf32-littlearm


    Disassembly of section .data:

    c0028f60 <_binary_omap_dev_type_start>:
    c0028f60: 4f544f4d svcmi 0x00544f4d
    c0028f64: 4e495250 mcrmi 2, 2, r5, cr9, cr0, {2}
    c0028f68: 70612e54 rsbvc r2, r1, r4, asr lr
    c0028f6c: 0000006b andeq r0, r0, fp, rrx
    c0028f70: 000001d3 ldrdeq r0, [r0], -r3
    c0028f74: 01080010 tsteq r8, r0, lsl r0
    c0028f78: 2e6b7453 mcrcs 4, 3, r7, cr11, cr3, {2}
    c0028f7c: 7865646f stmdavc r5!, {r0, r1, r2, r3, r5, r6, sl, sp, lr}^
    c0028f80: 0000016a andeq r0, r0, sl, ror #2
    c0028f84: 0113001c tsteq r3, ip, lsl r0
    c0028f88: 61636f4c cmnvs r3, ip, asr #30
    c0028f8c: 6e6f6974 mcrvs 9, 3, r6, cr15, cr4, {3}
    c0028f90: 736e6f43 cmnvc lr, #268 ; 0x10c
    c0028f94: 2e746e65 cdpcs 14, 7, cr6, cr4, cr5, {3}
    c0028f98: 006b7061 rsbeq r7, fp, r1, rrx
    c0028f9c: 0000134a andeq r1, r0, sl, asr #6
    c0028fa0: 010d0018 tsteq sp, r8, lsl r0
    c0028fa4: 72756c42 rsbsvc r6, r5, #16896 ; 0x4200
    c0028fa8: 6e6f6850 mcrvs 8, 3, r6, cr15, cr0, {2}
    c0028fac: 70612e65 rsbvc r2, r1, r5, ror #28
    c0028fb0: 0000006b andeq r0, r0, fp, rrx
    c0028fb4: 00000c05 andeq r0, r0, r5, lsl #24
    c0028fb8: 010a0014 tsteq sl, r4, lsl r0
    c0028fbc: 646e694b strbtvs r6, [lr], #-2379 ; 0xfffff6b5
    c0028fc0: 612e656c teqvs lr, ip, ror #10
    c0028fc4: 00006b70 andeq r6, r0, r0, ror fp
    c0028fc8: 00001338 andeq r1, r0, r8, lsr r3
    c0028fcc: 01190024 tsteq r9, r4, lsr #32
    c0028fd0: 72756c42 rsbsvc r6, r5, #16896 ; 0x4200
    c0028fd4: 656c6143 strbvs r6, [ip, #-323]! ; 0xfffffebd
    c0028fd8: 7261646e rsbvc r6, r1, #1845493760 ; 0x6e000000
    c0028fdc: 766f7250 ; <UNDEFINED> instruction: 0x766f7250
    c0028fe0: 72656469 rsbvc r6, r5, #1761607680 ; 0x69000000
    c0028fe4: 65646f2e strbvs r6, [r4, #-3886]! ; 0xfffff0d2
    c0028fe8: 00000078 andeq r0, r0, r8, ror r0
    c0028fec: 00000193 muleq r0, r3, r1
    c0028ff0: 0113001c tsteq r3, ip, lsl r0
    c0028ff4: 50414d4f subpl r4, r1, pc, asr #26
    c0028ff8: 69766f72 ldmdbvs r6!, {r1, r4, r5, r6, r8, r9, sl, fp, sp, lr}^
    c0028ffc: 6e6f6973 mcrvs 9, 3, r6, cr15, cr3, {3}
    c0029000: 2e676e69 cdpcs 14, 6, cr6, cr7, cr9, {3}
    c0029004: 006b7061 rsbeq r7, fp, r1, rrx

    Any thoughts?
     
  7. denpth

    denpth Member

    Bingo, found the function! Basically it calls another function, omap_type, and gets a value of 1 or 2 from it, which then sets the string in proc. So we need to hijack at the point of omap_type and return 2 instead of 1.

    Edit: I'm going to work on this more tomorrow. I'm tired.
     
    #79 denpth, Nov 26, 2011
    Last edited: Nov 26, 2011
  8. wilboy

    wilboy Member

    Good luck man! This is the only way we can go back to its orig kernel.. wish we can unlock the bootloader... unlocking it... we can do more :)... and a lot lot more. :biggrin:
     
  9. ex0rcist

    ex0rcist Member

    Thanks again for all your hard work. See they got overclock working over at rootz? Running 1.5GHz... smushing rzr rezound AND Overclocked sgIIs... no problem :)

     
  10. Nyteravyn

    Nyteravyn Member

    Tat on my painted brother, lol

     
  11. Nyteravyn

    Nyteravyn Member

     
  12. prime

    prime Kernel Developer
    Premium Member Developer

    Good work on the disassembly; I do not see the call in what you posted. The numbers to the left are memory addresses, the next are 'jumps' to other locations, and finally there are the instructions on memory manipulation of the location.

    I didn't know there was a binary to omap_dev_type but, being there is, the source is where the answer lies. I have the sources but have yet to decompress all of it.
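Both of the points above (denpth's dump of `.data` and prime's reading of its columns) come down to the same thing: objdump was asked to disassemble a data section, so the "instructions" it prints are 32-bit data words forced through the ARM decoder and mean nothing. Rebuilding the raw bytes shows that the section is a table of file names, not code. The script below is an added example written for this page, not code posted by anyone in the thread. It embeds the first 21 words of the dump exactly as posted, recovers the bytes, runs a `strings`-style scan, and then walks the records using a header layout (u32 value, u16 record length, u8 name length, u8 type, NUL-padded name) that is inferred from the regularity of the dump and is an assumption, not something documented anywhere on the page.

```python
import re
import struct
from typing import List, Tuple

# objdump output as posted in the thread (first 21 words of the .data dump);
# the mnemonics are objdump's attempt to decode plain data as ARM instructions
DUMP = """
c0028f60 <_binary_omap_dev_type_start>:
c0028f60: 4f544f4d svcmi 0x00544f4d
c0028f64: 4e495250 mcrmi 2, 2, r5, cr9, cr0, {2}
c0028f68: 70612e54 rsbvc r2, r1, r4, asr lr
c0028f6c: 0000006b andeq r0, r0, fp, rrx
c0028f70: 000001d3 ldrdeq r0, [r0], -r3
c0028f74: 01080010 tsteq r8, r0, lsl r0
c0028f78: 2e6b7453 mcrcs 4, 3, r7, cr11, cr3, {2}
c0028f7c: 7865646f stmdavc r5!, {r0, r1, r2, r3, r5, r6, sl, sp, lr}^
c0028f80: 0000016a andeq r0, r0, sl, ror #2
c0028f84: 0113001c tsteq r3, ip, lsl r0
c0028f88: 61636f4c cmnvs r3, ip, asr #30
c0028f8c: 6e6f6974 mcrvs 9, 3, r6, cr15, cr4, {3}
c0028f90: 736e6f43 cmnvc lr, #268 ; 0x10c
c0028f94: 2e746e65 cdpcs 14, 7, cr6, cr4, cr5, {3}
c0028f98: 006b7061 rsbeq r7, fp, r1, rrx
c0028f9c: 0000134a andeq r1, r0, sl, asr #6
c0028fa0: 010d0018 tsteq sp, r8, lsl r0
c0028fa4: 72756c42 rsbsvc r6, r5, #16896 ; 0x4200
c0028fa8: 6e6f6850 mcrvs 8, 3, r6, cr15, cr0, {2}
c0028fac: 70612e65 rsbvc r2, r1, r5, ror #28
c0028fb0: 0000006b andeq r0, r0, fp, rrx
"""

# "address: 8-hex-digit word ..." lines; the symbol and section lines do not match
WORD_RE = re.compile(r"^\s*([0-9a-f]{8}):\s+([0-9a-f]{8})\b")


def words_to_bytes(dump: str) -> bytes:
    """Rebuild the section's raw bytes from objdump's 32-bit little-endian words."""
    out = bytearray()
    for line in dump.splitlines():
        m = WORD_RE.match(line)
        if m:
            out += int(m.group(2), 16).to_bytes(4, "little")
    return bytes(out)


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """The `strings` heuristic: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Record layout inferred from the regularity of the dump (an assumption, not
# documented anywhere on the page): u32 value, u16 record length including this
# header, u8 name length, u8 type, then the name padded with NULs to a 4-byte
# boundary (not necessarily NUL-terminated).
HEADER = struct.Struct("<IHBB")


def walk_records(blob: bytes) -> List[Tuple[int, str]]:
    """Parse (value, name) records; the dump begins inside a name, so skip past it."""
    # the header of the first name lies before the first dumped address, so start
    # at the end of that headerless name, rounded up to 4-byte alignment
    off = (re.match(rb"[\x20-\x7e]*", blob).end() + 3) & ~3
    records = []
    while off + HEADER.size <= len(blob):
        value, rec_len, name_len, _type = HEADER.unpack_from(blob, off)
        if rec_len < HEADER.size + name_len or off + rec_len > len(blob):
            break  # malformed or truncated record: stop rather than read garbage
        name = blob[off + HEADER.size: off + HEADER.size + name_len].decode("ascii")
        records.append((value, name))
        off += rec_len
    return records


if __name__ == "__main__":
    blob = words_to_bytes(DUMP)
    print("strings:", printable_strings(blob))
    print("records:", walk_records(blob))
```

The `strings` pass reports `Stk.odexj` because that name is not NUL-terminated and the first byte of the next record's value (0x6a, `j`) is printable; the record walk, which trusts the length fields instead, returns `Stk.odex`. It also skips `MOTOPRINT.apk`, whose header sits before the first address in the dump. That is the general lesson for reading a dump like this one: a disassembler's mnemonics carry no meaning in a data section, and even `strings` output needs the section's real layout before it can be read reliably.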
     