The opening of the Wave bootloader through FOTA - Bada Software and Hacking General

Hi everyone,
Many people have complained about the Wave bootloader being closed and that being a major problem for the development of alternative OSes.
I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.
OK, that said I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this, the bootloader will either run the phone in normal boot mode or go to download or upload mode.
Normal boot shall start with checking the FOTA module. If you already tried flashing your phone you probably noticed that some versions of the FW include a file with *.fota extension. The file is unencrypted and not signed. It's about 2MB, but the bootloader reserves exactly 3MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") under the 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in the download mode to load it.
After that, the code checks for additional magic values at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file is loaded to RAM location 0x43800000 and executed from there.
I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual one (to be bigger than 2.5 MB); it is attached. In case you want to repeat that, remember that the last 1024 bytes are not loaded, so insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at 0x100 offset and "BPDZ" at 0x280000. At offset 0 I've placed my code that started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading of the original FOTA file made the phone boot normally.
The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in the memory as well, we can use it, but I would not recommend that approach as we would need additional version control and changing original routines and data addresses for each version.
OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.
Best Regards,
mijoma
-----------------------------------
Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
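The post above gives everything needed to check a *.fota file before it is flashed: the module is read from NAND 0xC600000, the version string must sit at 0xC600100 (file offset 0x100), and "BPDZ" at 0xC880000 (file offset 0x280000) makes the bootloader execute the file's contents from 0x43800000, with the last 1024 bytes of the file never loaded. The following is an added example, not code from the thread or from any Samsung tool: it reproduces that decision logic over a FOTA image so a firmware package can be inspected for a jump marker before loading it. The offsets, magic strings and addresses come from the post; the sample images are constructed in memory and are not real firmware.

```python
"""Inspect a Wave *.fota image for the boot markers described in the thread.

Added example, not part of the original post or of any Samsung tool.
Offsets, magic strings and the NAND base address are taken from the thread;
the images below are constructed in memory, not real firmware files.
"""

NAND_FOTA_BASE = 0xC600000       # bootloader reads the FOTA module from here
FOTA_RESERVED = 3 * 1024 * 1024  # bootloader reserves exactly 3 MB for it
VERSION_OFFSET = 0x100           # NAND 0xC600100 - NAND_FOTA_BASE
VERSION_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
JUMP_OFFSET = 0x280000           # NAND 0xC880000 - NAND_FOTA_BASE (2.5 MiB)
JUMP_MAGIC = b"BPDZ"
TAIL_NOT_LOADED = 1024           # the last 1024 bytes of the file are not loaded
RAM_ENTRY = 0x43800000           # where the file is copied to and executed from

# The thread's two NAND addresses must map onto the file offsets used here.
assert NAND_FOTA_BASE + VERSION_OFFSET == 0xC600100
assert NAND_FOTA_BASE + JUMP_OFFSET == 0xC880000

VERDICT_NOT_INSTALLED = "FOTA Engine not installed / version mismatch: boot halts"
VERDICT_JUMP = "BPDZ present: bootloader executes FOTA payload at 0x%X" % RAM_ENTRY
VERDICT_NORMAL = "normal boot"


def inspect_fota(image: bytes) -> dict:
    """Report what the bootloader would conclude from this image."""
    # Only the part the bootloader actually copies into RAM matters.
    loaded = image[:-TAIL_NOT_LOADED] if len(image) > TAIL_NOT_LOADED else b""
    version_ok = loaded[VERSION_OFFSET:VERSION_OFFSET + len(VERSION_MAGIC)] == VERSION_MAGIC
    jump = loaded[JUMP_OFFSET:JUMP_OFFSET + len(JUMP_MAGIC)] == JUMP_MAGIC
    if not version_ok:
        verdict = VERDICT_NOT_INSTALLED
    elif jump:
        verdict = VERDICT_JUMP
    else:
        verdict = VERDICT_NORMAL
    return {
        "size": len(image),
        "fits_reserved": len(image) <= FOTA_RESERVED,
        "version_ok": version_ok,
        "bootloader_jumps_into_fota": jump,
        "verdict": verdict,
    }


def inspect_fota_file(path: str) -> dict:
    """Same check on a *.fota file extracted from a firmware package."""
    with open(path, "rb") as fh:
        return inspect_fota(fh.read())


def build_sample(size: int, with_version: bool, with_jump: bool) -> bytes:
    """Construct a FOTA-like image (sample data, not a real file)."""
    if with_jump and size < JUMP_OFFSET + len(JUMP_MAGIC) + TAIL_NOT_LOADED:
        # A stock ~2 MB file never reaches offset 0x280000; the marker must
        # also sit before the unloaded 1024-byte tail, as the post warns.
        raise ValueError("image too small to carry the BPDZ marker")
    buf = bytearray(size)
    if with_version:
        buf[VERSION_OFFSET:VERSION_OFFSET + len(VERSION_MAGIC)] = VERSION_MAGIC
    if with_jump:
        buf[JUMP_OFFSET:JUMP_OFFSET + len(JUMP_MAGIC)] = JUMP_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    stock = build_sample(2 * 1024 * 1024, True, False)
    modded = build_sample(JUMP_OFFSET + len(JUMP_MAGIC) + TAIL_NOT_LOADED, True, True)
    # Marker written, but the file ends right after it: it falls into the
    # unloaded tail, so the bootloader never sees it.
    truncated = modded[:JUMP_OFFSET + len(JUMP_MAGIC)]
    for name, img in (("stock", stock), ("modded", modded), ("truncated", truncated)):
        print(name, inspect_fota(img)["verdict"])
```

Run `inspect_fota_file("path/to/file.fota")` on the FOTA file from a firmware package: a stock file of about 2 MB can never carry the marker because it ends before offset 0x280000, which is why the proof-of-concept had to exceed 2.5 MB, and a marker placed in the final 1024 bytes is ignored for the reason the post gives.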

Very interesting ... great job

My little knowledge/experiments...
1.
I have NEVER updated FOTA manually before. I have never seen any errors like other users... with FOTA not installed or something similar.
Maybe the reason is that my test device has NO active SIM card, so no network...
2.
I've tested the examples from mijoma. On XXJL2 Boot...
Simply flash only the FOTA with Multiloader.
At your own risk. Not all sideeffects known.
I had NO problems.
3.
Results... I can't see anything special after flashing. But I can go through the internal menu, see pictures.
http://forum.xda-developers.com/showthread.php?t=906966
Normally I have more messages... but with the modified FOTA the Wave restarts. So the way is correct.
4.
Delta files are sometimes also in the firmware with Boot... I will add a link next to what I found about delta files...
Delta files are part of the FOTA concept...
5.
Depends on the firmware... Software update... but sometimes this point is removed and I can't log in, because there is no network...
In other words, I have to start FOTA over this internal menu to see that it is doing something.
Best Regards

@adfree
I think you are testing the previous version. Could you confirm you are using mod version 2?
Best Regards,
mijoma

bplib_S8500OpEuro_XXJL2_mijoma_mod2.zip
You are right, not tested yet. Only prior Version.
I will test today mod2 and report later.
I have to flash back to XXJL2... as I play actual on Orange JE7.
Thank you.
Best Regards

YT: watch?v=A35k3E1F1O4
It's working....
Best regards.

Amazing job dude. It seems like this could help us to change booting stuff

Nice work mijoma !!!

I can confirm it works.
Now I see the same like on this Video:
http://www.youtube.com/watch?v=A35k3E1F1O4
Thanx jedil1 for Link.
Sorry mijoma.
I have no idea where I made mistake...
This time my first Test was Full Flash (without Boot)...
Second only FOTA and it works too... Original, then yours...
If you flash "Full", then you interrupt the index process at start, where the blue screen shows...
Best Regards

Great job!!!
And in my opinion, this is the single way to get fully working Android started on the S8500,
because we need to initialize the modem at the bootloader stage for the fuel gauge.
I temporarily use the modem from the M130K without the fuel gauge.

Few Firmware packages have Delta files:
Code:
delta.bin
delta_AP.bin
delta_CFS.bin
delta_CP.bin
delta_CRSRC.bin
delta_FS.bin
delta_LFS_01.bin
delta_LFS_02.bin
delta_RSRC2.bin
Around 16 MB...
If I use Google for "Delta Files FOTA"... then I can also find this:
http://www.faqs.org/patents/app/20100175062
Theory/ideas
What we also can do with this Security hole:
- maybe "move" the System folder to SD or internal memory, to have no more problems with RC1
- maybe someone is smart enough to integrate a dump function to dump the whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards

adfree said:
- maybe someone is smart enough to integrate a dump function to dump the whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards
I think that Samsung has thought of that already. I had not analysed it so far, but there's an UPLOAD option in the bootloader (handled by somewhat separate code from DLOAD). I haven't got the Wave, so I never tested it.
You can make a patch on my mod and place a direct jump to that code. I've made a quick patch so you can try it out. I don't know whether there's any software that can handle that mode. I've had a look and there are several funny commands that can be used:
"PrEaMbLe"
"AcKnOwLeDgMeNt"
"PoStAmBlE"
"PoWeRdOwN"
"DaTaXfEr"
Remember that this time we're dealing with some real functionality of the bootloader and that may have some consequences, so use at your own risk.
Best Regards,
mijoma
----------------------
Edit: Sorry if anyone tried loading it. By mistake I've used addressing from XXJEE. I've changed the name to represent what it was and added a correct file for XXJL2 bootloader

Upload to PC is in combination with Debug Mode higher than Low...
After you see the bluescreen with very interesting info you can press a button, then "Upload to PC" is on screen. But I don't know how to catch the data, as no COM port is visible.
Btw...
Now I know where I made big mistake.
For the first tests I used XEKC2 firmware with the XXJL2 bootloader, as I thought it's only bootloader related. Sorry.
My fault.
So there must be more than the bootloader from XXJL2 in the handset to run FOTA Mod2 successfully.
About new Mod with Upload, I will investigate this time better, before I'll report.
Thank you.
Best Regards

We need to get this guy a wave to test stuff on! Who wants to donate theirs ha

sabianadmin said:
We need to get this guy a wave to test stuff on! Who wants to donate theirs ha
It may have sounded like a joke, but I second that....
He seems trustworthy and very capable of being successful, just like adfree, oleg_k and the other guys over there.

I have my PayPal account limited, but in 1 month I'll be able to donate maybe 20€.

Thanks guys, but I don't think it's necessary.
I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.

The question is more whether you would like a Wave for your efforts, as otherwise you really won't be able to benefit from your own work when we have MeeGo, Android, webOS etc. booting on the Wave. There's no extra pressure; sure, you have already done the trickiest part of the work.

No, I'm being completely honest here. I find this a rather weird form of relaxation rather than work.
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.

mijoma said:
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
You are a champ, buddy
Good luck !
Sent from my GT-I9003 using XDA App

Related

Trouble with my Asus MyPal A626

Hello!
I recently bricked my MyPal A626. In the last weeks I tried several things, but until now I wasn't able to figure out how to fix this thing.
I know that you can flash the ROM via the USBLoader.exe over USB. But I need a .nb0 file for this.
Perhaps there is someone in this board who can help me out with this file?
You should be able to dump the rom with the itsutils over RAPI.
http://wiki.xda-developers.com/index.php?pagename=XdaUtils
It should be something like this:
1) pdocread -t
2) pdocread -l
3) pdocread 0x0 xxxxxx nk.nb0
One of the first commands gives you the length of the ROM.
I can't test it by myself because my device is bricked.
Perhaps it would be enough if somebody with an A626 can execute the first and second commands and post the output here.
It would be very great if somebody can help me!
BTW:
I have got a Backup... But the bootloader doesn't want this. It reads everything from USB but it isn't flashed. And I have absolutely no idea why.
I can upload this file to rapidshare if somebody wants to look at it.
I really hate to resurrect an old thread, but I am having the exact same problem. ASUS tech support has been rather less than helpful. They won't provide a NB0 file to end users, nor any fix tools that would work with the encrypted image or anything like that either. They told me I have to RMA the thing after passing me back and forth and giving me the runaround for about an hour or more even. Only, I STILL haven't gotten a response from the RMA department even... The person I tried to do this update for REALLY needs her PDA back already and I find this whole situation to be quite unacceptable. I only had to attempt to use the update in the first place because they made a screw-up that makes the SD card inaccessible without reinserting after pressing the power button... A pretty big screw-up IMO considering that good PDA practices really require one to run as much as possible from the SD card for the sake of wasting less resources in a device that already has all too few resources to begin with... (Then again, MS still hasn't caught on to the fact that minimizing rather than closing programs on a device that has so little memory is rather less than ideal, so I guess there's nothing new in that area.) The funniest thing of all is that I wasn't trying to modify it or anything like that, I just did the update right by the manual needing only to get the SD card fix and it STILL went wrong (especially I find it annoying that the update process did a checksum on the update.img file and reported that the file was actually correct, then it fails AFTER completely flashing and doesn't bother to make any kind of recovery).
If anyone could help me out with a NB0 for this thing, I'd REALLY appreciate it. I just want to get it up and running again so she can use her PDA for getting organized as she has been desperately needing for so long.
BTW, should the OP ever read this, I have noticed that if you send the right things, it WILL try to flash. I once sent the update.dat file in the hopes that it might include information needed to make the flash work (it was my hope that the process was a little smart and that it would, therefore, use the DAT file for information on the flash and then include the needed image.) The device actually did make a flash with this file. Of course, the flash obviously didn't work, but the point is that it can do a flash through this method if you send what it's looking for.
GOOGLE this A696_dump_wm5_eng.rar
No good. Both links Google finds are dead (I see two different posts in two different forums, but actually each links to the same links and these are both dead.) I did see a reference to a "A696_dump_wm6_2_eng.rar" but it too is dead. (One of those two forums was this one, I see, surprisingly enough considering that the first thing I did was run a search as is evidenced by finding an old thread -- but then I must admit that I was searching for A626, not A696...) The next closest I can find through this search is a Russian dump for an A636N. I don't have an A636N and I can't read a word of Russian. That link is still alive, but I'm not even going to try it since even if it were actually compatible with the A626 (and I'm betting it's not) it still would be as good as a brick to me.
But anyway, is the A696 ROM actually directly compatible with an A626 system?
EDIT: I stand corrected! The link for the 6.2 update on the A696 isn't dead after all. When I tried last night it would just spend a REALLY long time trying to load and eventually either time out or produce a database error. When I tried today though, it did successfully download. Looks like it does work. Thank goodness because the PDA's owner really needs a working PDA, and ASUS seems rather less than helpful...
Nazo said:
But anyway, is the A696 ROM actually directly compatible with an A626 system?
EDIT: I stand corrected! The link for the 6.2 update on the A696 isn't dead after all. When I tried last night it would just spend a REALLY long time trying to load and eventually either time out or produce a database error. When I tried today though, it did successfully download. Looks like it does work. Thank goodness because the PDA's owner really needs a working PDA, and ASUS seems rather less than helpful...
626, 686, 696 are the same series, aka Asus 6x6 or the Cannes. If you go to the Asus website, there is a single ROM for these 3 models.
What's the 6.2 update you are talking about? Anyway, let me know if you still want the 6x6 WM5 dump file. I can upload it somewhere.
Well, I went ahead and flashed despite worrying about model compatibility. I figured they were the same basic hardware, but I figured that it was always possible that there could be important differences such as memory latencies or such that could make it incompatible perhaps even to the point of danger. But, it's just the software end of things more than anything else, so I figured that it couldn't brick the PDA any worse than it was already bricked and went ahead. As you say though, I have noticed that you are correct that they do use the same ROM for all three models on the official site anyway, so it works 100%.
As for the 6.2, it's in the link I provided to a topic here on this forum. The only other result you'll find on google is just a site in Russian or whatever where they repeat the exact same links for each of the files so you might just as well use this one. It's hosted on MediaFire which was really screwed up when I posted that it was a dead link, but it seems to have recovered and I was able to download that updated ROM from there. I think that you may have to look on the previous page from the link I gave though.
I must say though, I'm glad to have found that one. I HAD to do the update. You see, it was more than just an update to WM6.2. It also included a lot of bugfixes. The most notable being that the system would no longer recognize the SD card after a suspend for a while (or several suspends -- I never was sure just which was the culprit.) Resetting or ejecting and reinserting fixes it, but she was having troubles with this because she isn't exactly the most technosavvy person I have ever known. The SD card disappearing bug was a fatal flaw because she must load up things such as books and such via SD card and all of it together adds up to well over what can fit safely in internal memory and the file storage combined (but which easily fits on a 2GB SD card) and I needed that update, so if I had to get the WM5 ROM again I'd have to just update again and again as many times as it took to get past the bricking. This way I needed only load up the ROM once and that was it. ASUS really needs to create a tool that can load the encrypted ROM from a PC like HP has done (I've bricked my h1945 PDA while attempting to update it once before and was able to fix it quite easily just as soon as I figured out how to get into the so called "parrot mode.") and such so we don't have to resort to such means to fix them...
Anyway, now I need to get started on loading up all of the stuff she needs.
I just bricked my A363N - WM5.0->6.0 upgrade failed (SD card read error).
Now I'm trying to make it work again.
Russian WM5.0 doesn't work - stops on the calendar screen.
I wonder if I can try to upload update.dat file from the Asus wwe.rar
with SD card inserted and containing Update.img.
Is the update.dat file in .nb0 format ?
Is the A636 actually the same series? If not that post belongs in an appropriate thread instead. If it is, why are you trying to use the Russian update? Just use the plain English one. Here, it's in this post on this site: http://forum.xda-developers.com/showpost.php?p=1495484&postcount=126 I checked and the link is still alive right now.
Yeah, very cool.
I remembered this post 10 minutes ago.
I will try the 696 firmware... Lets see if we can get this ****ing machine running the moon
Meanwhile I tried several things with the update.img file. The "encryption" is a simple XOR with 0xd0 ^^
But even if you XOR the whole file with this value you still don't have a valid nb0. I tried many times to cut the firmware out with a hex editor at the obvious places in the file (go and see for yourself if interested) but none of this worked.
edit:
It doesn't seem to work for me... The file gets flashed and the device reboots.
After that it still gets stuck at the blue asus screen but it is recognized by the computer as a RNDIS device.
another edit:
WOAH... I tried it again and now it works.
It seems that the battery was empty because of all the previous tries.
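The post above reports that update.img is obfuscated by XOR-ing every byte with 0xd0, and that undoing the XOR alone does not yield a usable nb0. The following is an added example, not code from the thread or from ASUS, showing the two checks an analyst would run on such a file: recovering the single-byte key from byte statistics instead of guessing it, and a crude printable-ratio test that tells a correct decode from a wrong one. It assumes the plaintext's most common byte is 0x00 (zero padding dominates most firmware images), and the sample "image" is constructed here; the real nb0 layout is not described on the page and is not modelled.

```python
"""Undo single-byte XOR obfuscation and sanity-check the result.

Added example, not from the thread or from ASUS. The plaintext below is
constructed; the real update.img / .nb0 layout is not modelled here.
"""

from collections import Counter


def xor_with_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key, the scheme the post describes for update.img."""
    return bytes(b ^ key for b in data)


def guess_xor_key(data: bytes) -> int:
    """Recover the key from byte frequencies.

    Assumption: the plaintext's most common byte is 0x00 (zero padding),
    so the most common byte of the obfuscated file equals key ^ 0x00.
    """
    most_common_byte, _ = Counter(data).most_common(1)[0]
    return most_common_byte ^ 0x00


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are zero, printable ASCII or whitespace.

    A correct decode of a padded image scores much higher than the raw file,
    which is a cheap way to confirm a recovered key before going further.
    """
    if not data:
        return 0.0
    ok = sum(1 for b in data if b == 0 or 0x20 <= b < 0x7F or b in (9, 10, 13))
    return ok / len(data)


def build_sample_update_img(key: int = 0xD0) -> bytes:
    """Constructed sample: a header string plus zero padding, XOR-obfuscated.

    The header text is invented for this example and is not the nb0 format.
    """
    plain = b"CONSTRUCTED-IMAGE-HEADER" + bytes(4096) + b"end-of-sample"
    return xor_with_byte(plain, key)


def decode_update_img(data: bytes) -> tuple:
    """Return (recovered_key, decoded_bytes, printable_ratio_after_decode)."""
    key = guess_xor_key(data)
    decoded = xor_with_byte(data, key)
    return key, decoded, printable_ratio(decoded)


if __name__ == "__main__":
    sample = build_sample_update_img()
    key, decoded, ratio = decode_update_img(sample)
    print("recovered key: 0x%02X" % key)
    print("printable ratio before/after: %.2f / %.2f"
          % (printable_ratio(sample), ratio))
    print("decoded header:", decoded[:24])
```

A recovered key and a high printable ratio only tell you the XOR layer is gone; as the post says, what is left still has to be carved or reassembled into whatever the loader actually expects, which this example does not attempt.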
Unsuccessful ROM flash
Hello,
I bricked my Asus 696 trying to do an update from the Asus site.
Can you tell me some methods to repair it using the SD card, because the method with usbloader.exe and nk.nb0 is not working ("USB pipe opening error", I tried on several computers and many USB ports).
Also, how can I transform the nk.nb0 flashing image into a *.dio image (I understand the last one can be used to boot and repair automatically from the SD card, is that real???).
10x a lot
Still not working
Any new idea to reflash the ROM for an A696?
Hello to you
Any news about how to make a ROM upgrade for the Asus A696?

Stupid question - are ROM files REALLY ROM files?

Hi. I am relatively new with the PDA scene and as much as I would have loved to read an answer to my question from some other thread instead of starting a new one, I could not do it cos there are none. At least in "idiot's guide" style.
To the question that is stated in the title. As much as I have understood, there are (at least) three storage areas on a device (mine being Vodafone v1520) - the ROM, the EXT ROM and the files that we see on under "My Device" in Explorer. Some of the files have been marked as "ROM" if to look at the properties and those cannot be deleted (at least I haven't found any way) but they can be overwritten (with Resco or smth). The point of my question is that when I overwrite the WELCOME.GIF file (marked as ROM file, it's VF splash screen) it does overwrite it nicely (confirmed) but when I hard reset, it's back. Although I don't understand also why after overwriting I still see the VF logo instead of my own file, that is a separate issue.
The reason I am asking this is that nobody in this forum has been able to answer me how to unlock the EXTROM part on that ASUS P550 that I have. So I thought maybe if I change the STARTER.EXE or GENERALINSTALLER.EXE to something pointless, the EXTROM part won't be installed.
Although I suspect the VF logo is displayed from EXTROM part while booting, cos there is nowhere else that same file in normal storage.
Summary:
1) Does changing files marked as "ROM" really change ROM files or is it until the next hard reset and why?
2) Does anyone know how to unlock and unhide the EXTROM part on ASUS P550?
3) Does anyone know where the VF splash screen comes from while booting?
If anyone has ANY information on these issues, PLEASE enlighten me. It seems that there are a lot of senior members who have the knowledge but are quite unwilling to share it. I don't know why but it seriously sucks that they don't reply to threads or PM. I thought this forum was for helping each other, not giggling behind the screen: "I know something You don't". At least that is the impression that I have recently gained when trying to contact people that have the knowledge.
Thanks.
aiiro
The answer to your "stupid" question - "are ROM files REALLY ROM files" - is NO.
The question is not stupid and the files are really not the files.
Actually you only have the information about the files in ROM - the name, the size and other attributes. That's it.
You are not really overwriting anything when you copy a different file with the same name to ROM.
If you somehow dump the ROM from your device - you'll get real files.
Welcome Gif can permanently be changed only in dump.
Unlocking EXTROM .... I am not sure that I got what you mean. And why do you want to do that. But do the following: with Resco Registry go to
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC2\FATFS
Change MountHidden value from 1 to 0
You will be able to see the EXTROM content.
VF splash screen definitely comes from Windows folder of your device while booting - it's a part of the ROM.
OK, thanks for a quite thorough reply, but I still don't get it then - why does Resco (or similar prog) ask to overwrite the file? OR, if it doesn't overwrite it, how do I see the new file in Windows folder and the prog looking for splash screen file does not?
The EXTROM fascinates me because after hard reset the device is installing some "Auto Installation packages" and as far as I have found out those come from the EXTROM. I suspected that the WELCOME.GIF came from there too but now I am not sure. Might have to dump the ROM somehow and look into it but there are not many people with P550 and like I said those who have, don't have the willingness to help with that.
BTW, thanks also for the tip about the registry, but I have tried all the registry tweaks that I have found (including the abovementioned) but none of them work...
Thanks again and looking forward to Your (or anyone else's) comments.
aiiro said:
OK, thanks for a quite thorough reply, but I still don't get it then - why does Resco (or similar prog) ask to overwrite the file? OR, if it doesn't overwrite it, how do I see the new file in Windows folder and the prog looking for splash screen file does not?
Resco has been done like you have!
Try to do the following: copy your own Welcome.gif to Windows folder. You will be prompted to overwrite. Say yes. Then simply delete that file. It will not disappear - the old version of file will become visible again. ROM is not a number of files - it is one file which contains a copy of the data that later will be written (flashing process) straight to a read-only memory chip.
(Pay attention on my words "read-only")
Imagine yourself a wall painted with a hell of 100 dollar bills. You can see them. But you cannot take one of them. You can even glue you own bill upon the drawn one. It will work. But when you wash the wall (hard-reset) - your real paper bill will be washed down and the old painted one will appear (sorry for metaphor)
aiiro said:
BTW, thanks also for the tip about the registry, but I have tried all the registry tweaks that I have found (including the abovementioned) but none of them work...
Thanks again and looking forward to Your (or anyone else's) comments.
Nothing works probably cause the registry is write-protected. Unlock your registry by changing the following:
HKLM\Security\Policies\Policies\00001001 = 1
HKLM\Security\Policies\Policies\00001005 = 40
But! You should do it with the digitally signed regedit. For example, one is attached. Unzip it to your device, run it, change the security policy settings, reboot. Then try to tweak your Asus again.
The attached regedit has OEM Sign 2005 - hopefully it will work for you.
Thank You for a thorough explanation and especially for the metaphor - it was very helpful.
But about the registry - wow... I mean I haven't even heard of unlocking registry...
As usually, answers are generating new questions. The ones I have now are:
1) How come some of the registry tweaks made with Resco still work even now - like showing the clock instead of battery (changing the TBOpt key) etc and the values are still there after soft reset?
2) Resco is also digitally signed, isn't it?
3) If I use this app, will hard reset still create a clean registry? (The answer to this probably is "yes" but I still ask just to be sure).
4) Can I seriously f**k up something with this method?
Thanks in advance.
But
aiiro said:
... answers are generating new questions. The ones I have now are:
1) How come some of the registry tweaks made with Resco still work even now - like showing the clock instead of battery (changing the TBOpt key) etc and the values are still there after soft reset?
2) Resco is also digitally signed, isn't it?
3) If I use this app, will hard reset still create a clean registry? (The answer to this probably is "yes" but I still ask just to be sure).
4) Can I seriously f**k up something with this method?
Read your PM - sure I don't have any subscriptions, but it's OK (I mean PM) - it works.
So:
1. The point is that not the whole registry is write protected - only several "important" parts, mostly in HKLM. Normally, if you change something in HKCU it will work even with the protected registry. The vendor only protects the keys and values that can cause some "critical" system changes.
2. To tell the truth - I know that Resco has a digital signature - but anyway its permission level does not allow you to modify the protected keys. So that's why I offered you to use a Regedit signed with the customizer's certificate.
3. For sure - after HardReset you will return to factory defaults completely - it means you registry will again become clean and write-protected.
4. It depends upon what you mean writing "seriously". The worst thing - to damage the bootloader, but you will never do that modifying the registry. So - feel free to do whatever you want - you will always be able to return to factory defaults.
OK, thank You very much for the explanation! I have bookmarked like 200 pages related to PDAs, which means that if even only every 10th page gets bookmarked, I have gone through thousands of pages in 4 months and I haven't stumbled on this information before. So everything You have enlightened me about here is most useful, thanks again!
I hope I will not push it but since You have been so helpful and seem to know stuff, I am risking asking some more questions. First of all, would You happen to know a good "idiot's guide to flashing ROM"? I have read those on the wiki but as they are for HTC devices and asus mobile club russia does not have any basic explanation in English, it's pretty hard to catch the idea. I know that much that there is a PC involved with some kind of programs etc, but that's about it. I don't even know what the hell is a bootloader. There also isn't any good PDA architecture drawings lying around in the net
The second question is also related to hardware. I have the Vodafone v1520 as mentioned above and it has a small annoyance - the earpiece volume adjustment during call does not work. The slider moves and I hear the clicks getting louder or quieter but the volume level of the caller voice does not change. I took it to a repair shop and they told me that it's a faulty hardware but I know that there are people with exactly the same problem in this forum and I find it hard to believe that they installed some kind of faulty earpiece on all these devices. Or is that possible? What do You think?
Thanks.
aiiro
Sorry dude but both your last questions are about the specific device - your Vodafone. To answer - I should buy Asus P550 and get an experience first. It's only 700 bucks in my country but I am not sure that I really wanna have it. My current device (pretty old now) is P525 and the next one will probably be Diamond or something better and more expensive.
Second thing - I am not IT professional - I am just a user. OK, I always use my own (cooked) ROMs but it does not mean that I can give the answers to all your questions!
OK, I knew I was pushing it a little bit and in no way did I mean that You should make some kind of spendings. I just thought maybe You had any ideas and maybe ASUS devices are similar enough that they are compatible ROM-wise with each other or something like that.
Anyway, thanks for those thorough replies - You have been most helpful! As soon as I will have some time I will try the registry things out.
Thanks again and good luck!
Try to install this cab file; I made it. You can contact me on QQ: 421264988 or by e-mail: [email protected]
I'm sorry, I'm Chinese and my English is very poor.
Try installing this CAB file. My phone is also a P320; after installing it the unlock succeeded, but the programs installed afterwards don't show up in Remove Programs. Feel free to get in touch, my QQ: 421264988 E-mail: [email protected]
Sorry, I am Chinese and my English is very poor.
Modified registry values don't survive reboot?
Try switching the device off before reboot.
The registry is not flushed to disk at every write.
And search the net for
flushing registry pocketpc
newxda-new said:
Try switching the device off before reboot.
The registry is not flushed to disk at every write.
And search the net for
So if you reset the handheld without putting it into suspend mode before, you risk losing configuration data (registry settings)?

Slyfer - Old Firmware Downloader for Samsung Mobiles

Hello,
I have made a firmware downloader that had the ability to download all Samsung mobile firmwares, but since March this year Samsung changed the server and is using a new system for getting the data. However, this tool could help someone who may find the new way to download firmwares; it already has access to the old server, only the firmwares have all been transferred to the neofus server.
It could help someone, maybe. Because I am not allowed to do anything here, as I am new, I will try to support the new developers.
It is developed in C# .NET 4 and you will need Kies installed, or the fuscryptlib registered, found in the Kies folder or in the app folder:
regsvr32 %Path%/fuscrypt.dll
Should I explain that this downloader also had the ability to download Android firmware and so on? Maybe there is someone who can make it.
Before March it was the ultimate tool to get every firmware from the server. I tried on my own to make a new one, then my developer mentor tried it; we failed due to lack of time.
Just downloaded the "Slyfer300" app. The UI is superb. Just a pity Samsung has changed the server for their firmwares and we cannot use this tool for now. Let's hope and pray someone comes along and lends a hand to complete this wonderful app, so that we can easily download and flash firmwares manually without the need for Kies.
I included a screenshot of this superb app below, for the eyes only (until it becomes a fully functional app).
The app worked for half a year; Samsung changed the servers in March 2011. I was at badanation.de before and developed it in the past. The app was secret and we offered everyone free firmwares of their choice; the only rule was that it was only for badanation members.
I published it because maybe someone here at XDA could make it work with the new server. That was a cool time, when you started the app and could download any firmware you wanted.
The old system was based on a PL/SQL query over PHP. I found a bug in the system and could request the whole firmware database; you can see in advanced mode what was possible.
Also user names and their ... were visible, but I never wanted to damage Samsung; I always wanted to help other users with the firmware problems we all have.
The new system is a little bit tricky: signatures and so on, no more PHP.
As I know, there are some nice developers here at XDA who could maybe improve it. Let us see what the future brings us.
Hi, nice tool. Unfortunately it's not working with the new servers. I have made a tool that can download the latest firmware from Samsung's new servers, but it still requires an old firmware as input. I have not found any way to browse all firmwares like you could on the old server. A lot has changed in the way you request firmwares, and it is unfortunately not possible to reuse this tool on the new server.
Yes, it was not simple to find out the right PL/SQL commands for Oracle; it was more a trial-and-error thing. But as I saw in Kies, the listing method still exists on the new server; it is the same database, only with a new system. I have done some Kies 2 research but then gave up, because of lack of time. I had a tool that could download with the new request system.
All you need is to pass through the right PL/SQL command. In Kies you find a CarrierTestMode and a ServiceCenterMode; one of these two can list the whole phone binary database. The code is too huge; I haven't done a lot since the half year Slyfer worked.
In a sense you simply need to find out the right command, and also what is necessary to find a security hole on the new server. On the old server it was prohibited to execute SQL statements except for predefined calls, but I found a way, as you see; it was more an Oracle bug, how you can get in anyway and get the whole database information out with dictionary commands. It was at least easy enough to get everything out of there. Then I did some facelifting and made an advanced mode for myself, to be prepared for changes, but near the end it didn't work any more.
I think you can get in like Kies, without authentication, as before, because no username or password is needed if the table is accessible by everyone; it's like free-to-air.
If you need some tips on how I found the way in, I can help you. I don't know how to encrypt the new way, but I know that the answer is in FusCipherUtil.dll, I think it is named so, I don't know exactly; Kies is like an open book, as you also seem to know.
Forgot one thing: if you try to send an SQL command that lists the whole database, then you will get a timeout, because Oracle needs time to collect all the data. I had problems receiving even simply sized calls from it, so you must limit them so that you can receive the data in time; everything over a minute doesn't work, as I remember.
Around 1250 rows was the maximum for my requests; everything above that threw a server timeout.
Your program is more powerful than CheckFus.
Advanced mode is very great. Very frustrating, can't use it for now.
Hello larioteo, are you still working on the new Kies app?

Features of iROM

What functions does the iROM perform in Samsung's Wave line of devices?
Sent from my DROID2 GLOBAL using XDA App
To be clearer, what roles does iROM fulfill?
Exactly the same as in SGS and Odroid with S5PC110; the iROM code is exactly the same. It MAY differ between CPU revisions (there seem to exist 3 hw revisions of this SoC CPU: evt0, evt1 and evt1-secure), however it has not been confirmed, and it seems that in all these phones there are EVT1 revisions.
iROM functionality is pretty well described in the S5PC110 datasheet, and also on the XDA SGS forum. In "Let's save some bricks" you can find iROM dumps from I9000 and S8530 (exactly the same).
It CAN boot from OneNAND flash, MMC flash, UART and USB interface, depending on the OM (operating mode) pin settings (there are 5 such pins), in secure and non-secure boot mode (here the iROM code is checking the secboot key stored inside the S5PC110, which is set to non-zero in the EVT1-SEC revision of the CPU, so probably the iROM code is the same in both the secure and non-secure revisions). Although it has been confirmed 100% that they are physically pulled up (2 of these) and pulled down (3 of these) on S8500 (most likely on I9000 and S8530 also, because the mainboard part under the AP is basically the same design, slightly modified), with no way to change it without soldering/cutting anything on the mainboard. It is configuration 01001 if my memory isn't failing, which forces the iROM to boot from OneNAND in 4k page mode (or something like that; I'm too lazy to look into my notes now, sorry. Again, it has all been described in the "Let's save some bricks" thread).
Hope I cleared it up for you a bit.
Is the iROM in Samsung Wave devices secure?
What do you mean by 'secure'? You can see the dumps yourself if you are looking for vulnerabilities.
When I say "secure" I'm talking about the boot ROM and whether or not it performs integrity checks (a.k.a. signature checks) on the first stage bootloader. You can't determine that by looking at the firmware. I know you don't consider that to be too important, but I do.
Sent from my DROID2 GLOBAL using XDA App
It has got code checking the BL signature, but it is executed only when it finds the S5PC110 SECKEY bits nonzero. These seem to be always zero in the EVT1 hw revision (the EVT1-SEC revision does exist but probably doesn't appear in any Wave or SGS).
Also it has got code for checking the BL checksum stored at the beginning of the boot sector (in case of flash memory corruption), but it is in a somehow big cascade of ifs and doesn't appear to be executed always (but may be in fact; I haven't dived deep enough to check what exactly the conditions are that affect it).
The boot sequence in Waves (these have got OM pins hardware pulled down and up, not like Odroid, which has got jumpers to manipulate them) I assume is something like this:
- try to boot from oneNAND (with checksum)
- try to boot from MMC0 interface
- try to boot from UART2 interface
- try to boot from oneNAND (without checksum)
- infinite loop
Consider it a possible assumption only; much more info here: http://forum.xda-developers.com/showthread.php?t=1018862
Master Melab said:
When I say "secure" I'm talking about the boot ROM and whether or not it performs integrity checks (a.k.a. signature checks) on the first stage bootloader. You can't determine that by looking at the firmware.
How do you think we determine that? Exactly by looking at the iROM assembly. Why can't you do that?
The iROM does use the processor's internal security subsystem, but I had little time to analyze how. Basically, it does have an option to verify BL1. BL1 and BL2 do hashing and signature verification before shadowing the next bootloader stage, if it's enabled in the SFR responsible for security.
So, if I understand this correctly, the boot ROM/processor inside the Samsung Wave has the capability to perform signature checks, but it is not enabled.
We are not sure about what's on the market. We may speak about individual cases. Still, to load a BL, it needs to go through JTAG or BL3, which verifies what is loaded. The vulnerable FOTA capability (still, it requires valid firmware with FOTA enabled; all described in the 'FOTA thread') gives some perspectives, but everything low-level requires some know-how, effort and patience. Especially the effort part seems unattractive to most XDA users.
So BL1 is very hidden from interaction with external tools and utilities?
What kind of utilities? You may find an ELF with symbols (yay!) for disassembly in the thread adfree started some time ago. Some stuff there would require SRAM and iRAM dumps (calling functions in iRAM) for the analysis, but the dumps are empty on our units (I don't assume unreadable, as generally we make dumps with the very same privileges as the calling code).
Never mind. What is AMSS? Is that the radio firmware?
I'm sorry Rebellos, but your link does not work. And correct me if I'm wrong, but is the public key in the Hummingbird processor (the S5PC110) the same across all devices that use it? Also, where can I find the documents on the S5PC110 that discuss things like SECKEY, if you have them?
Sent from my DROID2 GLOBAL using XDA App
Oh, sorry. Fixed it:
http://forum.xda-developers.com/showthread.php?t=1018862
And in general you can find much more about this iROM in various threads there:
http://forum.xda-developers.com/forumdisplay.php?f=656
midas5 and TheBeano seem to be better informed.
Oh well, it's only a few KB of code. Just grab it and find the answers by yourself:
http://code.google.com/p/badadroid/downloads/detail?name=0x0.0xFFFF.bin&can=2&q=
Does this CPU even have any hardware public key? I don't know of any.
Only a very small amount of technical info about secure boot can be found in the User Manual for S5PC110_EVT1. It is possible that deeper documentation about it may not even exist, and additional info can be obtained only through Samsung business tech support, directly from their devs (it hasn't been proven that Samsung does use the EVT1-SEC version of the CPU, so who would...?)
AMSS is the radio OS, which is loaded into shared memory by the AP and started by the DBL (modem bootloader), which is sent in a few parts from the AP to the CP through the UART0 interface and then by OneDRAM sharing.
iOS (iPhone) on Wave possible...???
I've pondered something similar: swapping out Apple's A4 processor for a Hummingbird processor to bypass SHSH signature checks. Although both being manufactured by the same company may not mean anything, they share the exact same ARM core, according to the teardown by Chipworks. I'm interested in bypassing the hardware aspects of the restrictions that are put on electronics.
But running iOS on the Wave would be hard. First off, iOS uses an entirely different kernel, XNU. XNU uses kexts (kernel extensions) as drivers, so you would have to find out how to write kernel extensions compatible with ARM. Apple is very locked down about their x86 platform, even more so with iOS, so I don't think you'll get a tutorial on how to write a kernel extension for iOS without a little bribery. Second, there are a lot of other things that you would have to change. If you want to stay sane getting iOS to run on the Wave, you'll need the source code.
Can we collect different ways to dump the iROM, please?
I'll try to use JTAG (RIFF Box)... and maybe commands to read this area...
Any useful hints are welcome... for S8500 without installed Android...
Thanx in advance.
Best Regards
You have to know that the iROM has already been dumped from S8500 and S8530 using prepared FOTA code. :D Posted it somewhere, I think...
...from S8500 and S8530 using prepared FOTA code. :d Posted it somewhere I think...
The dump from S8530 I've found.
But not S8500, nor FOTA...
Maybe someone can please give me the link to the FOTA file... then I can try it at home.
Thanx.
No problem if all handsets have an equal iROM dump. I will only do it for my own study at home.
Best Regards

Uconnect 8.4 ver 17.11.07 trying to "root"

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread, but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as for the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B, if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get the SSH password or key.
devmihkel said:
For good or for bad, NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well, yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be a no-go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/search keyword is "ota_update" instead. Otherwise all the same: image valid after the edit and script.sh gets fired, at least on 16.33.29 that is. @HanJ67 Did you actually try to mount installer.iso after the edit and check /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, the 2nd attempt is much better, as the last Lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in the update/jailbreaking run; these ones become relevant only once you are in (and need to enable some app or WiFi or navi features etc.). AFAIK 17.x blocks Ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replace the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 byte mark in the older versions, with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the manifest.lua file, I would give that a shot to be thorough.
Do you have an idea how to connect by USB2LAN adapter to uConnect?
Do you know if there are UART pins on the mainboard?
Hello, any news about it?
hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
thanks a lot
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original NAND containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original NAND chip, then switch it (hopefully there's a big enough window to do this by hand) and present the modified NAND before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process.
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you have replaced.
If it's not too much trouble, it would be interesting to see the changes you've made with some screenshots.
So we could work on two fronts. The idea of the double NAND is good, but not very simple to make...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CD-ROM image, but is not mountable on my Linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hex edit the ifs-cmc.bin file it reveals another little treat... an SSH root public key (not as nice as a private key, but hey)
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
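The nested layout martinbogo1 lists above (swdl.upd as an ISO 9660 image that in turn carries installer.iso, primary.iso and secondary.iso, one of which would not mount) can be read without mounting anything, by walking the same on-disk structures that `file` looks at when it prints the 'CDROM' volume label. The script below is an added example, not code from the thread or from the Uconnect software: a stdlib-only Python parser for the ISO 9660 primary volume descriptor and root directory (ECMA-119 sections 8.4 and 9.1), run against a small image it builds itself as a constructed stand-in. The three file names are the ones the thread reports; everything else about the sample image is assumed. It ignores Joliet and Rock Ridge extensions, so on a real image it lists the plain ISO-level names with their `;1` version suffix.

```python
"""Walk the root directory of an ISO 9660 image without mounting it.

Added example: builds a constructed image with three nested files, then
parses the primary volume descriptor and root directory back out of it.
"""
import struct

SECTOR = 2048      # ISO 9660 logical block size
PVD_LBA = 16       # volume descriptors start at logical block 16 (offset 0x8000)

# Constructed payloads standing in for the three nested images the thread names.
SAMPLE_FILES = {
    "INSTALLER.ISO;1": b"constructed installer.iso payload",
    "PRIMARY.ISO;1": b"constructed primary.iso payload",
    "SECONDARY.ISO;1": b"constructed secondary.iso payload",
}


def _both32(v):
    """ISO 9660 'both-byte order' 32-bit field: little-endian then big-endian copy."""
    return struct.pack("<I", v) + struct.pack(">I", v)


def _dir_record(ident, lba, size, is_dir):
    """Build one directory record (ECMA-119 9.1); total length is kept even."""
    body = (
        b"\x00"                             # extended attribute record length
        + _both32(lba)                      # location of extent
        + _both32(size)                     # data length
        + bytes(7)                          # recording date and time (zeroed)
        + (b"\x02" if is_dir else b"\x00")  # file flags, bit 1 = directory
        + b"\x00\x00"                       # file unit size, interleave gap size
        + b"\x01\x00\x00\x01"               # volume sequence number, both orders
        + bytes([len(ident)]) + ident       # identifier length and identifier
    )
    if (len(body) + 1) % 2:
        body += b"\x00"                     # padding byte to make the record even
    return bytes([len(body) + 1]) + body


def build_sample_iso():
    """Assemble a minimal, valid ISO 9660 image (constructed data, not a real update)."""
    root_lba = PVD_LBA + 2                  # PVD, set terminator, then the root directory
    entries = [_dir_record(b"\x00", root_lba, SECTOR, True),   # '.'
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # '..'
    payload, lba = b"", root_lba + 1
    for name, data in SAMPLE_FILES.items():
        entries.append(_dir_record(name.encode("ascii"), lba, len(data), False))
        payload += data.ljust(SECTOR, b"\x00")   # one block per file is enough here
        lba += 1
    root_dir = b"".join(entries).ljust(SECTOR, b"\x00")

    pvd = bytearray(SECTOR)
    pvd[0] = 1                                     # type 1 = primary volume descriptor
    pvd[1:6] = b"CD001"                            # standard identifier
    pvd[6] = 1                                     # descriptor version
    pvd[8:40] = b"LINUX".ljust(32)                 # system identifier
    pvd[40:72] = b"CDROM".ljust(32)                # volume identifier, what `file` prints
    pvd[80:88] = _both32(lba)                      # volume space size in blocks
    pvd[120:124] = b"\x01\x00\x00\x01"             # volume set size
    pvd[124:128] = b"\x01\x00\x00\x01"             # volume sequence number
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)           # root record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1  # volume descriptor set terminator
    return bytes(PVD_LBA * SECTOR) + bytes(pvd) + bytes(term) + root_dir + payload


def read_pvd(image):
    """Locate and validate the primary volume descriptor at logical block 16."""
    off = PVD_LBA * SECTOR
    pvd = image[off:off + SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at block 16")
    root = pvd[156:190]
    return {
        "volume_id": pvd[40:72].decode("ascii").strip(),
        "block_size": struct.unpack_from("<H", pvd, 128)[0],
        "root_lba": struct.unpack_from("<I", root, 2)[0],
        "root_size": struct.unpack_from("<I", root, 10)[0],
    }


def list_root(image):
    """Iterate the root directory extent and return its entries (skipping '.' and '..')."""
    pvd = read_pvd(image)
    bs = pvd["block_size"]
    start = pvd["root_lba"] * bs
    data = image[start:start + pvd["root_size"]]
    entries, pos = [], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:
            # Records never straddle a block; a zero length byte means the rest
            # of this block is padding, so continue at the next block.
            pos = (pos // bs + 1) * bs
            continue
        rec = data[pos:pos + rec_len]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):
            entries.append({
                "name": ident.decode("ascii"),
                "lba": struct.unpack_from("<I", rec, 2)[0],
                "size": struct.unpack_from("<I", rec, 10)[0],
                "is_dir": bool(rec[25] & 0x02),
            })
        pos += rec_len
    return entries


def extract(image, name):
    """Return the bytes of one root-level file by its ISO name, e.g. 'PRIMARY.ISO;1'."""
    bs = read_pvd(image)["block_size"]
    for entry in list_root(image):
        if entry["name"] == name:
            start = entry["lba"] * bs
            return image[start:start + entry["size"]]
    raise FileNotFoundError(name)


if __name__ == "__main__":
    img = build_sample_iso()
    print("volume:", read_pvd(img)["volume_id"])
    for e in list_root(img):
        print(f"{e['name']:<20} lba={e['lba']:<4} size={e['size']}")
    print(extract(img, "INSTALLER.ISO;1"))
```

To run it against a real update, replace `build_sample_iso()` with `open("swdl.upd", "rb").read()`; `extract()` then hands back installer.iso as bytes to write out and inspect with the same parser, which is the workaround when the kernel refuses to mount it.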
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
sofro1988 said:
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
I managed to connect with the Cisco adapter (USB/Ethernet), but I don't know the root password. Is the problem insurmountable at the moment?
Using a Cisco adapter, I have gotten the Ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected via telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to the Uconnect with the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks.
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you.
Hello,
Have you made any progress? I am a bit lost. I put the EU Uconnect MY15 into a US Dodge Charger MY16 and Perf Pages were working fine even on 16.16.13, but after the upgrade to 17.x (17.46.0.1 right now) I am running into the problem of an expired subscription (which is not possible to have on an EU radio).
I am considering basically three solutions:
a) going back to the US radio, but modifying the language pack/nav/FM frequencies (it is doable, but I do not know how, although I could pay for it for relatively less than the time invested)
b) downgrading to 16.16.13 - I have no clue how to do it; I tried to put swdl.upd with swdl.iso and installer.iso, with no luck of course.
c) taking the xlets from KIM2/ of 16.16.13 into KIM23 of the 17.46.0.1 secondary.iso - this is probably the preferred way, but I do not know how to make it pass ISO validation.
Of course root on Uconnect would be extremely nice to have, but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (which was running the 17.11.07 software that got pushed to me OTS style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion, by manually editing, hex editing, etc., but I always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading, the 17.x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward, as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out that I changed something, but nothing works.
I have even tried swapping the flash drives after validation, but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but I'm pretty sure they won't work, due to the 17.x security changes.
Any help would be greatly appreciated; I really don't want to shell out any cash for something a company told me to do, and due to their screw-up with bricking modems, this is now bricking my radio.
Thanks to all in advance!!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (which was running the 17.11.07 software that got pushed to me OTS style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
Just to follow up for anyone who reads this in the future.
I was able to get my Uconnect working again a few minutes ago.
As my previous post stated, I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in my previous comment.
I did the S Byte HEX mod to the swdl.iso file, and loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
http://illmatics.com/Remote%20Car%20Hacking.pdf
When I plugged it in, it started with the update process; after the first unit, the screen said the Uconnect had to restart, please wait.
And voila, my radio worked again!!! It even says it has the 18.45 firmware on it... go figure. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore; I almost had to buy a new radio.
I would say try it without, then with it if that doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try rather than paying 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I created an account just to reply to this, and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version, and nothing ever worked for me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. The dealership tried to charge me for a proxy alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA head unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1%, and would get a failed Sierra Wireless every time, and then got in that "bolo update failed" loop. Well, to fix it just now, all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, plug it in like normal, and BOOM, it ran the first step, restarted, and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it. I just used the 16.33.29 to bypass step 11, since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still has the wrong address, but I don't care about all that; just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day, because it took some deep research and hours upon hours of forum hopping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!