[TOOL] rkDumper (utility for backup firmware of RockChip's devices) - Upgrading, Modifying and Unlocking

rkDumper
Utility for backup firmware of RockChip's devices
Version 1.1.1.0 Windows
1. Makes a dump of the NAND by partitions according to the "parameter" information (RKFW/RKAF formats)
2. Creates config.cfg for RKAndroidTool (1.xx, 2.xx)
Notes:
1. All drivers must be installed
2. Administrator rights are required
Known bugs:
-
Old versions:
rkDumper_091.zip
rkDumper_092.zip
rkDumper_093.zip
rkDumper_094.zip
rkDumper_095.zip
rkDumper_100.zip
rkDumper_101.zip
rkDumper_102.zip
rkDumper_103.zip
rkDumper_104.zip
rkDumper_105.zip
rkDumper_106.zip
rkDumper_107.zip
rkDumper_108.zip
rkDumper_1.1.0.0.zip

Tested on:
WinXP (32), WinVista (32), Win7 (32/64), Win10 (64)
0bb4:2910 MSC device (USB debug off)
0bb4:0c02 MSC device (USB debug on)
2207:0000 MSC device (USB debug off)
2207:0010 MSC device (USB debug on)
2207:350A RK3566 x88 Pro
2207:330D RK3308/RK3326/RK3388/PX30 Evoo EV-A-81-8-1
2207:330C RK3399/PX6 CSA96
2207:330A RK3368/PX5 Artway X6/HCT MTCD (Car head unit) SOM
2207:320C RK3318/RK3328/PX4 A5X Plus mini
2207:320B RK3229 MXQ 4K
2207:320A RK3288 Jesurun T034
2207:310D RK3126 Proscan PLT9650G
2207:310C RK3128 CS918-rk3128
2207:310B RK3188/PX3 PIPO Max M9 Pro
2207:301A RK3036 Wecast E8
2207:300B RK3168 Starmobile Engage7+
2207:300A RK3066/PX2 UG802
2207:292C RK3026/RK3028 ONYX BOOX C67SML COLUMBUS/?
2207:292A RK2928 Lexibook Tablet Master 2
2207:290A RK2906 TeXeT TB-138
2207:281A RK2818 ChinaLeap M3
If you have another Rockchip SoC, send me the result of "rkDumper scan" and the name of the device. I'll send you a personal version for testing

rkDumper
Utility for backup firmware of RockChip's devices
New version (0.92 Windows) ready
! pre-Release #2;
~ "4GB" bug fixed;
+ support of "USB debug on" mode added;
+ support of RK3026 added;
+ support of RK2906 added;
+ support of VID=0bb4 (HTC? Rockchip devices) added.

Hello,
I have run your utility, but the file sizes of the output differ compared to when I use rktool 2.1 (with finless instructions).
Here's the scan:
Code:
C:\temp\1>rkDumper.exe scan
rkDumper (version 0.92)
Utility for Rockchip's firmware backup
(c) RedScorpio, Moscow, 2014
[email protected]
==========================[ START ]==========================
-- Devices emumerating --
Devices table (found 8 USB devices):
1 Device #0: USB Root Hub
2 Device #1: USB Root Hub
3 Device #2: USB Root Hub
4 Device #3: USB Root Hub
4.1 Device #4: BT-253
VID = 0x0b05, PID = 0xb700
5 Device #5: USB Root Hub
5.2 Device #6: USB Composite Device
VID = 0x2207, PID = 0x0010
Disk #1
5.8 Device #7: USB Composite Device
VID = 0x04f2, PID = 0xb071
==========================[ STOP ]==========================
Thank you.

nevoz said:
I have run your utility, but the file sizes of the output differ compared to when I use rktool 2.1 (with finless instructions).
Some types of files have their own length in the header. This information is used for cutting (real size, not whole partition)

Here's mine:
C:\RKDumper>rkdumper scan
rkDumper (version 0.92)
Utility for Rockchip's firmware backup
(c) RedScorpio, Moscow, 2014
[email protected]
==========================[ START ]==========================
-- Devices emumerating --
Devices table (found 7 USB devices):
1 Device #0: USB Root Hub
1.1 Device #1: USB Hub
VID = 0x8087, PID = 0x0024
1.1.1 Device #2: XBOX 360 Controller For Windows
VID = 0x045e, PID = 0x028e
1.1.2 Device #3: Rockusb Device
VID = 0x2207, PID = 0x300b
1.1.4 Device #4: USB Composite Device
VID = 0x09da, PID = 0x90a0
2 Device #5: USB Root Hub
2.1 Device #6: USB Hub
VID = 0x8087, PID = 0x0024
==========================[ STOP ]==========================

wertzPH said:
here's is mine
Please tell me the name of the device and the name of the SoC

RedScorpioXDA said:
Please tell me the name of the device and the name of SoC
Thanks for the reply
Starmobile Engage7+, it's advertised as RK3066 based on CPU-Z, but the loader is rk3168.

wertzPH said:
Starmobile Engage7+, its advertised as RK3066 based on cpu-z, but the loader is rk3168.
You can find a link to the personal version in "Private Messages". I'll wait for your report

rkDumper
Utility for backup firmware of RockChip's devices
New version (0.93 Windows) ready
! pre-Release #3;
+ support of RK3168 added;
+ administrator's rights checking added.

rkDumper (version 0.93)
Utility for Rockchip's firmware backup
(c) RedScorpio, Moscow, 2014
[email protected]
==========================[ START ]==========================
-- Devices enumerating --
Devices table (found 10 USB devices):
1 Device #0: USB Root Hub
1.1 Device #1: USB Composite Device
VID = 0x045e, PID = 0x00db
1.2 Device #2: USB Input Device
VID = 0x046d, PID = 0xc05a
2 Device #3: USB Root Hub
3 Device #4: USB Root Hub
3.5 Device #5: Rockusb Device
VID = 0x2207, PID = 0x292c
4 Device #6: USB Root Hub
5 Device #7: USB Root Hub
6 Device #8: USB Root Hub
7 Device #9: USB Root Hub
==========================[ STOP ]==========================
This is mine, and when I try to do "dump" I get:
rkDumper (version 0.93)
Utility for Rockchip's firmware backup
(c) RedScorpio, Moscow, 2014
[email protected]
==========================[ START ]==========================
--- Firmware dumping ---
The utility requires administrator rights
==========================[ STOP ]==========================
I am an administrator, and the device is an RK3026
Also, is there a way to dump the loader of these tablets?
Thanks

niabi said:
I am an administrator, and the device is a RK3026
Do you run the tool as administrator (Ctrl+Shift+Enter on the cmd line)? Try to use the /admin key
niabi said:
also, is there a way to dump the loader of these tablets?
No. But sometimes you can find the loader in the backup.img partition (use imgRePackerRK)

Kudos to RedScorpio!
Great work RedScorpio!
It has never been that easy to create a dump for Rockchip devices!
But I still see some room for improvements and also have some questions:
Can I create a full dump of a device including the user partition? I appreciate being able to create full dumps - so I can play with my devices, flash different firmwares and finally restore everything to the former state - in case it's not possible to create a full dump at the moment, it would be great if you could add it!
Another great addition would be if you could simplify the installation of the drivers in Windows 8.1 - please take a look at this post: http://forum.xda-developers.com/showpost.php?p=55529498&postcount=56
Basically Microsoft decided to change the behaviour of the USB stack in Windows 8.1 and so it's not possible to install the Rockchip driver that easily - you need to figure out 3 details of your device and create an exception rule in the Windows registry so your device is handled as it was with the previous USB stack.
To create this registry key you'll need VID, PID and REV from the USB device - maybe you could display REV as well in your output of 'scan'? (Windows Device Manager doesn't even display those details...)
Finally it would be great if you could create this registry key automatically (or with another command) in case you notice that the OS is Windows 8.1 and the device isn't recognized properly - in my case I get the following output when I connect my Rockchip device without the registry entry:
C:\Users\roland\Desktop\Rockchip Tools\rkDumper_093>rkDumper.exe scan
rkDumper (version 0.93)
Utility for Rockchip's firmware backup
(c) RedScorpio, Moscow, 2014
[email protected]
==========================[ START ]==========================
-- Devices enumerating --
Devices table (found 11 USB devices):
1 Device #0: USB Root Hub
1.1 Device #1: USB Hub
VID = 0x8087, PID = 0x8009
2 Device #2: USB Root Hub
2.4 Device #3: USB Hub
VID = 0x0424, PID = 0x2514
2.4.1 Device #4: USB-Eingabegerät
VID = 0x1bcf, PID = 0x0005
2.4.2 Device #5: USB-Verbundgerät
VID = 0x045e, PID = 0x00db
2.11 Device #6: Unbekanntes USB-Gerät (Fehler beim Anfordern einer Gerätebeschreibung.)
VID = 0x2207, PID = 0x290a
2.14 Device #7: USB-Verbundgerät
VID = 0x041e, PID = 0x30df
2.15 Device #8:
3 Device #9: USB Root Hub
3.1 Device #10: USB Hub
VID = 0x8087, PID = 0x8001
==========================[ STOP ]==========================
I've also attached my debug log so you can check how to identify a blocked device - the hardware ID is displayed as 'USB\DEVICE_DESCRIPTOR_FAILURE' in Device Manager in Windows.
After creating the registry key as explained in the linked post above everything is working fine in Windows 8.1, the drivers get installed and I can create a dump with your tool.
Finally, it would be great if you could add an automatic request for administrative permissions to your application - I think this would simplify the execution a little bit more.
Keep up the good work!

nalor said:
Can I create a full dump of a device including the user partition?
I still can't find a simple method of determining the full size of the NAND (it's needed to compute the user partition size)
nalor said:
To create this registry key you'll need VID, PID and REV from the usb device - maybe you can display REV also in your output of 'scan' ?
I have used USB_DEVICE_DESCRIPTOR for detecting VID and PID:
Code:
typedef struct _USB_DEVICE_DESCRIPTOR {
    UCHAR  bLength;
    UCHAR  bDescriptorType;
    USHORT bcdUSB;
    UCHAR  bDeviceClass;
    UCHAR  bDeviceSubClass;
    UCHAR  bDeviceProtocol;
    UCHAR  bMaxPacketSize0;
    USHORT idVendor;
    USHORT idProduct;
    USHORT bcdDevice;
    UCHAR  iManufacturer;
    UCHAR  iProduct;
    UCHAR  iSerialNumber;
    UCHAR  bNumConfigurations;
} USB_DEVICE_DESCRIPTOR, *PUSB_DEVICE_DESCRIPTOR;
So what is the revision in this structure?
nalor said:
Finally it would great if you could add an automatic request for administrative permissions in your application
Sorry, I'm not a programmer. I can't find an example for C (CodeBlocks + gcc)

RedScorpioXDA said:
So what is revision in this structure?
Solved. Revision detection will be added in the new version
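As an added example (not rkDumper's code): the "revision" nalor asks for is the bcdDevice field of the descriptor quoted above, which Windows renders as REV in the device's PnP hardware ID (USB\VID_xxxx&PID_xxxx&REV_xxxx), alongside VID and PID. The C below parses a raw 18-byte device descriptor as it arrives from the device (little-endian) and builds that ID; the descriptor bytes are constructed, with VID 0x2207 / PID 0x290A taken from the scan output in this thread and bcdDevice 0x0100 made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_DEVICE       0x01   /* bDescriptorType of a device descriptor */
#define USB_DT_DEVICE_SIZE  18     /* bLength of a device descriptor */

/* Host-side view of the 18-byte device descriptor: the same fields as the
   Windows USB_DEVICE_DESCRIPTOR quoted above, filled from the wire format. */
typedef struct {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdUSB;
    uint8_t  bDeviceClass;
    uint8_t  bDeviceSubClass;
    uint8_t  bDeviceProtocol;
    uint8_t  bMaxPacketSize0;
    uint16_t idVendor;
    uint16_t idProduct;
    uint16_t bcdDevice;          /* device release number in BCD: this is the "REV" */
    uint8_t  iManufacturer;
    uint8_t  iProduct;
    uint8_t  iSerialNumber;
    uint8_t  bNumConfigurations;
} usb_device_descriptor;

/* Constructed sample, not captured from a device: VID 0x2207 / PID 0x290A as in
   the scan output in this thread, bcdDevice 0x0100 (release 1.00) made up. */
static const uint8_t SAMPLE_DESCRIPTOR[USB_DT_DEVICE_SIZE] = {
    0x12, 0x01,             /* bLength = 18, bDescriptorType = DEVICE */
    0x00, 0x02,             /* bcdUSB = 0x0200 (USB 2.0) */
    0x00, 0x00, 0x00,       /* class / subclass / protocol (defined per interface) */
    0x40,                   /* bMaxPacketSize0 = 64 */
    0x07, 0x22,             /* idVendor  = 0x2207 (Rockchip) */
    0x0A, 0x29,             /* idProduct = 0x290A */
    0x00, 0x01,             /* bcdDevice = 0x0100 */
    0x01, 0x02, 0x03,       /* string indices: manufacturer, product, serial */
    0x01                    /* bNumConfigurations = 1 */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parses a raw device descriptor. Returns 0 on success, -1 if the buffer is too
   short or its length/type bytes do not describe a device descriptor. */
int parse_device_descriptor(const uint8_t *buf, size_t len, usb_device_descriptor *d)
{
    if (buf == NULL || d == NULL || len < USB_DT_DEVICE_SIZE)
        return -1;
    if (buf[0] != USB_DT_DEVICE_SIZE || buf[1] != USB_DT_DEVICE)
        return -1;

    d->bLength            = buf[0];
    d->bDescriptorType    = buf[1];
    d->bcdUSB             = le16(buf + 2);
    d->bDeviceClass       = buf[4];
    d->bDeviceSubClass    = buf[5];
    d->bDeviceProtocol    = buf[6];
    d->bMaxPacketSize0    = buf[7];
    d->idVendor           = le16(buf + 8);
    d->idProduct          = le16(buf + 10);
    d->bcdDevice          = le16(buf + 12);
    d->iManufacturer      = buf[14];
    d->iProduct           = buf[15];
    d->iSerialNumber      = buf[16];
    d->bNumConfigurations = buf[17];
    return 0;
}

/* Writes the PnP hardware ID Windows derives from these three fields,
   e.g. "USB\VID_2207&PID_290A&REV_0100". Returns its length, or -1 if out is too small. */
int usb_hardware_id(const usb_device_descriptor *d, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "USB\\VID_%04X&PID_%04X&REV_%04X",
                     (unsigned)d->idVendor, (unsigned)d->idProduct, (unsigned)d->bcdDevice);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Renders a BCD release number (bcdDevice or bcdUSB) as "major.minor", e.g. 0x0100 -> "1.00". */
int bcd_version(uint16_t bcd, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%X.%02X", (unsigned)(bcd >> 8), (unsigned)(bcd & 0xFF));
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    usb_device_descriptor d;
    char id[48], ver[8];

    if (parse_device_descriptor(SAMPLE_DESCRIPTOR, sizeof SAMPLE_DESCRIPTOR, &d) != 0) {
        fprintf(stderr, "not a device descriptor\n");
        return 1;
    }
    usb_hardware_id(&d, id, sizeof id);
    bcd_version(d.bcdDevice, ver, sizeof ver);
    printf("%s  (bcdDevice %s)\n", id, ver);
    return 0;
}
```

The REV_xxxx part is exactly the bcdDevice value in hex, so a device that bumps its firmware release number gets a new hardware ID even though VID and PID are unchanged.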

rkDumper
Utility for backup firmware of RockChip's devices
New version (0.94 Windows) ready
! pre-Release #4;
+ support of RK3288 added;
+ manifest file added;
+ detection of device revision added;
~ administrator's rights checking algorithm changed.

rkDumper
Utility for backup firmware of RockChip's devices
New version (0.95 Windows) ready
! pre-Release #5;
+ support of RK3128 added;
+ /user key added;
+ ROM size/vendor/ID determination added ("info" command);
~ bug of incorrect determination of disks in multi-CD systems fixed.

Just thank you !

rkDumper
Utility for backup firmware of RockChip's devices
New version (1.00 Windows) ready
! Release;
+ /incl key added;
+ /excl key added;
~ some algorithms improved.

Hello, one question: is it possible to use this tool with the Rockchip/Intel SoFIA platform? Thanks in advance


bad_pool_header crash with WM5 upgrade

I upgraded my XDA Exec with the new ROM 1.30.162 WWE and Activesync 4.1 but each time I sync, I get a "bad_pool_header" error on a blue background which crashes my machine.
I installed Activesync 4.1 on another laptop to check if this problem was due to drivers etc on my main laptop, and discovered that the device syncs with no problems. There is, therefore, a conflict between the new Activesync 4.1 or the new ROM, and something on my main laptop.
Has anyone come across this problem?
Thanks
The problem is definitely on your PC. Reinstall motherboard drivers, reflash bios, remove antivirus, reinstall windows, etc.
Thanks - pretty drastic...!
Is there a shortcut? i.e. reinstalling drivers one by one? If so, which are likely to be the main culprits? Motherboard? Broadband modem? etc.
The error code after reboot of the laptop is:
BC code 19 BCP1:00000020 BCP2: 89A76000 BCP3: 89A766C0 BCP4: 0AD8000
OS Ver 5_1_2600 SP: 2_0 Product 256_1
\WER22c7.dir00\Mini052506-06.dmp
\WER22c7.dir00\sysdata.xml
Does this reveal anything that could explain which driver?
Thanks
10860 said:
Does this reveal anything that could explain which driver?
no.
You should create a complete crash dump, and use microsoft debugging tools to find faulting driver. Or better reinstall windows.
I looked at the minidump file and used MS debugger, the readout is below. I am not sure if I did the debugging ok, or how to interpret it. Anything useful in the readout?
Thanks
Loading Dump File [C:\Mini052406-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Wed May 24 20:25:34.038 2006 (GMT+1)
System Uptime: 0 days 0:52:32.633
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
.......................................................................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 19, {20, 88187000, 881876c0, ad80000}
Probably caused by : Unknown_Image ( nt!KeBugCheck2+4d4 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 88187000, The pool entry we were looking for within the page.
Arg3: 881876c0, The next pool entry.
Arg4: 0ad80000, (reserved)
Debugging Details:
------------------
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 88187000
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 00000000 to 8053331e
STACK_TEXT:
f78cab74 00000000 00000000 00000000 00000000 nt!KeBugCheck2+0x4d4
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeBugCheck2+4d4
8053331e ?? ???
FAULTING_SOURCE_CODE:
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!KeBugCheck2+4d4
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: ZEROED_STACK
MODULE_NAME: Unknown_Module
Followup: MachineOwner
---------
Nothing useful, minidump does not have enough information
It is very difficult to debug pool corruptions.

[UTIL] QC Mobile Analysis Tool - Universal tool for QC mobile analysis (and HTC too)

QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers and cryptanalysts
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (bootloader f.e.)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
Functions for Network Engineers
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA Write functions
7. Read out / Write back Addressbook
8. Restore backed-up SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
Thanks, that's very useful. Keep up the good work!
Update : Version 3.51
---------------------
- Crypto Bugfixes solved
- Com Port Bugfixes solved
Added QMAT 3.51 manual to download page
Cya,
Viper BJK
Update : 3.52
-------------
What's new ?
1. Added SHA2 crypto search algos (SHA224 and SHA256)
2. Added SHA2 (SHA224 and SHA256) and MD5 hash generation
3. Some Bugfixes
4. HTC Security Generator for all newer HTC models (reverse genned) :
SPL and radio (works with Diamond !!)
Note : For Copy'n'Paste .. do not use MTTY, but Putty !!!
See new manual for further details ....
Enjoy !
Cya,
Viper BJK
nice one..!
Thanks
New version : 3.54
------------------
Updates :
- Added SHA-256 from HTC
- Improved RSA Decryption ... now more readable
- Added function to reverse byte strings for RSA Decryption
- Bugfixes
Cya,
Viper BJK
Update:
Small SHA2 bugfix
Good information. thanks
New version : 3.6
------------------
Updates :
- Added NBH Generator Tool
=> you can add any device to devlist.xml
=> you can sign rom files either using pvk file or using dummy signature
- Added NBH Dump Tool
=> Remove Signatures function or
=> Extract any part you wish or
=> Extract all files from nbh
=> Show infos about nbh file
=> Add new deviceparts (typeinfo) to nbhtype.xml
- Added publickeys as XML
=> add any public key to publickeys.xml
- Added tool to fix radio.nb checksum
Bugfixes :
- Fixed NBH Signature extraction
- Fixed RSA Function
For the design of NBH Tools, I was strictly influenced by Olipro's work
Cya,
Viper BJK
This is a real work....!!!!
thx for this great program
Update : 3.61
-------------
What is new ?
-------------
After being fed up with buggy Putty + Mtty, I implemented
HTC Bootloader AT Command Interface. (see picture below)
Also I was missing a good copy paste function for my hex editor.
Why wasn't it working before ?
=> HTC Bootloader isn't able to take more than one byte sent.
So :
- Implemented HTC Bootloader AT Command Tool (works also for other ones)
- Several severe bugfixes (like Display fixes)
- Fixed RSA Decryption bug (Pubkeys loaded incorrectly from xml)
What will be next ?
------------------
As I'm a Vista user (sic!) I also use the really old Activesync driver.
But this one lacks high-speed transfer, so I'm going to implement a solution
for newer HTC phones and newer OS, as Micros*** changed to WinUSB Interface (which is better imho than virtual com port).
So :
- Will implement REAL Usb interface, no virtual serial port use
Cya,
Viper BJK
Small update :
--------------
WinUSB is now fully implemented !
It really works like a charm, much faster than putty or mtty, and really stable.
mb command runs like hell
Even better, you can break off USB connection and continue seconds after reading out bytes .... this is big news
So ... Vista Users, use new WMDC drivers, forget about old activesync one.
And as for the XP users, download WinUSB runtimes now
Bad to say, but of course WinUSB won't work with old activesync.
I'm going to implement now a logfunction for binary data, so it can be used with pdump. Once I understand how "autodownload" works, I will implement it also so that my tool can replace mtty.
If there are any wishes what should be implemented, say so
Of course I will open source for WinUSB connection for those who want to port their tools.
Cya,
Viper BJK
Update 3.70
------------
What is new ?
--------------
- Big bugfixes
- Added new WinUSB and Serial Interface for HTC Bootloader (with binary log AND pdump support)
- Added partition tool to show MORE info
- Complete new Serial interface
- Added feature to use different bootloader commands for nand reading
- Added feature to read different sizes for nand reading
- Fixed radio.nb extraction
- Fixed radio.nb checksum calculation
- etc. ..... see Manual 3.7 for complete introduction
Cya,
Viper BJK
Update 3.71
------------
Sorry for that one ... WinUSB didn't work due to memory leak.
Fixed ....
Cya,
Viper BJK
Update 3.72
------------
What's new ?
-------------
- Included HTC Security Decoder in AT Command Interface
(easier to use)
- Fixed USB / SER Problems
- HTCE/HTCS were not displayed correctly
- Fixed Display Scroll Problems in AT Command Interface
Enjoy !
Cya,
Viper BJK
Update 3.73 *Speed release !*
------------
As someone really needed this func, the following was added :
- htc at command interface bytelog can now be any filename (select log file)
- You can send any data to encapsulate, for example you want to send bytes 0x00 0x01 0x02 and 0x03 .... enter "00010203", press encap button and
bytes will be send using correct HTC "HTCS....HTCE" encap
Cya,
Viper BJK
Update 3.74 *Special Edition for CMonex*
------------------------------------------
News :
- Added function to upload files in encapsulated header
- Bugfixes
Cya,
Viper BJK
News :
-------
3.74 has a lot of bugs in it, so sorry for that.
Download of my tool is atm not possible, I'm looking for another hoster.
New version 3.75 will be soon out, adding several bugfixes and nvitems support for HTC. Also, beginning with 3.75, my software will be shareware.
People that already donated 15 EUR will of course get source and registration key as usual for free.
Expect news soon.
Cya,
Viper BJK
ThanX Alot for this GREAT Tool !
Keep up your Good Work !
Is it possible to upload this tool on the board? I have forbidden access to the Google Code page ... :'(

Running Homebrew Native Executables - Status: DONE!!

[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Extended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such a certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On first boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74
If you are able to re-sign an executable that is already in the ROM, I would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round, which would be awesome.
regards
Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.
Thanks!
Decompiled taskhost.exe, so it gets easier for us to see if it's possible to make taskhost start another exe for us. Lots of code though (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
  a7 = sub_178E7(v10);
  if ( a7 >= 0 )
  {
    a7 = sub_180A5(v7, v7 + 64);
    if ( a7 >= 0 )
    {
      a7 = ThemeInitialize(v7 + 136);
      if ( a7 >= 0 )
      {
        v11 = sub_1862B(v13, v7);
        EnableHostAutoDehydration(v11 == 3);
        v16 = 0;
        a7 = InitializeEmClientEx(&a2, 0, &v16);
        if ( a7 >= 0 )
        {
          a7 = RegisterPausedHostCallback(sub_19D0D, 0);
          if ( a7 >= 0 )
          {
            a7 = RegisterResumingHostCallback(sub_19D31, 0);
            if ( a7 >= 0 )
            {
              if ( v11 != 3
                || (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
                && (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
              {
                a7 = RegisterExitHostCallback(sub_19D55, 0);
                if ( a7 >= 0 )
                  a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
              }
            }
          }
        }
      }
    }
  }
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
  int v4;   // [sp+0h]  [bp-38h]@1
  char Dst; // [sp+4h]  [bp-34h]@1
  int v6;   // [sp+8h]  [bp-30h]@1
  int v7;   // [sp+Ch]  [bp-2Ch]@1
  int v8;   // [sp+18h] [bp-20h]@1
  int v9;   // [sp+28h] [bp-10h]@1

  v4 = 0;
  memset(&Dst, 0, 0x34u);
  v8 = a3;
  v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
  v7 = (int)L"FMMain";
  v9 = 2;
  RunApplication(&v4);
  return dword_12034;
}
C++ converted
Code:
// Field names are guesses from the stack layout above (UNK_* = purpose unknown);
// the strings are wide (L"...") so the pointers are wchar_t*.
struct UIXApplicationInfo
{
    int            UNK_v4 = 0;
    char           Dst = 0;
    const wchar_t* uixFile;
    const wchar_t* uixEntryPoint;
    int            UNK_v8;
    int            UNK_v9 = 2;
};

UIXApplicationInfo app;
app.uixFile       = L"res://FlightModeUXDLL!FlightMode.uix";
app.uixEntryPoint = L"FMMain";
app.UNK_v8        = a3;   // third argument of the entry point
RunApplication(&app);
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
<nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.
Ciao,
Heathcliff74
The taskhost.exe is our RAM, because our app runs in it, giving us full RAM access inside our "virtual ram". So that means we own all strings, ints, floats etc. Then rewrite the RAM to change strings in mscorlib. The checksum of whether an exe has been modified is only checked at startup, without checking whether we modify the dll at runtime.
My purpose with this is that some functions call external apps, where we rewrite the args going into the function. Just find an exploitable function and modify it after the JIT has been there once before, generating the pre-RAM that we modify and call yet again, but with the modified RAM values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
fiinix said:
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Hmmm. 10 points for inventiveness. But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
"And you will still run under TaskHost with Least Privileges"
I know, I don't need standard rights to do it, because I call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
    string mscorlibStr = "you cant change my value ";
    Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in RAM and the function is still trusted code. But it's doing something totally different from what it would do.
fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit.
Ciao,
Heathcliff74
Currently installing "Windows Embedded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or whatever error it was).
Maybe ARMv7 isn't even backward compatible with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (I hope) generate a valid exe.
Thats it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
        EXPORT start
start
var_20  = -0x20
oldR4   = -0x1C
oldR5   = -0x18
oldR6   = -0x14
oldR7   = -0x10
oldR11  = -0xC
oldSP   = -8
oldLR   = -4
        MOV     R12, SP
        STMFD   SP!, {R4-R7,R11,R12,LR}
        ADD     R11, SP, #0x1C
        SUB     SP, SP, #4
        MOV     R4, R3
        MOV     R5, R2
        MOV     R6, R1
        MOV     R7, R0
        .
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
fiinix said:
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
IDA Pro, yes. I'll see if I can dump that "nbh" (used to nb0) and extract a fully operable exe that is not corrupted.
fiinix said:
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5   : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name   : C:\Users\Steven\Desktop\burn\main.exe
; Format      : Portable executable for ARMI (PE)
; Imagebase   : 10000
; Section 1. (virtual address 00001000)
; Virtual size                  : 00000018 (   24.)
; Section size in file          : 00000200 (  512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment     : default
; Processor       : ARM
; Target assembler: Generic assembler for ARM
; Byte sex        : Little endian
; Segment type: Pure code
        AREA .text, CODE, READWRITE, ALIGN=4
        ; ORG 0x11000
        CODE32
        EXPORT start
start
var_4   = -4
        SUB     SP, SP, #4
        MOV     R3, #1
        STR     R3, [SP,#4+var_4]
        LDR     R0, [SP,#4+var_4]
        ADD     SP, SP, #4
        BX      LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
**** so CLOSE!
Successfully copied "main.exe" and "ExeX.exe" to "\Windows", where I have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There ARE different things going on! Something is missing, but what?
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
I'll see if I can add it to the startup list, to see if it boots from there.
edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
        <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
        <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exist two types of talking to the LoadVerifier (the "This program is blocked by group policy." one):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we can't do (SHA1) (Nope, ain't gonna happen):
> We certainly don't have Microsoft's certificate, so this way is a no-go, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
The code (yes, I know it's super unoptimized, quickly put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
    .Where(x => x.Name.LocalName == "Rule")
    .Where(x => x.Attributes("ResourceIri").Count() > 0)
    .Where(x =>
    {
        var r = x.Attribute("ResourceIri").Value;
        return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
    })
    .Select(x =>
    {
        var v = x.Attribute("ResourceIri").Value;
        var l = v.LastIndexOf('/');
        return v.Substring(l + 1);
    })
    .Distinct()
    .OrderBy(x => x)
    .ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
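The PE Explorer fields compared above for main.exe (Machine, subsystem, OS/image/subsystem versions) are all in the COFF and PE32 optional headers, so they can be checked on any build without a GUI tool. As an added example, not code from the thread or from PE Explorer, here is a Python reader for those fields plus a triage check against the profile the post reports for its WinCE 7 build (an ARM-family Machine, WinCE GUI subsystem, version 7.0 or later). The sample image, the profile and the function names are constructed for this example.

```python
"""Read the PE header fields the thread compares between builds and triage them.

Added example; it is neither PE Explorer nor code from the thread. The sample image is constructed
inline (DOS stub + PE signature + COFF header + PE32 optional header, no sections) and the
"WP7 profile" used by triage() is an assumption taken from the values posted for main.exe.
"""
import struct

MACHINE_NAMES = {0x014C: "I386", 0x01C0: "ARM", 0x01C2: "THUMB", 0x01C4: "ARMNT"}
ARM_MACHINES = {0x01C0, 0x01C2, 0x01C4}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI", 9: "WinCE GUI"}
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9


def build_sample_pe(machine, subsystem, version=(7, 0), image_base=0x10000, entry=0x1000):
    """Constructed minimal PE32 image: enough header to exercise the parser, no section data."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)        # 64-byte DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x0102)
    maj, mnr = version
    optional = struct.pack(
        "<HBB9I6H4IHH6I",
        0x10B, 0, 0,                                               # Magic PE32, linker version
        0, 0, 0, entry, 0x1000, 0x2000, image_base, 0x1000, 0x200, # sizes, entry, bases, alignments
        maj, mnr, maj, mnr, maj, mnr,                              # OS / image / subsystem versions
        0, 0x3000, 0x400, 0,                                       # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        subsystem, 0,                                              # Subsystem, DllCharacteristics
        0, 0, 0, 0, 0, 0)                                          # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + optional


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B or opt_size < 72:
        raise ValueError("only PE32 optional headers are handled here")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    maj_os, min_os, maj_img, min_img, maj_sub, min_sub = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine_id": machine,
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04X}"),
        "sections": nsections,
        "entry_point": entry,
        "image_base": image_base,
        "os_version": (maj_os, min_os),
        "image_version": (maj_img, min_img),
        "subsystem_version": (maj_sub, min_sub),
        "subsystem_id": subsystem,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"0x{subsystem:04X}"),
    }


def triage(data: bytes) -> list:
    """Findings relative to the assumed WP7 profile (ARM family, WinCE GUI, subsystem >= 7.0)."""
    h = parse_pe_header(data)
    findings = []
    if h["machine_id"] not in ARM_MACHINES:
        findings.append(f"machine {h['machine']} is not an ARM-family image")
    if h["subsystem_id"] != IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:
        findings.append(f"subsystem {h['subsystem']} is not WinCE GUI")
    if h["subsystem_version"] < (7, 0):
        findings.append(f"subsystem version {h['subsystem_version']} is below 7.0")
    return findings


if __name__ == "__main__":
    image = build_sample_pe(0x01C2, IMAGE_SUBSYSTEM_WINDOWS_CE_GUI)   # same profile PE Explorer showed
    for key, value in parse_pe_header(image).items():
        print(f"{key:18}: {value}")
    print("findings:", triage(image) or "none")
```

Point parse_pe_header() at the bytes of a real build to compare its header with the one posted; triage() is deliberately limited to the three fields the thread found to matter and raises on non-PE32 input rather than guessing.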
@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two kinds of policy, exe-path and cert-hash, are the result of the difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call LoadLibrary() and CreateProcess() on them. Since they are only executable sections, they don't have a signature like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?). Other than that, there are a few signing certs that Microsoft has, signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much, I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember? And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went berserk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
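As an added example of the two rule kinds described in the reply above (exe-path rules that refer to rom-modules versus cert-hash rules that refer to Microsoft's signing certificates), here is a Python version of the policy audit that fiinix's LINQ query performs, extended to report both kinds and the authorization ids each rule grants. It is not code from the thread or from the device: the <Rule>/<Authorize>/<Match> shapes follow the fragments quoted earlier in the thread, while the <Policy> root element name, the $(CFGHOST_EXE_SID) account name and the sample rule set are constructed for this example.

```python
"""Audit a loader-verifier policy dump: which rules name an executable path (rom-module) and
which name a signing certificate hash, and what each grants.

Added example; not the thread's C# LINQ code. The <Policy> root element, the sample rules and
the $(CFGHOST_EXE_SID) name are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: three loader-verifier rules plus one unrelated rule that must be ignored.
SAMPLE_POLICY = """<Policy>
  <Rule Description="Route fieldtestapp.exe"
        ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
      <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
  </Rule>
  <Rule Description="Authorize cfghost.exe"
        ResourceIri="/LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
      <Match AccountId="$(CFGHOST_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
  </Rule>
  <Rule Description="Trusted signing certificate"
        ResourceIri="/LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
      <Match AccountId="$(SYSTEM_USER_NAME)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
  </Rule>
  <Rule Description="Unrelated" ResourceIri="/SOMEOTHERSUBSYSTEM/THING" SpeakerAccountId="$(SYSTEM_USER_NAME)">
    <Authorize><Match AccountId="$(SYSTEM_USER_NAME)" AuthorizationIds="ACCESS_READ" /></Authorize>
  </Rule>
</Policy>
"""


class PolicyEntry(NamedTuple):
    kind: str                   # "exe-path" (rom-module by path) or "cert-hash" (signing cert)
    name: str                   # last IRI segment: executable file name or SHA1 hex digest
    authorization_ids: frozenset


def classify_iri(iri: str) -> Optional[str]:
    """Same split as the LINQ query: loader-verifier rules only, certificates vs *.EXE paths."""
    if "LOADERVERIFIER" not in iri:
        return None
    if "/CERTIFICATES/" in iri.upper():
        return "cert-hash"
    if iri.upper().endswith(".EXE"):
        return "exe-path"
    return None


def policy_entries(xml_text: str) -> List[PolicyEntry]:
    """Every <Rule> with a loader-verifier ResourceIri, with the ids its <Match> elements grant."""
    root = ET.fromstring(xml_text)
    entries = []
    for rule in root.iter("Rule"):
        iri = rule.get("ResourceIri")
        if not iri:
            continue
        kind = classify_iri(iri)
        if kind is None:
            continue
        authz = set()
        for match in rule.iter("Match"):
            authz.update(a for a in match.get("AuthorizationIds", "").split(",") if a)
        entries.append(PolicyEntry(kind, iri.rsplit("/", 1)[-1], frozenset(authz)))
    return entries


def allowed_executables(xml_text: str) -> List[str]:
    """Sorted, de-duplicated executable names, the list the LINQ query produced."""
    return sorted({e.name for e in policy_entries(xml_text) if e.kind == "exe-path"})


def trusted_cert_hashes(xml_text: str) -> List[str]:
    """Sorted SHA1 digests of the certificates the policy trusts for signed files."""
    return sorted({e.name for e in policy_entries(xml_text) if e.kind == "cert-hash"})


def authorizations_for(xml_text: str, name: str) -> Dict[str, frozenset]:
    """Union of LV_ACCESS_* ids granted to `name`, keyed by rule kind (route + authz rules merge)."""
    granted: Dict[str, set] = {}
    for e in policy_entries(xml_text):
        if e.name == name:
            granted.setdefault(e.kind, set()).update(e.authorization_ids)
    return {kind: frozenset(ids) for kind, ids in granted.items()}


if __name__ == "__main__":
    print("exe-path rules :", allowed_executables(SAMPLE_POLICY))
    print("cert-hash rules:", trusted_cert_hashes(SAMPLE_POLICY))
    print("CFGHOST.EXE    :", authorizations_for(SAMPLE_POLICY, "CFGHOST.EXE"))
```

To run it over a dumped policy, replace SAMPLE_POLICY with the file contents; the two result lists together are the inventory the reply above describes, rom-modules by path and signed files by certificate digest.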
According to the policy on my Omnia (webserver dumped) there seem to exist two types of HDD, one ROM hard coded and one that points to the internal SD card. It seems that all exe and dll on the SD are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side I compile with both, to have more chance of getting it to work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text
XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us
Ciao,
Heathcliff74

Android port for Samsung WAVE3 (GT-S8600)

Hi all.
This thread only for developers! Only! No questions - when?!!!!!!!
This is my attempt at porting Android to the S8600.
I wrote a custom bootloader, emmcboot, based on the codeaurora LK bootloader.
The bootloader starts successfully, works, and tries to load the Android kernel from the internal
microSD card.
So far it is unsuccessful: after the message "Uncompressing Linux... done, booting the kernel." the device reboots or stops.
[370] Panel is power on
[370] Display initialized
[370] Display logo
[370] Waiting for modem+++
[370] Waiting for modem: Done
[370] smem ram ptable found: ver: 0 len: 6
[370] scratch: 0x8000000
[370] Starting in SD mode!
[370] SD_DETECT pin : 0x0
[380] Initializing MMC host data structure and clock!
[380] Error No. 2: Failure Initializing MMC Card!
[400] Decoded CID fields:
[400] Manufacturer ID: 27
[400] OEM ID: 0x5048
[400] Product Name: SD16G
[400] Product revision: 3.0
[400] Product serial number: 7C88FF04
[400] Manufacturing date: 2 2012
[410] Serial number -[410] serial number:
[410] partition misc doesn't exist
[410] error in emmc_recovery_init
[580]
kernel @ 208000 (4132528 bytes)
[580] ramdisk @ 1200000 (175204 bytes)
[580] cmdline = 'console=null androidboot.hardware=qcom user_debug=31'
[580]
Booting Linux
[580] smem ram ptable found: ver: 0 len: 6
[580] booting linux @ 0x208000, ramdisk @ 0x1200000 (175204)
[590] cmdline: console=null androidboot.hardware=qcom user_debug=31
Uncompressing Linux... done, booting the kernel.
source code for lk-bootloader for S8600:
https://github.com/Oleg-k/LK_BOOT_S8600
To build for S8600, type: "make -j4 s8600 EMMC_BOOT=1"
Also, I got a memory dump, stage: after loading oemsbl and before loading my bootloader.
As we see, oemsbl decompresses and loads apps_compressed.bin into memory,
starting at 0x200000.
https://www.dropbox.com/s/5wf6dp5gfgudkdc/MEM_DUMP_128MB.rar
And for understanding the boot process on MSM7x30, read this:
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess#BootProcess
Welcome back my friend ))
If you able to port,I 100% will buy S8600
Good Luck
I was actually going to ask you what happened to the Wave 3 port. Anyway, welcome back. But a question: why don't you help rebellos and volk with the Wave and Wave II porting, so the porting can be a bit better? Just my question. :good:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
CONFIG_DEBUG_LL
and
CONFIG_EARLY_PRINTK
plx <3
it's my current config for my kernel:
adfree said:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
No, there are no ELF files for S8600; I wrote a new bootloader to boot the Linux kernel.
Now I use JTAG, but if we find a way to encrypt my bootloader like appsboot.mbn, we will use the regular Multiloader.
So cool!
http://forum.xda-developers.com/showthread.php?t=1443575
Blowfish encryption
Maybe PlatformDownloader_S8600_KI5.exe maybe have unsecured Boot...
But I can't flash nor I have connected my S8600 with RIFF...
TPs seems to small for my big Fingers...
Best Regards
oleg_k said:
it's my current config for my kernel:
Thanks. I'd check debug macros and debug UART configuration. There are a few UART ports in it, and maybe the kernel is printing to the wrong one... though this wouldn't explain why the kernel unpacker is printing something (Uncompressing and booting comes already from zImage); this would indicate that the debug port number is correct. Are you sure that the kernel and ATAGs location is correct, and RAM is set up properly by LK? Maybe something bad happens when the kernel proceeds to enabling MMU and caches... I'm pretty clueless. :<
I collected some links I found useful in this article: http://xda-university.com/as-a-developer/porting-android-to-non-android-devices
Especially interesting for you might be last link in "Custom bootloader" section.
No, don't ELF files for S8600, i wrote new bootloader for boot linux kernel.
Now i use JTAG, but if we find a way to cript my bootloader,like appsboot.mbn,we will use regular multiloader
For S8500 I found way to write direct into OneNAND at:
Code:
0x0010 0001
No need to encrypt something...
With Multiloader... choose ETC.
http://forum.xda-developers.com/showpost.php?p=37229969&postcount=37
S8600 not tested...
This is far far away from perfect... but maybe helpfull.
Need someone who is able to remove restriction from ML to use lower adresses then 0x10000...
I was only able to change text strings... in ML...
Best Regards
On first page i posted bootloader source and memory dump, stage - after load oemsbl and before loading my bootloader.
To Adfree,
S8600 doesn't use OneNAND; it uses eMMC flash memory (like an SD card).
Today I've found S8600XXKI9.zip
I have forgotten this Firmware... but I have now short compared with Bootfiles from XXKJC... BIG differences... So I think this should be nearly identical with PlatformDownloader_S8600_KI5.exe
Still unsolved to decrypt or extract content of:
PlatformDownloader_S8600_KI5.exe
and
PlatformDownloader_S8600_KJ7.exe
Best Regards
Not my S8600... but user tried PlatformDownloader_S8600_KJ7.exe
It seems it was wrong Partition Table aka partition.bin...
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[1.1s]
OemSbl 1757.7KB OK[1.8s]
ERR : NAK_FLASH_ERROR 0
Error : partition Write [0.2s]
ERR : NAK_FLASH_ERROR 0
Download Start Ch[0]
Amss 16654.3KB OK[15.6s]
Apps 29622.3KB OK[54.1s]
_Open_Europe_Common 40370.2KB OK[73.5s]
(Low) 2980.3KB OK[1.9s]
ERR : NAK_INVALID_CONTENT 0
ERR : _Open_Europe_Common Erase
Now S8600 ask for QHSUSB_DLOAD
My first idea is Qualcomm QPST now...
Or maybe if Driver used, then Multiloader will work again... for second attempt..
Found only 64 Bit Driver yet... not tested nor Thread... only attachment...
http://forum.xda-developers.com/attachment.php?attachmentid=631288&d=1308601930
Will check also QPST to check what is needed...
Best Regards
Edit 1.
More Driver...
http://forum.xda-developers.com/showpost.php?p=21911621&postcount=2
Okay...
It seems for QPST fsbl.mbn is missing...
I can remember from old MSM6250 handsets it is mandatory to have all files for QPST... because otherwise you need JTAG...
Important...
Qualcomm not use Encryption for QPST files...
This is Samsung thingie + "end.bin" last 1024 Byte...
So decrypt all Bootfiles and cut last 1024 Byte...
For fsbl.mbn I will check JTAG dump from S8600...
Best Regards
Edit 1.
http://forum.xda-developers.com/showthread.php?t=1367055
downgrade_WM6_boot.zip contain fsbl.mbn ... maybe as example...
http://forum.gsmhosting.com/vbb/f634/htc-desire-s-qhsusb_dload-driver-1436354/
Found this...
Here is also fsbl.mbn maybe not available... or...
But maybe if we can attach such S8600 we can see few infos...
Best Regards
Edit 1.
About QPST Version contain this eMMC...
Code:
4. RELEASE NOTES
...
10/27/11 QPST 2.7.378
1) Add support for QSC11x5 CDMA only (4073) and CDMA+GSM (4074).
2) Fix problem with eMMC Software Download not correctly patching addresses > 8 GB.
10/13/11 QPST 2.7.377
1) Fix crash when QPSTServer.config are NULs (bad format).
2) Add model ID 4072 = "APQ8064". Apps processor only, no service programming.
3) Change flash programmer name from nprg9615.hex to nprg9x15.hex.
4) Add emergency download support for user partitions.
5) Fix case where user partition download fails if the flash programmer is on a file share.
6) Fix error case when add port is used but no port is specified.
7) Fix case where restoring an EFS file doesn't work if the file was modified by QXDM.
8) In Service Programming BC SMS fix case where if user enters 32 as the service type it get written to NV as 4096.
9) Fix case where a phone will stay in "no phone" state if the phone takes > 20 seconds to reboot.
10) Take care of cases in eMMC Software Download where we try to lock the disk volume but the drive letter isn't available.
11) Fix "server busy" issue when a device connects but it's modem isn't running.
12) Insert more status message in Memory Debug app so that we can see why fast unframed dump failed.
8/17/11 QPST 2.7.375
1) Add support for MDM9615 (model 4070). Rename model 4068 to 7627A-ANDROID from SURF7627A.
Add model 4071 (7627A-WinMob). Add 1x/UMTS service programming to 4068 and 4071.
2) eMMC Software Download: Don't try to lock volume if drive letter not present.
Devices that use GPT will not mount and get a drive letter assigned.
7/22/11 QPST 2.7.374
1) Added missing file to installer to fix Service Programming problem in 2.7.373.
2) For eMMC Software Download, abort the download if a sparse="true" directive is present.
Sparse files cannot be downloaded with QPST, only with fastboot.
3) Began the process of moving QPST application and server settings from registry to
configuration files.
4) Added more error checking to EFS Explorer file drop code.
7/5/11 QPST 2.7.373
1) Add support for SURF8960 model ID 4069.
2) Fix issue with Port Enable/Disable for IP Ports.
3) NAND Software Download: Correct flash programmer descriptions for 7225A, 7625A, 7227A, and 7627A.
4) Roaming List Editor: Added two new bands LTE 24 and LTE 25.
5) eMMC Software Download:
- Fix problem where some file names print as "(null)".
- Add support for Meta Build contents.xml file ("Build Contents"). The contents file will provide the path for the
rawprogram and patch files, extra search paths, and names of flash programmer and boot image files.
- Ignore unexpected elements in schema.
- Support zeroout directive to zero parts of partitions.
- Allow usage by app of "orderly" as well as surprise removal storage devices.
- Add support for computations in the <patch> (CRC32 for GPT support), <program>, and <zeroout> directives.
6) EfsExplorer:
- Enable reset button in Efs Explorer even if target not in offline mode.
- More text description in Mode column for Efs Explorer
- Modify the list context menu of Efs-Explorer.
- If the proposed item file size copy is > 2048 bytes, warn the user and bail out.
...
Adfree,
link pls for founded S8600XXKI9.zip
link pls for founded S8600XXKI9.zip
http://hotfile.com/dl/145796951/79ecec6/S8600XXKI9.zip.html?lang=de
Try this. If not then I search again...
About fsbl.mbn...
I have searched for fsbl_hw.c string in 4 GB JTAG dump SAMSUNG_GTS8600_FullFlash.bin...
Can not find so I think fsbl is not or in other area...
About your Memory Dump FROM_MEM_0_128MB.bin
I am not 100 % sure but maybe read problems...
Short tried to extract Cert, but string Qualcomm is not written correct...
Q5alcomm1
qualcoem.com
Best Regards
I try to read again memory dump )
thanks for links...
Also,
I found that Samsung used the OKL4 Microkernel 3.0 (maybe 4.0)
http://wiki.ok-labs.com/Release/3.0
About ver 4.0 --
The OKL4 Microvisor is designed from the ground up as a high-performance mobile virtualization platform. It is a microkernel-based embedded hypervisor - called a Microvisor, with a small footprint and the right combination of performance and hardware support to target mobile telephony use. The OKL4 Microvisor 4.0 is distinguished by supporting mobile virtualization, componentization, and security, enabling a new generation of applications and capabilities with impact across the mobile ecosystem.
OKL4(with Qualcomm RTOS) also used in modem AMSS
http://forum.xda-developers.com/showthread.php?t=1829915
Need overview/list with Firmware packages with Bootfiles included...
Here this is what I have...
Later I will compare if difference...
Code:
XXKI9
XXKJC
S8600BOKJ1_TPLKJ1.rar
S8600BOKK6_S8500TPLKK7_T-Mobile.rar
S8600JPKK2_S8500OJPKK2_OJP.rar
S8600ZCLA1.7z
S8600NAKL1_S8600EPLKL1
Best Regards

[FAQ] Asus T100: Installing custom OS (android/ubuntu/*nix/Windows 7/Windows 8 x64)

[4 April 2014]I haven't had time to play with my device or update fully the info in this post
Jhong2 has an updated post on how to get ubuntu working on the Asus T100
http://forum.xda-developers.com/showpost.php?p=51291244&postcount=181
http://www.jfwhome.com/2014/03/07/perfect-ubuntu-or-other-linux-on-the-asus-transformer-book-t100/
(do search for the specific topic headers to jump to them)
Post 1: Global Info
UEFI:
Bootloader auto-detection path:
Secure Boot
Partition Table for Live USB sticks:
How to boot from USB stick
Info for various operating systems:
Hardware info:
/cpu/cpuinfo:
Post 2: <backup/ archived information>
Post 3: Files
grub2 2.00-13ubuntu3 (13.04 raring sources) compiled for grub-efi-ia32 (x86) - bootia32
---------------------------------------------------------------------------------------
Global information
for BIOS 214 (2013.09.25), version loaded on retail T100 units
UEFI:
Bootloader auto-detection path:
(bootloader is only 32-bit compatible)
/efi/BOOT/bootia32.efi
WILL NOT pick up the x64 location /efi/BOOT/bootx64.efi
Secure Boot
You should disable Secure Boot in UEFI/Setup-Utility-Menu -> Security tab -> Secure Boot Menu -> Disable
Partition Table for Live USB sticks:
GPT or MBR works
Use Rufus (works for Windows/Unix ISOs) or Windows 7 USB Download Tool (works for Windows 7 / Windows 8)
How to boot from USB stick
NOTE:
If you don't see the USB drive on the boot list or the UEFI/Setup-utility, this means you have a badly prepped USB live drive, or the boot-list/UEFI/Setup-utility was loaded before the USB drive was read.
If you are on the boot list, boot into UEFI/Setup-utility. Then, go to the last tab, save changes and restart while holding F2 (to force the next reboot to go back into UEFI/Setup-utility). If you still don't see the USB drive after doing this multiple times, then you have a badly prepped USB drive.
I find using Rufus (GPT for UEFI + FAT + 64 kb+ bootable disk using ISO Image) to consistently get a working bootable USB drive
Option 1a) Boot to UEFI USB drive from Windows (works only if your USB is correctly prepped)
Boot into Windows
Swipe from right, click on settings.
Click on Power. Press and hold the shift key, and then click on Restart
A Blue menu should show up. Click on Use a device->click on the device name (might not show up if USB isn't prepped properly)
Device should reboot into the USB
Option 1b) Boot to UEFI/Setup-Utility-menu from Windows (easiest, and almost no way to screw it up)
Boot into Windows
Swipe from right, click on settings.
Click on Power. Press and hold the shift key, and then click on Restart
A Blue menu should show up. Click on Troubleshoot-> Advanced Options-> UEFI Firmware Settings
Inside UEFI/Setup-Utility-menu, go to the last tab, and select the USB Drive
NOTE:
For options 2a and 2b, if you see the ASUS logo and circle loading icon, you either:
Pressed button (ESCAPE/F2) too late. Solution: Reboot and try again
Have Fast startup enabled, and did the steps with the device in shutdown mode. Windows will cache the kernel/other stuff, and you might not be able to get to UEFI. Solution: Reboot from Windows and try again(reboot does not trigger caching). Or disable Fast Startup
Option 2a) Boot to UEFI/Setup-Utility-menu
Inside Windows, restart system. Press and hold the F2 key
You should get into the Aptio Setup Utility screen
Inside UEFI/Setup-Utility-menu, go to the last tab, and select the USB Drive
Option 2b) Boot Menu
Inside Windows, restart system. When screen goes blank, press and hold the ESCAPE key (if you press it too early, Windows might interpret you as cancelling the restart process)
You should get a list of bootable devices
If you see the ASUS logo, you've pressed the ESCAPE key too late. Restart and retry
Info for various operating systems:
You should backup the recovery partition to a separate USB key. Alternatively, you can do it with this ASUS utility Backtracker that HatesForums pointed me to
Windows:
Windows 8.1
x86: (Status: Works but missing drivers)
Used Windows 7 USB Download Tool or Rufus to create bootable USB. Using en_windows_8_1_x86_dvd_2707392 from MSDN (x86 8.1 Regular & Pro ISO), able to install W8.1 x86 and boot to it (missing a few drivers, eg touch screen doesn't work, no sound). Windows is automatically activated without need for key. First boot had 25.7GB free out of 33.6GB.
x64: (Status: Not yet working)
Used Windows 7 USB Download Tool or Rufus to create bootable USB. ISO does not contain bootia32.efi. Copied that file from the x86 ISO to USB, able to boot, but the installer complains that the processor isn't 64-bit compatible
Windows 7
x86: (Status: unknown)
ISO does not contain efi
x64: (Status: unknown)
ISO only contains x64 efi
Unix:
Ubuntu:
You need an EFI-compatible distro. For ubuntu, x64 EFI is enabled since 12.04-2. However, we'll need to include x86 EFI because our bootloader only reads x86 EFIs
13.04 x64 desktop- (Status: boots to GUI using fbdev)
Used Rufus(GPT for UEFI + FAT + 64 kb+ raring x64 as bootable disk using ISO Image) to create bootable USB. Copied over the bootia32 to /efi/boot/
there is a bug in VESA where it queries for a BIOS-only command and crashes. Forcing xserver to use fbdev fixes this problem
13.10 x64 desktop- (Status: boots to GUI using fbdev)
Same problems as 13.04 x64 plus one additional efifb problem
see post for more details - touchscreen works, but no wifi
Android:
android-ia - (Status: No x86 UEFI bootloader)
Generic UEFI Installer android-4.2.2_r1-ia3 does not come with an x86 UEFI bootloader. It does not use grub, so we can't just use ubuntu's x86 grub2 efi. Need to compile it from source
android-x86 - (Status: Bootable but slow)
Uses grub, can piggy-back on the ubuntu x64 13.10 bootia32.efi grub. Some workarounds needed, see this post
external/efitools/Android.mk
Code:
# TODO: support ia32 prebuilt
ifeq ($(TARGET_KERNEL_ARCH),x86_64)
arch_name := x86_64
/cpu/cpuinfo:
taken from an x64 13.04 live USB
Code:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 55
model name : Intel(R) Atom(TM) CPU Z3740 @ 1.33GHz
stepping : 3
microcode : 0x312
cpu MHz : 1333.387
cache size : 1024 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 11
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes rdrand lahf_lm 3dnowprefetch ida arat epb dtherm tpr_shadow vnmi flexpriority ept vpid tsc_adjust smep erms
bogomips : 2666.77
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:
(processors 1-3 report identical values apart from their topology fields: processor 1 has core id 1 and apicid/initial apicid 2; processor 2 has core id 2 and apicid/initial apicid 4; processor 3 has core id 3 and apicid/initial apicid 6)
Hardware info:
The microUSB slot is USB-HOST-capable (i.e. with a USB OTG cable or Y cable, you can connect a USB flash drive to the microUSB slot)
Amazon.de and Asus.de posted a T100 version with 500GB drive on the keyboard base. No pictures yet
Internal eMMC, 108MB/s 44MB/s read/write on sequential. CrystalDiskMark here
External microSD(HC/XC) reader is NOT UHS-1 compatible. Someone over at liliputing comments posted his atto benchmark
64GB Samsung microSDXC card came in the mail today, I did some ATTO disk tests using the T100's built-in microSD reader and a USB 3.0 reader from Transcend.
Unfortunately, it looks like the built-in reader is connected via USB 2.0. It maxed out at 23.8 MB/s read and 17.2 MB/s write, while the USB 3.0 reader maxed out at 71.3 MB/s read and 21.3 MB/s write. The card is rated at 70 MB/s read and 20 MB/s write.
<backup/ archived information>
Files:
grub2 2.00-13ubuntu3 (13.04 raring sources) compiled for grub-efi-ia32 (x86) - bootia32
LINK | MIRROR | Instructions on compiling from source
<reserved 3>
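The auto-detection rule above (the firmware only tries /efi/BOOT/bootia32.efi, while x64 ISOs ship only bootx64.efi) can be checked before rebooting. This is an added Python example, not code from the original post: it reads the PE machine field of each loader under EFI/BOOT, so a stick missing bootia32.efi, or one where a 64-bit loader was renamed to bootia32.efi, is reported; the stub PE files it builds are constructed test input.

```python
"""Check a prepared live-USB root for the loader a 32-bit-only UEFI will look for."""
import os
import struct
from typing import Dict, Optional

# PE COFF machine identifiers (IMAGE_FILE_MACHINE_*)
PE_MACHINE_I386 = 0x014C
PE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {PE_MACHINE_I386: "ia32", PE_MACHINE_AMD64: "x64"}


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF machine field of a PE image, or None if data is not PE.

    Only the head of the file is needed: the MZ stub stores the PE header
    offset at 0x3C, and the machine field follows the 4-byte "PE\\0\\0" signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, pe_off + 4)[0]


def make_stub_pe(machine: int) -> bytes:
    """Constructed test input: a minimal MZ stub, PE signature and COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def check_efi_listing(files: Dict[str, bytes]) -> dict:
    """Evaluate a drive listing {relative path: head of file} for a 32-bit-only firmware.

    Path matching is case-insensitive because the stick is FAT-formatted.
    """
    report = {"bootia32": None, "bootx64": None, "firmware_can_boot": False, "problems": []}
    for path, data in files.items():
        parts = path.replace("\\", "/").lower().split("/")
        if len(parts) != 3 or parts[:2] != ["efi", "boot"]:
            continue
        name = parts[2]
        if name not in ("bootia32.efi", "bootx64.efi"):
            continue
        report[name[:-4]] = MACHINE_NAMES.get(pe_machine(data), "unknown")
    if report["bootia32"] is None:
        report["problems"].append(
            "no EFI/BOOT/bootia32.efi: the firmware will not fall back to bootx64.efi")
    elif report["bootia32"] != "ia32":
        report["problems"].append(
            "EFI/BOOT/bootia32.efi is not an IA32 PE image (wrong file copied?)")
    else:
        report["firmware_can_boot"] = True
    return report


def check_efi_boot_dir(root: str) -> dict:
    """Walk a mounted stick and feed the heads of its EFI/BOOT files to check_efi_listing."""
    listing: Dict[str, bytes] = {}
    prefix = os.path.join("efi", "boot").lower()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel.lower().startswith(prefix):
                with open(full, "rb") as f:
                    listing[rel.replace(os.sep, "/")] = f.read(4096)
    return check_efi_listing(listing)


if __name__ == "__main__":
    import sys
    print(check_efi_boot_dir(sys.argv[1] if len(sys.argv) > 1 else "."))
```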
paperWastage said:
ISO does not contain bootia32.efi. Copied that file from the x86 ISO, able to boot, but the installer complains that the processor isn't 64-bit compatible
odd: http://ark.intel.com/products/76759/
shouldn't be erroring about 64 bit, unless the 8.1 installer is checking the CPU ID, isn't recognising it (no idea why) and then presuming a lack of 64 bit support.
SixSixSevenSeven said:
odd: http://ark.intel.com/products/76759/
shouldn't be erroring about 64 bit, unless the 8.1 installer is checking the CPU ID, isn't recognising it (no idea why) and then presuming a lack of 64 bit support.
Perhaps the 32bit bootloader sends that the device is only booting in 32bit.
Seeing that I can boot to Ubuntu x64, the chip should be 64bit like how the Intel ark site says. I'll check the cpuinfo in Ubuntu to see what extensions it supports
Will also try to download WinPE and get the efi bootloader from there instead. Windows 7 x64 has efi x64 bootloader, but x86 doesn't have any efi bootloader
Compiling grub2-efi-ia32 (x86)
NOTE:
The instructions below are for raring 12.04.
The same instructions should work for other versions/sources/distros of grub2 as well.
The resulting binary should work with any *nix distros that use grub2
The resulting bootia32.efi should be placed on your USB drive at /EFI/BOOT/bootia32.efi
The grub-mkimage instruction basically packages the grub-efi AND the *.mod you specified into that bootia32.efi. You may need to tweak the list of *.mod that you include. You don't need to copy the *.mod onto the USB drive
-p /boot/grub tells grub-efi to look for the grub.cfg at /boot/grub/grub.conf (location that ubuntu uses). Other distros may use a different location.
Either recompile grub2-efi-ia32 with the right "-p" flag
Or copy your distro's grub.conf to /boot/grub/grub.cfg
Download grub2 sources for raring
https://launchpad.net/ubuntu/+source/grub2/2.00-13ubuntu3
Code:
apt-get install gcc bison flex
./configure --with-platform=efi --target=i386
make
# make GRUB EFI binary and mods
cd grub-core
../grub-mkimage -d . -o bootia32.efi -O i386-efi -p /boot/grub ntfs hfs appleldr boot cat efi_gop efi_uga elf fat hfsplus iso9660 linux keylayouts memdisk minicmd part_apple ext2 extcmd xfs xnu part_bsd part_gpt search search_fs_file chain btrfs loadbios loadenv lvm minix minix2 reiserfs memrw mmap msdospart scsi loopback
# copy the result to the fallback loader path the firmware looks for
cp bootia32.efi <USB DRIVE>/EFI/BOOT/bootia32.efi
# might be missing some modules... but if I try to include all *.mod, I get an invalid stack frame during grub boot
Files:
grub2 2.00-13ubuntu3 (13.04 raring sources) compiled for grub-efi-ia32 (x86) - bootia32
LINK | MIRROR | Instructions on compiling from source
tried using that bootia32.efi to load Ubuntu 13.10 x64 ... (13.10 & 13.04 seem to use the same grub2-2.00 sources)
the grub menu shows up, but after selecting "Try Ubuntu", it flashes, menu continues showing up, nothing happens
then my Windows 8.1 OS got corrupted or something.... either boots to Windows message "Windows unable to start up properly", or it boots to login screen, then the screen goes haywire and popup boxes saying "illegal exception" or something
going to reinstall W8.1 x86 cleanly from a MSDN ISO/USB flash drive
got the logs from the semi-successful 13.04 x64 boot... will look through them and post them soon
ubuntu x64 13.04, debugging x-server issues
Code:
[ 36.591] (II) Loading /usr/lib/xorg/modules/drivers/fbdev_drv.so
[ 36.597] (II) Module fbdev: vendor="X.Org Foundation"
[ 36.597] compiled for 1.12.99.902, module version = 0.4.3
[ 36.597] Module class: X.Org Video Driver
[ 36.597] ABI class: X.Org Video Driver, version 13.0
[ 36.597] (II) intel: Driver for Intel Integrated Graphics Chipsets: i810,
i810-dc100, i810e, i815, i830M, 845G, 854, 852GM/855GM, 865G, 915G,
E7221 (i915), 915GM, 945G, 945GM, 945GME, Pineview GM, Pineview G,
965G, G35, 965Q, 946GZ, 965GM, 965GME/GLE, G33, Q35, Q33, GM45,
4 Series, G45/G43, Q45/Q43, G41, B43, B43, Clarkdale, Arrandale,
Sandybridge Desktop (GT1), Sandybridge Desktop (GT2),
Sandybridge Desktop (GT2+), Sandybridge Mobile (GT1),
Sandybridge Mobile (GT2), Sandybridge Mobile (GT2+),
Sandybridge Server, Ivybridge Mobile (GT1), Ivybridge Mobile (GT2),
Ivybridge Desktop (GT1), Ivybridge Desktop (GT2), Ivybridge Server,
Ivybridge Server (GT2), Haswell Desktop (GT1), Haswell Desktop (GT2),
Haswell Desktop (GT2+), Haswell Mobile (GT1), Haswell Mobile (GT2),
Haswell Mobile (GT2+), Haswell Server (GT1), Haswell Server (GT2),
Haswell Server (GT2+), Haswell SDV Desktop (GT1),
Haswell SDV Desktop (GT2), Haswell SDV Desktop (GT2+),
Haswell SDV Mobile (GT1), Haswell SDV Mobile (GT2),
Haswell SDV Mobile (GT2+), Haswell SDV Server (GT1),
Haswell SDV Server (GT2), Haswell SDV Server (GT2+),
Haswell ULT Desktop (GT1), Haswell ULT Desktop (GT2),
Haswell ULT Desktop (GT2+), Haswell ULT Mobile (GT1),
Haswell ULT Mobile (GT2), Haswell ULT Mobile (GT2+),
Haswell ULT Server (GT1), Haswell ULT Server (GT2),
Haswell ULT Server (GT2+), Haswell CRW Desktop (GT1),
Haswell CRW Desktop (GT2), Haswell CRW Desktop (GT2+),
Haswell CRW Mobile (GT1), Haswell CRW Mobile (GT2),
Haswell CRW Mobile (GT2+), Haswell CRW Server (GT1),
Haswell CRW Server (GT2), Haswell CRW Server (GT2+),
ValleyView PO board
...
[ 36.762] (II) VESA(0): initializing int10
[ 36.763] (EE) VESA(0): V_BIOS address 0x0 out of range
from http://www.redhat.com/archives/rhl-devel-list/2009-December/msg00372.html
looks like 13.04 is able to recognize and load the necessary drivers, but crashes because our UEFI-only computer doesn't have a BIOS portion... or maybe 13.04 is using older stuff
EDIT: or does that error even matter? trying to force x to configure itself
EDIT2: it matters because VESA is configured to be the default/fallback driver. With the V_BIOS issue, it won't work. Tried to force it to use fbdev driver, but no luck (it loads, but nothing shows up)
I deleted the vesa_drv.so from /usr/lib/xorg/modules/drivers/ , forced it to start using fbdev... works, very slowly of course
will try the intel driver later
(it's definitely the vesa BIOS bug that's stopping it from working on 13.04... will debug 13.10 later)
<instructions below should be complete>
got ubuntu 13.10 to boot to command prompt (with bootia32.efi and grub.cfg fixes below)
Rufus (GPT for UEFI + FAT + 64 kb+ 13.10 desktop x64 as bootable disk using ISO Image)
Note:
Good behavior:
After you select "Try Ubuntu" in grub, screen goes to blank, (?might appear as well) usb light disappears... wait < 30s, the screen should then show the logs and then cmd line)
Bad Behavior:
After you select "Try Ubuntu" in grub, screen goes to blank, then the grub menu reappears (but nothing happens when you press arrow keys). (?might appear as well) usb light stays lighted. if you wait >5 minutes, nothing happens. just force reboot machine (hold power button), and reboot into windows, then UEFI and try again
/boot/grub/grub.cfg - replace with the text below
Code:
if loadfont /boot/grub/font.pf2 ; then
insmod efi_gop
insmod efi_uga
insmod gfxterm
terminal_output gfxterm
fi
set menu_color_normal=white/black
set menu_color_highlight=black/light-gray
menuentry "Try Ubuntu without installing" {
set gfxpayload=keep
linux /casper/vmlinuz.efi file=/cdrom/preseed/ubuntu.seed boot=casper text noacpi nomodeset --
initrd /casper/initrd.lz
}
menuentry "Install Ubuntu" {
set gfxpayload=keep
linux /casper/vmlinuz.efi file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity quiet splash --
initrd /casper/initrd.lz
}
menuentry "OEM install (for manufacturers)" {
set gfxpayload=keep
linux /casper/vmlinuz.efi file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity quiet splash oem-config/enable=true --
initrd /casper/initrd.lz
}
menuentry "Check disc for defects" {
set gfxpayload=keep
linux /casper/vmlinuz.efi boot=casper integrity-check quiet splash --
initrd /casper/initrd.lz
}
(changes in grub are to disable efifb, which causes screen flickering/corruption - video=vesa:off doesn't work, probably because vesa IS the fallback driver)
then boot. After you get to command line, remove the vesa_drv.so module from /usr/lib/xorg/modules/drivers/, type startx
touchscreen works on x64 13.10. still haven't had time to make x86 ISO work with bootia32.efi GRUB
For Android-x86 without EFI support, I wonder if this method courtesy of Tyler Swindell on Youtube would work. This is what he used to get Android-x86 booting on the Surface.
Alright guys, this is the Surface Pro running Android-x86. It was something we all saw coming. Past 2
nights, I have been trying hard to get Android-x86 to run on my Surface Pro since I saw how amazing it
ran on my desktop PC. If it would just boot, I could see just how great Android is on the Surface Pro. So
I got it to boot, and it was just as great as I expected it to be.
So why didn't it boot? I had Secure Boot off. Ubuntu boots, Windows 7 boots. Well what do all these
operating systems have in common? Their installers all include both BIOS and EFI boot loaders. What is
interesting about the Surface Pro is the UEFI chip was designed without legacy BIOS support. There is
no way to boot a BIOS-based boot loader.
I thought about it and how Ubuntu boots. I checked the files and I saw a EFI-based Grub boot loader.
All I had to do was drop in Android's files into an Android directory and add the boot entries. This
worked and Android booted thanks to the EFI-based Grub boot loader.
Everything works except no connectivity, no Wi-Fi or Bluetooth. Also the buttons could have better
functions such as the Windows button or the power button which just brings up a power menu. Overall
it's a great start, it's booting, and the drivers are there for mostly everything. It's fantastic.
This tutorial can be drastically simplified and improved. Keep in mind it was just to get it to work.
1. Download Android-x86 ISO and Ubuntu 12.10 x64 ISO.
2. Format a USB flash drive.
3. Using LiLi USB Creator, copy Ubuntu ISO to flash drive.
4. Create Android directory in flash drive. Extract Android ISO, copy initrd.img, kernel, ramdisk.img,
system.sfs to the Android directory.
5. Modify boot/grub/grub.cfg to add these entries:
Code:
submenu "Android" {
  menuentry "Android" --class android --class linux --class os {
    linux /android/kernel root=/dev/ram0 androidboot.hardware=android_x86 quiet video=1920x1080 dpi=145 i915downclock=1 i915.powersave=1 usbcore.autosuspend=2 SRC=/android/
    initrd /android/initrd.img
  }
  menuentry "Android text output" --class android --class linux --class os {
    linux /android/kernel root=/dev/ram0 androidboot.hardware=android_x86 video=1920x1080 dpi=145 i915downclock=1 i915.powersave=1 usbcore.autosuspend=2 SRC=/android/
    initrd /android/initrd.img
  }
  menuentry "Android debug mode" --class android --class linux --class os {
    linux /android/kernel root=/dev/ram0 androidboot.hardware=android_x86 video=1920x1080 dpi=145 i915downclock=1 i915.powersave=1 usbcore.autosuspend=2 SRC=/android/ DEBUG=1
    initrd /android/initrd.img
  }
}
6. Turn off Secure Boot and boot Android. Enjoy.
Sent from my DROID BIONIC using Tapatalk
spunker88 said:
For Android-x86 without EFI support, I wonder if this method courtesy of Tyler Swindell on Youtube would work. This is what he used to get Android-x86 booting on the Surface.
Sent from my DROID BIONIC using Tapatalk
that might work, forcing android-x86 to boot via grub.. thanks
been using android-ia, which doesn't use grub... uses another efitool, need to play with both android-x86 and android-ia later tonight
paperWastage said:
that might work, forcing android-x86 to boot via grub.. thanks
been using android-ia, which doesn't use grub... uses another efitool, need to play with both android-x86 and android-ia later tonight
Picking up on our conversation from SlickDeals.. I actually ended up buying one of these things and I was able to get an external hard drive recognized just by plugged into my usb OTG cable -- in windows. I even tried a USB mouse which worked perfectly.
Deltido said:
Picking up on our conversation from SlickDeals.. I actually ended up buying one of these things and I was able to get an external hard drive recognized just by plugged into my usb OTG cable -- in windows. I even tried a USB mouse which worked perfectly.
yeah, my usb otg cable works now in windows (detects flash drive). no idea why it didn't work before (maybe I unplugged it too early while it was detecting/installing the usb driver?)
got android to boot up, but uglily
need 2 flash drives, and a USB-OTG cable(to be able to connect using the microUSB port)... a USB-hub should work too
(basically, you're piggying back off the ubuntu grub2 bootloader, to load the android kernel and other stuff)
used my (existing & currently working) ubuntu 13.10 x64 bootable USB (made via Rufus, GPT partition with bootia32.efi fix)
copied the contents of android-x86-4.3-20130725.iso into the USB:/android/
modified contents of grub.cfg as per the post by spunker88 with some changes to the resolution
second flash drive had dd if=android-x86-4.3-20130725.iso of=/dev/sdb1
without this second flash drive, the android boot sequence stops at "Detecting Android-x86" and "VFS: could not find a valid V7 on sda1". probably something to do with android/kernel not liking the first drive having FAT instead of ext2/3/4
grub.cfg - add to the end, and select this during grub
Code:
submenu "Android" {
menuentry "Android" --class android --class linux --class os {
linux /android/kernel root=/dev/ram0 androidboot.hardware=x86 video=1366x768 DEBUG=1 SRC=/android/
initrd /android/initrd.img
}
}
boot into USB, then grub, then select android.
android crashes to command line. forcing it to start (type exit twice), leads to the default android start screen, and eventually this
it is SUPER LAGGY. not usable
paperWastage said:
got android to boot up, but uglily
need 2 flash drives, and a USB-OTG cable(to be able to connect using the microUSB port)... a USB-hub should work too
(basically, you're piggying back off the ubuntu grub2 bootloader, to load the android kernel and other stuff)
used my (existing & currently working) ubuntu 13.10 x64 bootable USB (made via Rufus, GPT partition with bootia32.efi fix)
copied the contents of android-x86-4.3-20130725.iso into the USB:/android/
modified contents of grub.cfg as per the post by spunker88 with some changes to the resolution
second flash drive had dd if=android-x86-4.3-20130725.iso of=/dev/sdb1
without this second flash drive, the android boot sequence stops at "Detecting Android-x86" and "VFS: could not find a valid V7 on sda1". probably something to do with android/kernel not liking the first drive having FAT instead of ext2/3/4
grub.cfg - add to the end, and select this during grub
Code:
submenu "Android" {
menuentry "Android" --class android --class linux --class os {
linux /android/kernel root=/dev/ram0 androidboot.hardware=x86 video=1366x768 DEBUG=1 SRC=/android/
initrd /android/initrd.img
}
}
boot into USB, then grub, then select android.
android crashes to command line. forcing it to start (type exit twice), leads to the default android start screen, and eventually this
it is SUPER LAGGY. not usable
Progress!!
Although it's unusable, it's nice to see android on this device. So what do you think needs to be done to get android usable on this?
costcutter said:
Progress!!
Although it's unusable, it's nice to see android on this device. So what do you think needs to be done to get android usable on this?
for both ubuntu/android, first steps (since it's booting) is to get the graphics driver working. right now, ubuntu is using fbdev and android is (i think) using efifb... both are running at 800x600 and laggy....
either I fix the VESA bug, or find the correct intel driver for the new Bay Trail IGP and use it
then, install ubuntu/android properly on the device, and then debug the rest (instead of through a live USB where changes would not persist from every reboot)
I'm trying with Fedora 20 alpha, but not much luck so far.
Got the grub2-efi to work with your tutorial (and some digging), but once I start installing Fedora, it seems to freeze.
Gonna try ubuntu over the weekend.
probably the vesa bug as well (if you are trying to install via gui)
attempting to fully install ubuntu on system and boot from it.... the bootia32.efi / bootx64.efi / grubx64.efi is making a mess here...
managed to get Windows Bootloader AND ubuntu grub listed as boot options... grub has problems though, dumps me into grub shell
EDIT: Think it's easiest for me to try installing EFI Shell, and tinker from there
http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Efi-shell
EDIT2: For Windows 8 64-bit, the error is "This 64-bit application couldn't load because your PC doesn't have a 64-bit processor"
Looks like we need to enable Virtualization in the UEFI/BIOS... but there isn't such an option (the cpu Z3740 does support VT-x)
