KF2 (KFOT) - Location of Test Points to Short for Fastboot? - Kindle Fire 2 Q&A, Help and Troubleshooting

So I bootlooped one of these stupid old things (damned if I know *how* exactly, but whatever). The fastboot cable I used to have has disappeared of course, and I can't really justify buying another one just to fix this ancient thing that's barely worth messing with anyway. It dawned on me, however, that this thing should have a test point somewhere on the board that can be shorted out while plugging in the cable that would dump it into fastboot... but where? I've found the location for a couple other-gen KF models, but not this one. Anyone know or can at least maybe point me in the right direction?

Related

My phone has passed....

Hello all! I have a sad story and an opportunity.
Sad story: I forgot my Universal on top of my car today and when I came around a bend in the road, it was slung out into a highway. The first car dodged it, and the second car aimed for it. I have taken pics. I think it would have survived the slinging, and I am testing to see if the mainboard survived being run over.
Opportunity: I'd like to get a new one. I don't mind parts-ing one together either. I am comfortable buying on eBay, and I don't mind it if I have to pay for international shipping, but I'd prefer to buy from the US for quicker delivery time.
I was just about to start really customizing the ROMS and all that too....
Sigh.
I have attached pics of the carnage. The microSD card survived. I did pull all of my data off though. Luckily I had done a hard reset last week, so I had all my numbers backed up. The SIM card survived as well, and I am borrowing a phone I gave a friend for the time being.
Wow those are some scary images! Sorry for your loss, but that needs to be a closed casket funeral...
I've been considering selling my Uni/JasJar, PM me if you're interested in buying a used device with a bit of wear.
Oh my god............
RIP Uni are you trying to disassemble it for some pics of motherboard?
It looks better than I would have thought after being run over. You may be lucky and Mobo may be ok. You can buy replacement screens and casings.
Was it a compact that ran it over? Cause I really can't see the Uni being that strong?
There are quite a few Uni's going on the UK Ebay anywhere from $200 USD to $80 USD if you are patient enough.
Good luck with finding another!
2 minutes silence for the Uni please......
Status update
I have purchased a B stock unit from eXpansys (the last one they had) for a decent price. Only problem is with the new unit, all I can do is get into the boot loader to see that it is version 1.00, and give it the hard reboot command. The unit appears to respond to the command but does not initiate the hard reset.
Hard reboot command I used: two soft buttons and the reset button.
Bootloader command I used: power, brightness, and reset button.
The bootloader does recognize the difference between a USB and !USB connection. However, Windows consistently reports that the USB device has malfunctioned.
At first I thought it was a battery issue because the unit looks like it is brand new. So I waited patiently until I got home and tried all of the batteries I have here at the house. Yes, I was wary sticking the battery that was in the unit that was run over into it, but I did try it. I have tried 3 chargers and two computers, and NADA. The only response I get from the device is using one of the two commands above.
Other random observations:
I tried inserting an old (disconnected but good) SIM card into it. Nada.
The battery was shipped in the battery compartment.
The backlight does work, as does the screen to some degree.
When I first plugged it into the charger, the battery status LED was red, as I anticipated.
The battery status indicator no longer turns red when the unit is plugged in. It does turn red when the battery is removed and power is applied.
Postulations at this point:
I wonder if I could load a ROM image to it?
I wonder if the battery is really charged.
Any and all help will be much appreciated on the matter.
Dissection
Win_XP said:
RIP Uni are you trying to disassemble it for some pics of motherboard?
I have disassembled it already and done some preliminary testing. The power LED does illuminate RED. I have tried attaching a battery and holding it, but that's not producing anything. But then again the screen is cracked like it's cool, so I don't know what to expect.
I'll post pics when I get a chance.
beast0898 said:
Was it a compact that ran it over? Cause I really can't see the Uni being that strong?
There are quite a few Uni's going on the UK Ebay anywhere from $200 USD to $80 USD if you are patient enough.
Good luck with finding another!
It was one of those KIA/Mercedes/Lexus lifted CAR SUV things. They AIMED for it.
I looked on eBay, but I never thought to check the UK side. Usually eBay does that for me for some reason....
Situation update
I have had a couple of offers and much sympathy. Thanks!
My unit from expansys is up and running. I was up till 3 am Saturday morning playing around with it. I stumbled across a few posts that gave instructions on how to deal with a potentially bricked device. As far as I can figure, my phone was shipped to me without an OS. I knew that PCs could do that, but can you just blank the OS on a phone? I can theoretically see how that might be possible, but why would that happen? Do they not get shipped out with OS's? That baffles me.
The specific process of deduction I used:
Read the manual (the service manual from HTC). It said to either reload the ROM or the mobo was defective. I started looking on this forum for the procedures and files necessary.
It seemed that my phone was not booting, so I looked into the ROM upgrading/reflashing pages.
Links to pages I found useful:
http://forum.xda-developers.com/announcement.php?f=357
http://forum.xda-developers.com/showthread.php?t=367448
http://wiki.xda-developers.com/
http://wiki.xda-developers.com/index.php?pagename=HTC_Universal
http://wiki.xda-developers.com/index.php?pagename=Flashing Guide
http://wiki.xda-developers.com/index.php?pagename=Uni_ROM_Upgrade
http://wiki.xda-developers.com/inde...consumption measurements of the HTC Universal
http://wiki.xda-developers.com/inde...y car or USB charger! It just doesn't charge!
http://forum.xda-developers.com/showthread.php?t=298613
http://forum.xda-developers.com/showthread.php?t=285435
As you can see, the wiki was quite helpful for me. The list above is not inclusive. I thought I had bookmarked all the pages I found helpful, but it did not appear to be so. I have done much reading on this forum, and I purchased my original Universal over a year ago. I say that to let any newbies know that this is not a simple process and should not be attempted until you have a clear picture of what's going on.
I also tried the set 0 14 procedure, but that did NOT work in my case.
What finally got me was the imate ROM I have attached to this page. It was able to see my Universal, but only when I was in the bootloader. I will say that again because it bears repeating. I put the phone into the bootloader and ONLY THEN could I update the ROM on the device. I found no instructions anywhere on this, I had to figure it out on my own. The way I discovered it though is kinda neat. When I just plugged the phone into my computer, Windows would not recognize it and say that it malfunctioned. If I plugged it into my computer with it in the bootloader, I got that nice sound that Windows makes when new hardware is found. Also, I tried the Universal RUU and it did not recognize that the phone was attached in either way. Lastly, I first tried the ROM update with the phone not in the bootloader, and the IMATE program didn't see the phone. I tried it with it in the bootloader, and it did its thing.
I have attached a few of the files I found useful. I found these on this site, in some posts.
This is not a formal writeup, so please forgive any grammatical errors or rambling. I just wanted to share what I found.
So I finally just switched the SIM card back into the new phone. I tried to get MMS going, and SAME FRAKKIN thing: small pics. ARGH!!
Hi,
Some of the commands for MTTY are not in the standard bootloader command list, best advice is to supercid your device (this will help in recovery if things go wrong later too) then once supercid is complete, upgrade the Bootloader version and flash a complete Rom to the device, radio, extended and OS in one flash.
All info is in the Wiki mate, if you need any further help, post back to us or PM me.
Glad you got a device back up and running, can't you sue the guy for intentionally hitting your old one................LoL!
Cheers,
Beasty

Why can't a bricked phone be revived?

This is a question for those in the know when it comes to programming. Why isn't there a way to revive a bricked phone? Can't there be some method for a host computer to manually write the radio to the device? How does HTC fix a bricked phone for it to be a refurb?
I'm just very curious about this because I see a few people attempt to update the radio only to lose power and brick their EVO. I have no programming experience so don't know what goes on at the internal component level. Thanks in advance for your input.
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
That helped me, thanks.
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
Thanks good explanation appreciate that.
rafroehlich2 said:
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
There is probably a JTAG interface somewhere in there. In fact, that's how the original hack of the iPhone was done. (Better ways were since found.) Most devices have a quasi standard interface for programming the flash and accessing the hardware for diagnostics. For instance, Linksys routers actually have a spot on the board to solder a header and you can make a cable that connects to the parallel port. Do a Google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probably possible with the Evo. (I've even seen them on hard drives and CD-ROM drives.) The problem is, it's not entirely standardized, and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance, a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up, or if a certain other pin of the chip is grounded when the power is applied.) It might also be completely internal to the chip, and there be NO connectors on the board (it almost CERTAINLY has the capability, they need it during prototyping) and the chips might be programmed BEFORE they are soldered in. It might take replacing the ROM chip to get it to go. There are lots of ifs.
Chances are though, the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible but requires a certain degree of knowledge about the hardware. What I suspect is, until someone who has the skills to make such a cable bricks their phone, they won't bother figuring out how to debrick one. In fact, when that person bricks their phone, they will probably take it back to Sprint and say "I don't know what happens". In fact, even if it's stuck looping in an obviously hacked boot loader he for some odd reason can't undo, he's probably going to send it back to Sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15kv from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it, "I don't know what happened, but it smells bad and won't boot up".
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100
Yea, it would be nice if it were. It's kinda sorta quasi standard, so it HAS been done in some cases where it's necessary, but often there are easier ways around it. Personally, I have always thought that it's a pretty stupid thing to make a piece of equipment that can fail due to a bad flash. The people who designed many of the flash memory chips seemed to agree, and they added something called a "boot block" to many, but the way it's implemented, when it's implemented, doesn't fully protect you from a bad flash. It's even worse now that everything is in ball grid array chips soldered down to the board.

[Q] Restore S-ON without usb

Hello there, my droid incredible 2 has a faulty USB port, it accepts charge but it will not connect to any computer with any cable.
I received a replacement from Verizon, however I cannot use the ADB commands Jcase posted to restore S-ON due to my broken port.
Does anyone have any ideas or experience with this situation? Any help would be greatly appreciated.
-zax
maybe if u can hook sd card to comp.
I think I read somewhere in the DIncI forum about running ADB through WiFi and doing console commands.
Not sure how it worked out tho.
When I got my first DIncII, The cable was a mother to pull out so I went to VZW corp store and they gave me a new cable.
Have you tried different cables/PCs?
Have you tried ##3424# send? You need a sense based ROM to use that, but it should get you into DIAG mode to use ADB with minimal OS interference.
The port is connected with a ribbon cable so try with back off holding the port in different positions.
Applying slight force in different directions and holding it there.
Maybe poster putty would help to lock it to that position long enough to achieve the ADB.
Good luck.
I'm experiencing the same issue, I cannot get my computer to recognize the phone after trying multiple cables. Wireless ADB seems to require root access to get it working and I have already restored to unrooted 2.2. How thorough does Verizon check phones they receive back? Will they notice an unlocked bootloader?
Not sure if Verizon will have the phone long enough to care - do they check returned phones or just forward them to HTC for the standard refurbishing process?
The USB/charging port just went in our 6-month old Incredible 2, and it's only now that I've found threads at Verizon's website of many others complaining about this model having a chronic issue with this portion of its hardware. So, I guess we'll have to expect more refurbished replacements until the two-year contract is due. Disappointing, especially in light of how well it operates when the port is working as expected.
- ooofest
I ended up just screaming and holding the USB cable at an obscure angle to restore the connection
As for the wireless ADB and over TCP and whatnot, so far what I've found has only been theoretical, nobody has posted anything about it working in reality, and this stuff is far beyond my knowledge.

[Discussion] Direct access to e-MMC to fix bricked KF? - CONFIRMED!

Hello! Been lurking for a while and just finally decided to post.
A little background: My first Kindle Fire 2 was rooted just fine. Everything worked for several months, then the screen went bad. Called Amazon and got a replacement sent over. The night I received said replacement, I decided that I wanted to try the 2nd bootloader + TWRP and install CyanogenMod. Unfortunately, I missed the part about reverting back to the older version of the bootloader before patching. Oops.
TLDR; Bricked KF2.
That brings me to the main focus of this topic: After reading a plethora of threads stating that there was no way to fix a bricked KF2 with the USB, I began thinking... Theoretically speaking, couldn't the e-MMC be accessed if it was taken out and mounted to an e-MMC to USB? This would allow reflashing the partitions and (hopefully) returning it to an unbricked state. Of course, that means remounting the e-MMC to the KF2 motherboard, but you can do wonders with a stencil, some solder paste, and a toaster oven, it seems.
Then, while searching for a good e-MMC to USB adapter, I stumbled across a very intriguing thread on hacking TomToms' NAV3 where the e-MMC is left on the device and wired to a MMC USB reader. Page 36 and 37 are the useful bits. (I can't post links yet, so this is the best to demonstrate): mobilescommunity.com/tomtom-discussions/178770-nav3-cracking-patching-copying-navcore-v10-v11-v12-36.html
At this point, I'm just waiting on an old, broken KF1 to arrive to track down where the leads go and possible solder points. I'll keep you posted as things progress.
Any comments, thoughts, suggestions?
P.S. I have a feeling that this would be better suited in the development forum, but as I am new, I can't post there. Assuming that this crazy idea actually works, (and considering that I'll probably have ten posts by then), I'll likely post a clean guide over on that forum.
I had mine already taken apart cause of a broken screen, and one thing is for sure, there was no e-MMC or anything that you could take out and put into an adapter :\
I think you are not out of luck! Are you getting a red screen or is everything dead?
Completely dead.
...and there is an e-MMC. On my KF2, it was under a piece of foam. If you look at it like you just took off the back cover (without moving the motherboard) from the bottom (the side with the usb port) it's on the right lower portion of the motherboard. It's a Samsung chip, KLM8G2FE3B-B001. There's also a line of solder points just below it. It looks like a decent number of the pins (which we can't see because it's a surface mount) go to that bank of solder points.
Since I still can't post real links/pictures: tinypic.com/r/20hppw5/5
Image credit: iFixit.
That picture is the motherboard from a KF1, but it's in the same location. It's the chip outlined in red.
Just a little update... Have a junk motherboard, the e-MMC is off, now I'm just tracking down where the pins go and possible solder points. It looks like the motherboard has exposed pads that will work well for soldering (my guess is they were originally access points for board/component testing?). I'll post again when I have more info.
Another update: I've tracked down solder points for DAT0-7, CMD, and CLK. I just need to track down the voltage (Vcc and Vss) and grounds (VccQ and VssQ). After that, I'll have pictures with it labelled. Then I need to work on soldering to said points and attaching them to a MMC reader, and praying that it works.
Hmm well if you can get your PC to recognize the emmc, with what I'm assuming is going to be Linux because of the fact the filesystem is ext4 on kindles last I checked, I'm curious if the modules that Linux have will recognize the device. If it does I wonder if u can simply use dd to flash the messed up partitions with the correct signed replacements. I wish I had your solder skills... I need a new tip for mine but I'm too lazy to go out and get one, much less do soldering on a kindle motherboard. If this works u could offer repair services to people, because I doubt most people would attempt this. I find this thread very interesting!
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Then good luck to you!
Hopefuly we will have an unbrick method...
Finished tracking down solder points. Attached are some pictures with them labelled. I'll be working on the actual soldering and connecting it to my computer in the next few days here as my mini-vacation is over and I have to go back to work tonight.
So! I have good news. I soldered everything together and plugged it in. Ubuntu auto-mounted all the partitions from the e-MMC! I'll post pictures on Friday as I'm about to take a nap before spending the next 24 hours at work.
I have a couple minutes on break, so I'm uploading a screenshot of Ubuntu with the partitions mounted. All my pictures of the board/SD card reader and solder job are on my camera at home, so I'll post those later.
Note: The partitions are on the bottom left of the window, the 17 MB one through the 929 MB one. Once I track down which one is the boot partition, I'm going to rewrite it with the original boot image and pray that has fixed the problem.
Wow this is awesome, I am very impressed at this. Now to just use dd to shove the boot loader down the emmc's throat. I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties? Not sure if u have gparted installed, probably have to install it from the repos. Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
stunts513 said:
Wow this is awesome, I am very impressed at this.
Thanks! Assuming this works, I'm thinking of designing a solder-less device to make all the connections. Soldering to those tiny pads on the motherboard was a pain!
stunts513 said:
I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties?
Is it the partition itself that's signed, or the boot files?
stunts513 said:
Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
That's a really good idea. I'll make sure to take a screenshot of the partitions in gparted when I have a chance to work on it some more on Friday.
From what I understand not all, but some of the partitions are signed, like the boot loader, they have a 64kb signature in the partition's header if I remember correctly. That's also the reason we can't fix the device when we brick the boot loader, because these things show up as omap devices and we have the means to use that device and try to fix it, but we can't fix it because the initial file it loads up has to be signed. Your fix is kinda unorthodox, but hey, whatever works. :thumbup: Bet Amazon didn't think people would go this far to fix it. Heck technically if this works you could probably root it in this manner even if an exploit wasn't viable. Anyways for more info on what I was talking about read q2, q3, and q4 of this post: http://forum.xda-developers.com/showthread.php?t=2228539
I personally want to look into why we can't just hex edit an image that's unsigned to clone a signed image's signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file, not to mention that would be next to impossible I think since it would be difficult to try to make a partition exactly like the one on the kindle minus a signature (because even if u copied the files over, they wouldn't necessarily be stored in the exact same sectors of a partition), making it even more complicated for me to see the actual signature. Soupmagnet said this is impossible to do already and he knows what he's talking about so I seriously doubt I could do this.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
stunts513 said:
I personally want to look into why we can't just hex edit an image that's unsigned to clone a signed image's signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
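The header-cloning question discussed above, as an added example that is not part of the original posts. It assumes kurohyou's guess that the header carries a signature over a checksum of the image, and it uses a toy unpadded RSA key and a hypothetical `TOYSIGN1` header layout, not TI's or Amazon's actual format.

```python
import hashlib

# Toy key built from two Mersenne primes so no key generation is needed.
# Constructed for illustration; real signers use random primes and padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer
SIG_LEN = (N.bit_length() + 7) // 8  # size of the signature field in bytes
MAGIC = b"TOYSIGN1"                  # hypothetical header magic (assumption)
HDR_LEN = len(MAGIC) + SIG_LEN

def digest_int(payload: bytes) -> int:
    """SHA-256 of the payload as an integer: the 'checksum' being signed."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def sign_image(payload: bytes) -> bytes:
    """Vendor side: needs the private exponent D."""
    sig = pow(digest_int(payload), D, N)
    return MAGIC + sig.to_bytes(SIG_LEN, "big") + payload

def verify_image(image: bytes) -> bool:
    """Boot ROM side: needs only the public values N and E."""
    if len(image) < HDR_LEN or not image.startswith(MAGIC):
        return False
    sig = int.from_bytes(image[len(MAGIC):HDR_LEN], "big")
    if sig >= N:
        return False
    # Recover the digest the signer committed to, compare with this payload.
    return pow(sig, E, N) == digest_int(image[HDR_LEN:])

def clone_header(signed_image: bytes, other_payload: bytes) -> bytes:
    """The hex-editor idea: keep the signed header, swap in another payload."""
    return signed_image[:HDR_LEN] + other_payload

# Constructed sample payloads standing in for bootloader images.
STOCK = b"stock bootloader " * 64
CUSTOM = b"custom bootloader " * 64
stock_img = sign_image(STOCK)
cloned_img = clone_header(stock_img, CUSTOM)
flipped_img = stock_img[:-1] + bytes([stock_img[-1] ^ 1])  # one bit changed

if __name__ == "__main__":
    print("stock image verifies:   ", verify_image(stock_img))
    print("cloned header verifies: ", verify_image(cloned_img))
    print("one flipped bit verifies:", verify_image(flipped_img))
```

Under this model the copied header still decodes to the digest of the stock payload, so the check fails for any other payload regardless of how the bytes are laid out on disk.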
Yea that's an interesting idea, I have no idea how u could generate headers to try to forge what the Kindle has though, and I'm assuming if it is a 64kb signature, that is a huge amount of combinations. I'm assuming figuring out how to make a signed image is similar to how some key generators are made that take an activation code and spit out another code for you to use. Though I have no idea how they figure out the common denominators for making a code based on such. It's one thing in simple math but to do it to strings of letters and numbers is beyond me. Luckily we have several partitions for reference, if it was just one we'd be pretty screwed, assuming I have any idea what I'm talking about. Feel free to run the idea by him, I chatted with him before a little about something like this in some PMs.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
kurohyou said:
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
You should probably just focus on getting the device restored so you can have yourself a little side business of restoring hard bricked 2nd generation Kindle Fires...although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
soupmagnet said:
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Sounds like a lot of work; although, I didn't expect anything less.
soupmagnet said:
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
What, you're telling me that cracking the encryption in a few million years from now wouldn't be useful?
It probably didn't help that in my sleep-deprived state last night, I failed to differentiate between 64kb and 64bit. Oops.
soupmagnet said:
You should probably just focus on getting the device restored
That's always been the focus, but I also figured that while we're here discussing things (and with confirmed access to the e-MMC now), why stop with just the basic restore to working when there's the possibility of more?
soupmagnet said:
although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
Of course I'm going to share! As soon as I finish the last few steps here and confirm that it's working, I'm going to post a guide over on the Development forum. I don't know how many people will be comfortable with the soldering part, though. It was a beast trying to solder to the motherboard. I do plan on trying to develop a solderless method, probably by fabricating a board that connects to all the important points and secures to the motherboard itself (probably using the screw holes).
Some more images, now that I'm home.
Here's what everything looks like when it's soldered together:
Here it is connected to the computer:
...and finally, a screenshot of the partitions in gparted:
Sweet, didn't realize how many partitions the kindle had. So now all we need to figure out is which partition of those is the bootloader partition, so u can try flashing the boot loader with the dd command. Might I suggest backing up the entire emmc device with dd instead of just some of the partitions? Also was wondering if all goes well, if the kfhd's emmc pin layout is the same, be nice if a solderless bolt on version could be truly "universal" for all kindles, shape wise it wouldn't be a problem as long as the bolt-on-board has multiple hole configurations.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

A series of unfortunate events

About a year and a half ago, I royally screwed up my Kindle. I managed to wipe the entire system and possibly the bootloader (not sure). This was back when the device was still being supported, but activity was waning. I was at the time having trouble with the "battery drained so low, I ain't turnin' on no mo" issue. Fast forward to yesterday. I started fiddling around with it, eventually got it to boot back up to Kindle Fire splash. Nothing past that, just would hang. I then left it plugged in overnight (since it seemed a miracle it even powered up) to try some more today. At this point, I tried holding the power button while powering on and it somehow got itself into TWRP! "Woohoo!" I exclaim. I'm set! I can just mount USB, put on a ROM, flash it and we're good to go!
But alas, not so. For when I select "Mount USB" a blank F:\ drive shows up in my computer. No access, can't load a ROM. Still just a well loved brick. ADB also not working (and I got ADB working for my Amazon Fire crap-tab just a few days ago, so I don't think it's that). Good old Online/Unknown shows up.
I've done some digging around, found a person or two out there who's had a similar problem, but most go unsolved. Or the ones that do have no mention of a solution or worse yet, they link to solutions or downloads that are since abandoned.
I'm not looking for anything fancy. This tablet is on its way (should it survive, that is) to becoming only a study tool for my girlfriend in law school. All it has to do is get online and be able to read pdfs (tragically, the very things it could do before its life of rooting and roming that did it in).
It's a tale of hubris and neglect, but also of triumph, hopefully. I'm happy to provide any details that may help (TWRP is currently v2.7.1.0, at the boot menu, something in the corner says v2.05). I'm working on a laptop with Windows 10, but I also have one that has 7 and is getting a dual boot for Ubuntu installed as we speak. Anyone willing to help out, I would be forever in your debt. Well, depending on how much you help that is. Maybe just a week in your debt if you're just telling me to give up.
Thanks to anyone who can lend a hand or even just read this whole tale. Thanks.
