
Possible ways to unlock 8260a-1

59 posts in this topic

Posted

There are 2 very probable working ways to unlock the -1 based CPUs.

    88F3BDF8 aAndroidBoot    DCB "ANDROID-BOOT!",0
    88F3BE06                 DCB 0, 0
    88F3BE08 var_unlocked    DCD 0
    88F3BE0C var_tampered    DCD 0
    88F3BE10 var_reset_cnt   DCD 0

Above is the layout of the partition table start; this is a copy from memory.

From what I can see this phone has no real fuses. If you compare the CPU-IDs, which is a number stored at offset 0xDC from base 0x80000930, you have:

    00 79 50 E1    CMP R0, R0,LSL#18    "8260a-3"
    00 79 10 E1    TST R0, R0,LSL#18    "8260a-1"

Now this might be a coincidence but these numbers also decode as the above ARM instructions, so my guess is that the processor might just have 2 versions of masked ROM code and they distinguish between them with the comparison of an instruction from this ROM (the primary boot).

The "unlocked" variable is a plain flash location. So any method which will write a non-zero value at offset 0x10 from the flash partition table will unlock your phone. The "tampered" variable, which only has a meaning in RAM, is set when the phone is locked and the kernel doesn't have or doesn't pass the X509 certificate check.

The first possible way to unlock the device is by using this loophole which allows any phone to boot from an unsigned kernel via the UART_DM protocol. This phone has a bootloader based on lk ((L)ittle (K)ernel based Android bootloader) and when you issue the command 'fastboot boot some.img' you are actually sending the image via the USB line (UART_DM) and the bootloader happily runs it but sets the tampered variable. Now if one makes an image and copies just the subroutines from the leaked fw which do the "oem unlock" and makes a "kernel" image out of it (with the abootimg utility) then runs it with the fastboot command, it will mark the partition as unlocked.

If one wants to trace what the phone is doing at early stages, the stock bootloader also accepts the "oem debug on/off" command which will toggle logging messages in the misc partition.

This unlock can only happen at the bootloader stage because by the time you have booted the kernel (or the recovery, which is also a kernel) you cannot see the partition table anymore, just the partitions.

The second obvious mode to unlock the phone is via JTAG. When the phone is manufactured the flash is blank. The flash is an eMMC device, which is a chip that has both a controller and a flash memory in it and conforms to JEDEC specifications. So all the JTAG capable devices on the board must be daisy chained to a JTAG connector. Using a JTAG programmer and knowing the eMMC type one should be able to read and write any location of the flash. Write a 1 at offset 0x10 and you are done.

What I said here are just ideas for others to explore. I only have an unlocked "-3" phone so I don't plan to go any further.

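The partition table header described in the first post, as an added example that is not part of the original thread: a small Python parser that reads the start of the aboot partition table from an offline dump and reports the lock state, plus a model of the boot decision the post describes (an unsigned image sent with 'fastboot boot' still executes; only the RAM-resident tampered flag records it). The 28-byte dumps are constructed here; the offsets come from the listing above.

```python
import struct

# Layout from the listing in the post: 14-byte magic, 2 pad bytes, then
# three little-endian 32-bit words at offsets 0x10, 0x14 and 0x18.
MAGIC = b"ANDROID-BOOT!\x00"
OFF_UNLOCKED = 0x10
HEADER_LEN = 0x1C


def parse_aboot_header(buf: bytes) -> dict:
    """Parse the first 0x1C bytes of the aboot partition table copy."""
    if len(buf) < HEADER_LEN:
        raise ValueError("dump too short for header")
    if buf[:len(MAGIC)] != MAGIC:
        raise ValueError("bad magic at offset 0")
    unlocked, tampered, reset_cnt = struct.unpack_from("<III", buf, OFF_UNLOCKED)
    return {"unlocked": unlocked, "tampered": tampered, "reset_cnt": reset_cnt}


def lock_state(buf: bytes) -> str:
    """The lock is a plain flash word with no fuse behind it: any non-zero
    value at 0x10 counts as unlocked, which is the weakness the post points out."""
    return "unlocked" if parse_aboot_header(buf)["unlocked"] != 0 else "locked"


def simulate_fastboot_boot(flash_hdr: bytes, kernel_signed: bool) -> dict:
    """Model (assumption, built from the post's description) of what the lk
    bootloader does with an image received over 'fastboot boot': it copies
    the header to RAM, sets the tampered flag when the phone is locked and
    the certificate check fails, and executes the image regardless.
    The flag is a record of the event, not a gate in front of execution."""
    ram = parse_aboot_header(flash_hdr)
    if ram["unlocked"] == 0 and not kernel_signed:
        ram["tampered"] = 1
    ram["executes"] = True
    return ram


def make_sample(unlocked: int, tampered: int, reset_cnt: int) -> bytes:
    """Constructed sample dump (not a real capture) in the post's layout."""
    return MAGIC + b"\x00\x00" + struct.pack("<III", unlocked, tampered, reset_cnt)


if __name__ == "__main__":
    for sample in (make_sample(0, 0, 0), make_sample(1, 1, 0)):
        print(parse_aboot_header(sample), lock_state(sample))
        print(simulate_fastboot_boot(sample, kernel_signed=False))
```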

Posted

Thanks for the idea. I will talk to a forum member that knows coding and has a 1 type. Maybe we can crack it. I saw that a hardbrick mode was found in order to flash everything back again to proper use if, let's say, you installed something that didn't cut it. There are actually 2 reasons why the development on unlocking the bootloader is not working:
1. There are no Acer S500 left in Romania. If you break it and it still falls under warranty they will not replace it with another S500 but a similar spec'd phone... which does not exist.
2. We lack developing skills.

Posted

OK, since nobody volunteered for some code writing I did it in the end...

So I've explored method one which seems to work.

Here is what I've done. I have mimicked a kernel image but only my little ARM code is executed. I have included the sources so you can see I don't do anything sinister.

The bootloader loads the kernel in RAM at address 0x80208000 and passes execution at that address without erasing itself from memory. I'm searching in the bootloader space for the partition table copy, a printf function and a write_aboot function which actually writes the copy to flash. Once I've found all these I simply let the bootloader functions do the work and unlock the phone.

There are 2 images included: test-only, which only searches for functions and if everything is found prints the addresses and some messages; unlock-cloudmobile is the real thing.

I have already tried it on my phone and it seems to work, but my phone is already unlocked.

So just run 'fastboot boot test-only.img' first - this image doesn't change anything in your phone, it just prints its status. If all the messages are displayed then you can try the unlock code with 'fastboot boot unlock-cloudmobile.img'. You will have to take the battery out after this because I haven't bothered to understand how to read buttons or restart the bootloader, so I simply halt the processor once I'm done.

The function search is very generic so this should work on all CloudMobile phones regardless of CPU or firmware version.

Please report any success, and if this works you owe me a beer.

Posted

I don't own a locked CloudMobile but what you did is awesome man!

Posted

Very good job done here :)

Hope it will help for locked phones.

Posted

I'll try it when I get home, I left my USB cable there. Will report back after I try.

If it works just give me a PayPal account and you will get a beer, at least from me... ;)

Posted (edited)

Hello, I have tried "fastboot boot test-only.img" from fastboot but it hangs at waiting for device... should it be something like "fastboot -i 0x0502 boot test-only.img"?

And count me in for a beer.. :D

Edited by mausyui
Posted

> Hello, I have tried "fastboot boot test-only.img" from fastboot but it hangs at waiting for device... should it be something like "fastboot -i 0x0502 boot test-only.img"?
>
> And count me in for a beer.. :D

What's your operating system on the PC?

Posted

w7

Posted (edited)

Sorry, didn't read your post fully.. Yes, you must type fastboot -i 0x0502 boot boot-what-you-need.img

Edited by davidevinavil
Posted

How do I flash those images? A tutorial please xD

Posted

You do not flash anything on your phone, just execute some code. On Windows you need the -i 0x0502 switch, so:

'fastboot -i 0x0502 boot test-only.img'

See if all the functions have an address and it says at the end 'Your phone appears to be ready to be unlocked', then take the battery out, get back in fastboot, then

'fastboot -i 0x0502 boot unlock-cloudmobile.img'

and then take the battery out again. At this point your phone should be unlocked.

Posted (edited)

I think it worked :)

Thank you!!

Edited by mausyui
Posted

Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal. I flashed unlock-cloudmobile.img..

After this I ran test-only.img again and it said that "Your phone is already unlocked".

So I can flash CM 10?

Posted

I have something like this:

    'printf' fond at address 88f146ad
    'write_aboot' found at adress 88f12259
    Unlocked:1
    Tampered: 1
    Reset Counter: 0
    Your phone is already unlocked
    Done
    please remove battery and power cycle the phone

( power cycle ? )

Posted

> Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal. I flashed unlock-cloudmobile.img..
>
> After this I ran test-only.img again and it said that "Your phone is already unlocked".
>
> So I can flash CM 10?

Yes
Posted

Yeah but I tried to flash CWM recovery and I got an error...

Posted

> Yeah but I tried to flash CWM recovery and I got an error...

You can't flash with fastboot, just fastboot -i 0x0502 boot cwm.img

Posted (edited)

Oh... and how can I make CWM Recovery to be always there?

I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

Edited by razvankim
Posted

You cannot flash individual partitions on JB. Only the bin container is accepted, so you should use the merged_acer_fw utility I've made to construct a .bin from just the partition you want to flash. You need to have the correct parameter_list.txt file and the "official" names for partitions (in this case 'recovery.img').

Your phone is unlocked though.

Posted

> Oh... and how can I make CWM Recovery to be always there?
>
> I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

Flashing CM10 is completely safe.. if it doesn't boot just flash an Acer update.zip, you can find it on MoDaCo.

Posted

So I can flash CM10 without worries?

Posted

> So I can flash CM10 without worries?

Yes

Posted

Flashing right now.. letting you know if it works :P

Posted (edited)

> I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

There are no chances to brick your phone if you just flash the recovery, because the recovery is loaded instead of the Linux kernel so your fastboot is still there.

Just get the xxx_1.bin you've used to last flash your system; do a 'merged_acer_fw -x xxx_1.bin' to extract the parameter_list.txt, then only keep that file and rename your CWM recovery as recovery.img; run again 'merged_acer_fw -c some_name.bin recovery.img' (the parameter file is included automatically); in the end just 'fastboot bin some_name.bin' and just your recovery partition will be flashed.

Edited by zelea2

MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.