Possible ways to unlock 8260a-1

#1 zelea2 (Devices: Acer S500)
There are 2 very probable working ways to unlock the -1 based CPUs.

88F3BDF8 aAndroidBoot DCB "ANDROID-BOOT!",0
88F3BE06 DCB 0, 0
88F3BE08 var_unlocked DCD 0
88F3BE0C var_tampered DCD 0
88F3BE10 var_reset_cnt DCD 0

Above is the layout of the partition table start; this is a copy from memory.
From what I can see this phone has no real fuses. If you compare the CPU-IDs,
which is a number stored at offset 0xDC from base 0x80000930, you have:
00 79 50 E1 CMP R0, R0,LSL#18 "8260a-3"
00 79 10 E1 TST R0, R0,LSL#18 "8260a-1"
Now this might be a coincidence but these numbers also decode as the above ARM
instructions, so my guess is that the processor might just have 2 versions of
masked ROM code and they distinguish between them with the comparison of an
instruction from this ROM (the primary boot).

The "unlocked" variable is a plain flash location. So any method which will write
a non-zero value at offset 0x10 from the flash partition table will unlock your
phone. The "tampered" variable which only has a meaning in RAM is set when the
phone is locked and the kernel doesn't have or doesn't pass the X509 certificate
check.

The first possible way to unlock the device is by using this loophole which allows
any phone to boot from an unsigned kernel via the UART_DM protocol. This phone
has a bootloader based on lk, the (L)ittle (K)ernel based Android bootloader,
and when you issue the command 'fastboot boot some.img' you are actually sending
the image via the USB line (UART_DM) and the bootloader happily runs it but
sets the tampered variable. Now if one makes an image and copies just the subroutines
from the leaked fw which do the "oem unlock" and makes a "kernel" image out
of it (with the abootimg utility) then runs it with the fastboot command it will
mark the partition as unlocked.
If one wants to trace what the phone is doing at early stages the stock bootloader
also accepts the "oem debug on/off" command which will toggle logging messages in
the misc partition.
This unlock can only happen at the bootloader stage because by the time you have
booted the kernel (or the recovery which is also a kernel) you cannot see the
partition table anymore, just the partitions.

The second obvious mode to unlock the phone is via JTAG. When the phone is
manufactured the flash is blank. The flash is an eMMC device, which is a chip
that has both a controller and a flash memory in it and conforms to JEDEC
specifications. So all the JTAG capable devices on the board must be daisy chained
to a JTAG connector. Using a JTAG programmer and knowing the eMMC type one should be
able to read and write any location of the flash. Write a 1 at offset 0x10 and you
are done.

What I said here are just ideas for others to explore. I only have an unlocked "-3"
phone so I don't plan to go any further.

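Added example (not code from the post or from the sources zelea2 attached): a small Python reader for the header layout quoted in the post, i.e. the "ANDROID-BOOT!" marker followed by var_unlocked, var_tampered and var_reset_cnt at +0x10, +0x14 and +0x18, plus a decoder that shows how the two CPU-ID words fall out as ARM data-processing instructions. The offsets and field names come from the listing above; the dump bytes are constructed here for the demonstration. The code only reads and describes the flags in a buffer, which is what you want when checking how a device is marked before doing anything to it.

```python
import struct

# Layout quoted in the post, relative to the "ANDROID-BOOT!" marker:
#   +0x00  DCB "ANDROID-BOOT!",0   (14 bytes)
#   +0x0E  DCB 0, 0                (pad to a 4-byte boundary)
#   +0x10  var_unlocked  DCD
#   +0x14  var_tampered  DCD
#   +0x18  var_reset_cnt DCD
MAGIC = b"ANDROID-BOOT!\x00"
OFF_UNLOCKED, OFF_TAMPERED, OFF_RESET_CNT = 0x10, 0x14, 0x18
HEADER_LEN = 0x1C


def build_header(unlocked, tampered, reset_cnt):
    """Constructed sample header in the post's layout (test data, not a device dump)."""
    return MAGIC + b"\x00\x00" + struct.pack("<III", unlocked, tampered, reset_cnt)


def parse_aboot_header(buf):
    """Decode the three little-endian status words that follow the marker."""
    if len(buf) < HEADER_LEN:
        raise ValueError("need at least 0x1C bytes")
    if buf[:len(MAGIC)] != MAGIC:
        raise ValueError("ANDROID-BOOT! marker not at offset 0")
    unlocked, tampered, reset_cnt = struct.unpack_from("<III", buf, OFF_UNLOCKED)
    return {"unlocked": unlocked, "tampered": tampered, "reset_cnt": reset_cnt}


def find_aboot_header(dump):
    """Scan a larger buffer (e.g. a raw read of the partition area) for the marker."""
    idx = dump.find(MAGIC)
    if idx < 0:
        return None
    return parse_aboot_header(dump[idx:idx + HEADER_LEN])


def describe_state(fields):
    """Plain-English reading of the flags as the post describes them: a non-zero
    var_unlocked means the bootloader treats the phone as unlocked; var_tampered
    is set when a locked phone boots a kernel that fails the X509 check."""
    lock = "unlocked" if fields["unlocked"] else "locked"
    tamper = "tampered" if fields["tampered"] else "not tampered"
    return f"{lock}, {tamper}, reset counter {fields['reset_cnt']}"


# --- ARM data-processing decode for the CPU-ID words -----------------------
# The post points out that the two CPU-ID values also disassemble as ARM
# instructions. This decoder covers only the ARM-mode data-processing form
# with a register operand shifted by an immediate (I=0, bit 4=0), condition AL.
DP_MNEMONICS = {0x0: "AND", 0x1: "EOR", 0x2: "SUB", 0x3: "RSB", 0x4: "ADD",
                0x5: "ADC", 0x6: "SBC", 0x7: "RSC", 0x8: "TST", 0x9: "TEQ",
                0xA: "CMP", 0xB: "CMN", 0xC: "ORR", 0xD: "MOV", 0xE: "BIC", 0xF: "MVN"}
SHIFT_NAMES = ("LSL", "LSR", "ASR", "ROR")


def decode_cpu_id_word(raw):
    """Decode 4 little-endian bytes as 'OP Rd, Rn, Rm,SHIFT#imm' (IDA-style
    spacing); returns None for any encoding outside the form handled here."""
    word = struct.unpack("<I", raw)[0]
    if word >> 28 != 0xE:                       # condition field: only AL handled
        return None
    if (word >> 25) & 0x7 != 0 or (word >> 4) & 1:
        return None                             # not register-shifted-by-immediate
    opcode = (word >> 21) & 0xF
    s_bit = (word >> 20) & 1
    rn = (word >> 16) & 0xF
    rd = (word >> 12) & 0xF
    rm = word & 0xF
    shift_imm = (word >> 7) & 0x1F
    shift = SHIFT_NAMES[(word >> 5) & 0x3]
    operand2 = f"R{rm},{shift}#{shift_imm}"
    mnem = DP_MNEMONICS[opcode]
    if 0x8 <= opcode <= 0xB:                    # TST/TEQ/CMP/CMN: no destination
        return f"{mnem} R{rn}, {operand2}"
    if s_bit:
        mnem += "S"
    if opcode in (0xD, 0xF):                    # MOV/MVN: no first operand
        return f"{mnem} R{rd}, {operand2}"
    return f"{mnem} R{rd}, R{rn}, {operand2}"


if __name__ == "__main__":
    # Constructed dump: padding, then a header for a locked phone that has
    # booted an unsigned image once (tampered set), then more padding.
    dump = b"\xff" * 0x40 + build_header(0, 1, 0) + b"\x00" * 0x20
    print(describe_state(find_aboot_header(dump)))
    for cpu_id in (bytes.fromhex("007950E1"), bytes.fromhex("007910E1")):
        print(cpu_id.hex(" "), "->", decode_cpu_id_word(cpu_id))
```

Running it prints the state of the constructed header and then the same two disassemblies the post lists, CMP and TST of R0 against R0 shifted left by 18; the decoder ignores the Rd field for the compare forms, which is why the word still reads as a plain CMP even though that field is not zero.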

#2 Deonix (Devices: Motorola Defy, Acer S500)
Thanks for the idea. I will talk to a forum member that knows coding and has a 1 type. Maybe we can crack it. I saw that a hardbrick mode was found in order to flash everything back again to proper use if you, let's say, installed something that didn't cut it. There are actually 2 reasons why the development on unlocking the bootloader is not working:
1. There are no Acer S500 left in Romania. If you break it and it still falls under warranty they will not replace it with another S500 but a similar spec'd phone... which does not exist.
2. We lack developing skills.


#3 zelea2 (Devices: Acer S500)
OK, since nobody volunteered for some code writing I did it in the end...
So I've explored method one which seems to work.

Here is what I've done. I have mimicked a kernel image but only
my little ARM code is executed. I have included the sources so you can see I don't do anything sinister.
The bootloader loads the kernel in RAM at address 0x80208000 and passes execution at that address without
erasing itself from memory. I'm searching in the bootloader space the partition table copy, a printf function
and a write_aboot function which actually writes the copy to flash. Once I've found all these I simply let
the bootloader functions do the work and unlock the phone.

There are 2 images included: test-only which only searches for functions and if everything is found it
prints the addresses and some messages; the unlock-cloudmobile is the real thing.

I have already tried it on my phone and it seems to work but my phone is already unlocked.
So just run 'fastboot boot test-only.img' first. This image doesn't change anything in your
phone, it just prints its status. If all the messages are displayed then you can try the unlock code
with 'fastboot boot unlock-cloudmobile.img'. You will have to take the battery out after this because
I haven't bothered to understand how to read buttons or restart the bootloader, so I simply halt
the processor once I'm done.

The function search is very generic so this should work on all CloudMobile phones regardless
of CPU or firmware version.

Please report any success and if this works you owe me a beer.


#4 paugustin (Devices: Acer Liquid E2)
I don't own a locked CloudMobile but what you did is awesome man!


#5 Shreps (Devices: Samsung GT-i9100 & Acer S500)
Very good job done here :)
Hope it will help for locked phones


#6 Namuhk2k (Devices: Acer CloudMobile S500)
I'll try it when I get home, left my USB cable there. Will report back after I try.
If it works just give me a PayPal account and you will get a beer, at least from me... ;)


#7 mausyui (Devices: S500)
Hello, I have tried "fastboot boot test-only.img" from fastboot but it hangs at "waiting for device"... should it be something like "fastboot -i 0x0502 boot test-only.img"?
And count me in for a beer.. :D

Edited by mausyui, 06 June 2013 - 10:55 AM.


#8 davidevinavil (Devices: Acer Liquid Metal)

hello ,i have tryed "fastboot boot test-only.img" from fastboot but it hangs at waiting for device ... should it be something like "fastboot -i 0x0502 boot test-only.img" ?
and count me in for a beer .. :D

what's your operative system on pc?


#9 mausyui (Devices: S500)
w7


#10 davidevinavil (Devices: Acer Liquid Metal)
Sorry, didn't read your post fully.. Yes, you must type 'fastboot -i 0x0502 boot boot-what-you-need.img'

Edited by davidevinavil, 06 June 2013 - 11:15 AM.


#11 razvankim (Devices: Samsung Galaxy SIII I9300)
How do I flash those images? A tutorial please xD


#12 zelea2 (Devices: Acer S500)
You do not flash anything on your phone, just execute some code. On windows you need the -i 0x0502 switch so:

'fastboot -i 0x0502 boot test-only.img'

See if all the functions have an address and it says at the end
'Your phone appears to be ready to be unlocked'; then take the battery out,
get back into fastboot, then

'fastboot -i 0x0502 boot unlock-cloudmobile.img'

and then take the battery out again. At this point your phone should be unlocked.


#13 mausyui (Devices: S500)
I think it worked :)

Thank you!!

Edited by mausyui, 06 June 2013 - 11:27 AM.


#14 razvankim (Devices: Samsung Galaxy SIII I9300)
Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal, I flashed unlock-cloudmobile.img..
After this I ran test-only.img again and it said that your phone is already unlocked.

So I can flash CM 10?


#15 razvankim (Devices: Samsung Galaxy SIII I9300)
I have something like this:

'printf' fond at address 88f146ad
'write_aboot' found at adress 88f12259

Unlocked:1
Tampered: 1
Reset Counter: 0

Your phone is already unlocked

Done
please remove battery and power cycle the phone ( power cycle ? )


#16 davidevinavil (Devices: Acer Liquid Metal)
razvankim wrote:
> Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal, I flashed unlock-cloudmobile.img..
> After this I ran test-only.img again and it said that your phone is already unlocked.
>
> So I can flash CM 10?

yes


#17 razvankim (Devices: Samsung Galaxy SIII I9300)
Yeah, but I tried to flash CWM recovery and I got an error...


#18 davidevinavil (Devices: Acer Liquid Metal)
razvankim wrote:
> Yeah, but I tried to flash CWM recovery and I got an error...

You can't flash with fastboot,
just 'fastboot -i 0x0502 boot cwm.img'


#19 razvankim (Devices: Samsung Galaxy SIII I9300)
Oh... and how can I make CWM Recovery always be there?

I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

Edited by razvankim, 06 June 2013 - 11:55 AM.


#20 zelea2 (Devices: Acer S500)
You cannot flash individual partitions on JB. Only the bin container is accepted, so you should
use the merged_acer_fw utility I've made to construct a .bin from just the partition you
want to flash. You need to have the correct parameter_list.txt file and the "official" names for
partitions (in this case 'recovery.img').

Your phone is unlocked though.
