
Possible ways to unlock 8260a-1



Guest zelea2

There are 2 very probable working ways to unlock the -1 based CPUs.

    88F3BDF8 aAndroidBoot    DCB "ANDROID-BOOT!",0
    88F3BE06                 DCB 0, 0
    88F3BE08 var_unlocked    DCD 0
    88F3BE0C var_tampered    DCD 0
    88F3BE10 var_reset_cnt   DCD 0

Above is the layout of the partition table start; this is a copy from memory.

From what I can see this phone has no real fuses. If you compare the CPU-IDs, which is a number stored at offset 0xDC from base 0x80000930, you have:

    00 79 50 E1    CMP R0, R0,LSL#18    "8260a-3"
    00 79 10 E1    TST R0, R0,LSL#18    "8260a-1"

Now this might be a coincidence, but these numbers also decode as the above ARM instructions, so my guess is that the processor might just have 2 versions of masked ROM code and they distinguish between them with the comparison of an instruction from this ROM (the primary boot).

The "unlocked" variable is a plain flash location. So any method which will write a non-zero value at offset 0x10 from the flash partition table will unlock your phone. The "tampered" variable, which only has a meaning in RAM, is set when the phone is locked and the kernel doesn't have or doesn't pass the X509 certificate check.

First possible way to unlock the device is by using this loophole which allows any phone to boot from an unsigned kernel via the UART_DM protocol. This phone has a bootloader based on lk, the (L)ittle (K)ernel based Android bootloader, and when you issue the command 'fastboot boot some.img' you are actually sending the image via the USB line (UART_DM) and the bootloader happily runs it, but sets the tampered variable. Now if one makes an image and copies just the subroutines from the leaked fw which do the "oem unlock", makes a "kernel" image out of it (with the abootimg utility) and then runs it with the fastboot command, it will mark the partition as unlocked.

If one wants to trace what the phone is doing at early stages, the stock bootloader also accepts the 'oem debug on/off' command which will toggle logging messages in the misc partition.

This unlock can only happen at the bootloader stage because by the time you have booted the kernel (or the recovery, which is also a kernel) you cannot see the partition table anymore, just the partitions.

The second obvious mode to unlock the phone is via JTAG. When the phone is manufactured the flash is blank. The flash is an eMMC device, which is a chip that has both a controller and a flash memory in it and conforms to JEDEC specifications. So all the JTAG capable devices on the board must be daisy chained to a JTAG connector. Using a JTAG programmer and knowing the eMMC type one should be able to read and write any location of the flash. Write a 1 at offset 0x10 and you are done.

What I said here are just ideas for others to explore. I only have an unlocked "-3" phone so I don't plan to go any further.


Guest Deonix

Thanks for the idea. I will talk to a forum member that knows coding and has a -1 type. Maybe we can crack it. I saw that a hardbrick mode was found in order to flash everything back again to proper use if you, let's say, installed something that didn't cut it. There are actually 2 reasons why the development on unlocking the bootloader is not working: 1. There are no Acer S500 left in Romania. If you break it and it still falls under warranty they will not replace it with another S500 but a similarly spec'd phone... which does not exist. 2. We lack developing skills.


Guest zelea2

OK, since nobody volunteered for some code writing I did it in the end...

So I've explored method one, which seems to work.

Here is what I've done. I have mimicked a kernel image but only my little ARM code is executed. I have included the sources so you can see I don't do anything sinister.

The bootloader loads the kernel in RAM at address 0x80208000 and passes execution to that address without erasing itself from memory. I'm searching in the bootloader space for the partition table copy, a printf function and a write_aboot function which actually writes the copy to flash. Once I've found all these I simply let the bootloader functions do the work and unlock the phone.

There are 2 images included: test-only, which only searches for the functions and, if everything is found, prints the addresses and some messages; unlock-cloudmobile is the real thing.

I have already tried it on my phone and it seems to work, but my phone is already unlocked.

So just run 'fastboot boot test-only.img' first - this image doesn't change anything in your phone, it just prints its status. If all the messages are displayed then you can try the unlock code with 'fastboot boot unlock-cloudmobile.img'. You will have to take the battery out after this because I haven't bothered to understand how to read buttons or restart the bootloader, so I simply halt the processor once I'm done.

The function search is very generic so this should work on all CloudMobile phones regardless of CPU or firmware version.

Please report any success, and if this works you owe me a beer.
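An added example, written for this thread and not zelea2's code nor any Acer tool: a read-only Python decoder for the header layout from the first post, covering the part of the test-only image that locates the "ANDROID-BOOT!" copy in a dump of bootloader memory and reports the unlocked/tampered/reset-counter words. It assumes the DCD words are little-endian u32 values and runs on a constructed dump; the takeaway is the one from the first post, that the lock state is an ordinary word in flash with no fuse behind it, so the lock is only as strong as the access control on that location.

```python
import struct

# Header layout from the thread's listing at 0x88F3BDF8 (offsets from the magic):
#   +0x00 DCB "ANDROID-BOOT!",0 (14 bytes)   +0x0E DCB 0, 0 (2 pad bytes)
#   +0x10 DCD var_unlocked   +0x14 DCD var_tampered   +0x18 DCD var_reset_cnt
# Assumption (not stated on the page): the DCD words are little-endian u32.
MAGIC = b"ANDROID-BOOT!\x00"
PAD = b"\x00\x00"
FIELDS = struct.Struct("<III")


def find_partition_table(dump, base):
    """Locate the first well-formed header in a raw memory dump.

    dump: bytes copied from bootloader memory; base: address of dump[0].
    Returns (address_of_magic, {"unlocked", "tampered", "reset_cnt"}) or None.
    A magic string not followed by the two zero pad bytes is treated as a
    false hit (e.g. the same string inside code or a log) and the search goes on.
    """
    off = dump.find(MAGIC)
    while off != -1:
        pad_at = off + len(MAGIC)
        end = pad_at + len(PAD) + FIELDS.size
        if end <= len(dump) and dump[pad_at:pad_at + len(PAD)] == PAD:
            unlocked, tampered, reset_cnt = FIELDS.unpack_from(dump, off + 0x10)
            return base + off, {"unlocked": unlocked, "tampered": tampered,
                                "reset_cnt": reset_cnt}
        off = dump.find(MAGIC, off + 1)
    return None


def describe(fields):
    """Summarise the lock state the way the thread's test-only image reports it."""
    if fields["unlocked"] != 0:
        return "Your phone is already unlocked"
    if fields["tampered"] != 0:
        return "locked; an unsigned image was booted (tampered flag set)"
    return "locked"


# Constructed sample dump (not a real capture): a decoy magic without pad bytes,
# then the real header at base+0xF8 so that it lands at 0x88F3BDF8.
SAMPLE_BASE = 0x88F3BD00
SAMPLE_DUMP = (b"\xff" * 0x40 + MAGIC + b"AB" + b"\xff" * (0xF8 - 0x40 - 16)
               + MAGIC + PAD + FIELDS.pack(0, 1, 0) + b"\x00" * 16)

if __name__ == "__main__":
    hit = find_partition_table(SAMPLE_DUMP, SAMPLE_BASE)
    print("%08x" % hit[0], hit[1], describe(hit[1]))
```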


Guest Namuhk2k

I'll try it when I get home, left my USB cable there. Will report back after I try.

If it works just give me a PayPal account and you will get a beer, at least from me... ;)


Guest mausyui

Hello, I have tried "fastboot boot test-only.img" from fastboot but it hangs at "waiting for device"... should it be something like "fastboot -i 0x0502 boot test-only.img"?

And count me in for a beer.. :D


Guest davidevinavil

> Hello, I have tried "fastboot boot test-only.img" from fastboot but it hangs at "waiting for device"... should it be something like "fastboot -i 0x0502 boot test-only.img"?
>
> And count me in for a beer.. :D

What's your operating system on the PC?


Guest davidevinavil

Sorry, didn't read your post fully.. Yes, you must type fastboot -i 0x0502 boot boot-what-you-need.img


Guest zelea2

You do not flash anything on your phone, you just execute some code. On Windows you need the -i 0x0502 switch, so:

    fastboot -i 0x0502 boot test-only.img

See if all the functions have an address and it says at the end 'Your phone appears to be ready to be unlocked', then take the battery out, get back into fastboot, then:

    fastboot -i 0x0502 boot unlock-cloudmobile.img

and then take the battery out again. At this point your phone should be unlocked.


Guest razvankim

Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal, I flashed unlock-cloudmobile.img..

After this I ran test-only.img again and it said "Your phone is already unlocked".

So can I flash CM 10?


Guest razvankim

I have something like this:

    'printf' fond at address 88f146ad
    'write_aboot' found at adress 88f12259
    Unlocked:1
    Tampered: 1
    Reset Counter: 0
    Your phone is already unlocked
    Done
    please remove battery and power cycle the phone

(power cycle?)


Guest davidevinavil

> Tried. First I ran test-only.img, it showed me some print, dunno.. after that I got to the real deal, I flashed unlock-cloudmobile.img..
>
> After this I ran test-only.img again and it said "Your phone is already unlocked".
>
> So can I flash CM 10?

Yes.

Guest davidevinavil

> Yeah, but I tried to flash CWM recovery and I got an error...

You can't flash with fastboot, just:

    fastboot -i 0x0502 boot cwm.img


Guest razvankim

Oh... and how can I make CWM Recovery always be there?

I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?


Guest zelea2

You cannot flash individual partitions on JB. Only the bin container is accepted, so you should use the merged_acer_fw utility I've made to construct a .bin from just the partition you want to flash. You need to have the correct parameter_list.txt file and the "official" names for partitions (in this case 'recovery.img').

Your phone is unlocked though.


Guest davidevinavil

> Oh... and how can I make CWM Recovery always be there?
>
> I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

Flashing CM10 is completely safe.. if it doesn't boot just flash an Acer update.zip, you can find it on MoDaCo.


Guest zelea2

> I'm a little bit scared of bricking my phone if I flash CM10.. are there any chances to brick?

There are no chances to brick your phone if you just flash the recovery, because the recovery is loaded instead of the Linux kernel so your fastboot is still there.

Just get the xxx_1.bin you've used to last flash your system; do a 'merged_acer_fw -x xxx_1.bin' to extract the parameter_list.txt, then only keep that file and rename your CWM recovery as recovery.img; run again 'merged_acer_fw -c some_name.bin recovery.img' (the parameter file is included automatically); in the end just 'fastboot bin some_name.bin' and only your recovery partition will be flashed.
