The San Diego hacking topic - root progress etc.


Guest PaulOBrien

Guest ben1066

Looking at the updater-script fairly sure the IFWI is the whole IFWI.zip


intel.write_IFWI_BIN("Firmware/IFWI.zip", 3);
intel.wipe_partition("/logs");

As far as I can see the IFWI seems to be the bootloader or something, if we can flash the engineering IFWI we may be able to get around the brick on flash issue. That said the radio has some references to security, so the wall could be there, and we don't have the engineering radio:


---------------------------DESCRIPTION OF DEFINES-----------------------------
------------------NOT WHAT THE CODE IS ACTUALLY COMPILED WITH-----------------

DEFAULT_UNLOCKED                  # Initial state of sec layer is unlocked
FULL_DOWNLOAD_HASH_CHECK          # Perform full hash check after download
EEP_DOWNLOAD_HASH_CHECK           # Also check hash of static eep
SECURITY_EPOCH_CHECK_ON           # Must test security epoch
SEC_ENABLED                       # Enable the security layer
ALLOW_SKIP_VERSION_CHECK          # Allow skip of version check
UPDATE_WITH_SAME_VERSION_ALLOWED  # Allow reprogramming of same version
EBL_SEC_VERSION=1           # Define version (epoch) of the security layer
IFX_KEYS                          # Use Infineon keys
CUST_KEYS                         # Use Customer keys

#platform related defines

XGOLD618                           # Platform
UTA_PLATFORM_XMM6180               # UTA platform
SERIAL_USIF1                       # Only compile with USIF support
BOOTCORE                           #
EBL_RAM                            # Target is EBL
CRYPTO_SGOLD_SW                    # Use software crypto
CRYPTO_SGOLD_HW                    # Use hardware crypto
C_DEFINES += CHIP_REV_ES2          # Used to switch between ES1 and ES2 hw

EBL_MAJOR_VER=10         # Ebl major version
EBL_MINOR_VER=0             # Ebl minor version

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

-D __HWREG_INLINE__="static __inline" --cpu ARM1176JZ-S --apcs /interwork -c -g --bss_threshold=0 --enum_is_int -O0 --unix_depend_format
-D PSI_ENHANCED_RPSI_PROTOCOL
-D SECURITY_LEVEL_CERTIFICATE
-D SEC_ENABLED
-D EXTRAM_SELFTEST
-D Nymonyx_LPDDR_SDRAM_256
-D RAM_EBU_CLK_195M_ASYNC
-D ROM_Nymonyx_Flash_ADMUX_512
-D ROM_Nymonyx_Flash_AADMUX_512
-D ROM_Spansion_Flash_AADMUX_S29XS256R
-D ROM_Samsung_Flash_ADMUX_512
-D XGOLD626
-D PROJECTNAME=OCEAN
-D BOARD_OCEAN
-D UTA_PLATFORM_XMM6260
-D BOARD_OCEAN_MODEM
-D BOOT_INTERFACE_NOR
-D BOOTCORE
-D ALLOW_SKIP_VERSION_CHECK
-D UPDATE_WITH_SAME_VERSION_ALLOWED
-D EBL_SEC_VERSION=1
-D SEC_PACK_VALIDATION
-D EBL_RAM
-D IFX_KEYS
-D EBL_DEBUG
-D EPOCH=1
-D EBL_MAJOR_VER=20
-D EBL_MINOR_VER=21
-D PROJECT_VERSION_NAME=SUNRISE
-D EBL_RAM
-D INCLUDE_EBU_SETUP_DATA
-D INCLUDE_CFI_SETUP_DATA
-D SEC_ENABLED
-D PCL_EBU_MUX_PRESENT
-D SEC_PACK_VALIDATION
-D SERIAL_MIPI_HSI
-D SERIAL_USIF1
-D SERIAL_USIF2
-D SERIAL_USIF3
-D FEAT_POW_EBU_MAX_FREQ_195
-D NVM_BOOT_READER
-D NVM_ON_NOR
-D _512MBIT_FLASH
-D NVM_XMM6260

Edited by ben1066
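
Added example (not part of ben1066's post, and not code from the radio image): a short Python audit that checks which of the security defines described in the listing above actually appear among the quoted -D flags. It assumes the comment text in the "DESCRIPTION OF DEFINES" block, which names XGOLD618, still describes the same defines in the XGOLD626 build; the function names are made up for the example.

```python
import re

# Security-related defines and their meanings, copied from the
# "DESCRIPTION OF DEFINES" listing in the post above.
DESCRIBED = {
    "DEFAULT_UNLOCKED": "Initial state of sec layer is unlocked",
    "FULL_DOWNLOAD_HASH_CHECK": "Perform full hash check after download",
    "EEP_DOWNLOAD_HASH_CHECK": "Also check hash of static eep",
    "SECURITY_EPOCH_CHECK_ON": "Must test security epoch",
    "SEC_ENABLED": "Enable the security layer",
    "ALLOW_SKIP_VERSION_CHECK": "Allow skip of version check",
    "UPDATE_WITH_SAME_VERSION_ALLOWED": "Allow reprogramming of same version",
    "EBL_SEC_VERSION": "Define version (epoch) of the security layer",
    "IFX_KEYS": "Use Infineon keys",
    "CUST_KEYS": "Use Customer keys",
}

# Excerpt of the -D flags quoted in the post (security-relevant lines only).
FLAGS = """
-D __HWREG_INLINE__="static __inline" --cpu ARM1176JZ-S --apcs /interwork -c -g
-D SECURITY_LEVEL_CERTIFICATE
-D SEC_ENABLED
-D ALLOW_SKIP_VERSION_CHECK
-D UPDATE_WITH_SAME_VERSION_ALLOWED
-D EBL_SEC_VERSION=1
-D SEC_PACK_VALIDATION
-D IFX_KEYS
-D EBL_DEBUG
-D EPOCH=1
-D SEC_ENABLED
"""

def parse_defines(text):
    """Return {name: value or None} for every -D NAME[=VALUE] token."""
    out = {}
    for name, value in re.findall(r'-D\s+(\w+)(?:=("[^"]*"|\S+))?', text):
        out[name] = value.strip('"') if value else None
    return out

def audit(text):
    """Split the described defines into set/unset and list the rest."""
    defs = parse_defines(text)
    return {
        "set": sorted(n for n in DESCRIBED if n in defs),
        "unset": sorted(n for n in DESCRIBED if n not in defs),
        "undescribed": sorted(n for n in defs if n not in DESCRIBED),
    }
```

Run over the quoted flags, the "unset" list contains SECURITY_EPOCH_CHECK_ON, FULL_DOWNLOAD_HASH_CHECK and EEP_DOWNLOAD_HASH_CHECK, while ALLOW_SKIP_VERSION_CHECK and UPDATE_WITH_SAME_VERSION_ALLOWED are in "set". That only says what is in the string list, not what the running code enforces.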

Guest i am not a hacker

You know the X900 update, what does it do? Does it debrand the phone from Orange? How do I do it, and will I still be able to make calls and texts on Orange?

You will be able to do all of the tasks such as texting and browsing, but this ROM is stock Android from the Lava Xolo X900. So you can call and text on Orange.


It's damn slow to download from 115.com in the UK. 150KB/s.

Yep, I've been downloading for at least an hour now. You're lucky, I am not getting above 100KB/s, on average I am getting 30KB/s :lol:


In fact I think you're stealing my bandwidth, I am down to around 20KB/s average :lol:

Normally I would just give up at that speed, but 92% complete, just got to keep going.

It seems Paul is away, that is what I gather from Twitter.

Edited by Guest

Guest rickywyatt

I looked up all of the specs and it looks the same as ours apart from the bigger screen. I was thinking, as we have now got the Xolo 2.3.7, we could try to flash just the boot.bin from the ICS and see if it boots. If it doesn't, we can flash the Xolo 2.3.7 boot.bin.


Guest rickywyatt

What Paul was saying was that kboot.bin is the bootloader.


Guest ben1066

Hm, fair enough then, back to wondering what the hell IFWI is, Intel Firmware W(something) Image? The radio certainly seems to handle some of the security functions though.


Guest ben1066

Hmm, comparing the files from the K800 and the OSD, they are very similar. For example SUNRISE_SMB_REV30_V2_1223.B_signed_MIPI_HSI_USIF_V2.21.fls from the Lenovo and radio.bin appear to be equivalent, and also with the same defines, indicating that at least they should be compatible.

ifwi_firmware_PR33_DV15_DV2.bin appears to be very close to the Lenovo IFWI for the D1 device (indicated by strings). The other two are for the C0 device, I am not sure which the OSD is. The same seems to apply to the DNX files.

The build.prop files also go further to indicate that they are underneath damn near identical. They both have ro.build.product=mfld_pr2. ro.build.description=mfld_pr2-eng 4.0.4 AZ210A_ICS_01.01I eng.svnadmin.20120425.072556 test-keys as in the OSD and ro.build.description=mfld_pr2-user 4.0.4 IMM76D K800_1_S_2_162_0054_120717 release-keys as in the Lenovo are also very similar. Interestingly the Lenovo leak is actually a regular ROM and not an engineering build.

Edited by ben1066

What I worry about is the K800 has a bigger screen, so if I flash the boot.bin what will it do to our screen lol

Screen size does not matter if resolution is same, what is resolution of k800?

edit: 720x1280 so yeah different

Edited by Guest

Ok ricky, uploading.......

Ah s***, I have a free account, the file is too big, anyone know where I can upload a large file for free?

Edited by Guest

Guest ben1066

Hmm, comparing the files from the K800 and the OSD, they are very similar. For example SUNRISE_SMB_REV30_V2_1223.B_signed_MIPI_HSI_USIF_V2.21.fls from the Lenovo and radio.bin appear to be equivalent, and also with the same defines, indicating that at least they should be compatible.

ifwi_firmware_PR33_DV15_DV2.bin appears to be very close to the Lenovo IFWI for the D1 device (indicated by strings). The other two are for the C0 device, I am not sure which the OSD is. The same seems to apply to the DNX files.

The build.prop files also go further to indicate that they are underneath damn near identical. They both have ro.build.product=mfld_pr2. ro.build.description=mfld_pr2-eng 4.0.4 AZ210A_ICS_01.01I eng.svnadmin.20120425.072556 test-keys as in the OSD and ro.build.description=mfld_pr2-user 4.0.4 IMM76D K800_1_S_2_162_0054_120717 release-keys as in the Lenovo are also very similar. Interestingly the Lenovo leak is actually a regular ROM and not an engineering build.

Reposting because I edited my previous post :)
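
Added example (not part of ben1066's post): the build.prop comparison described above, done in Python. The two excerpts are constructed from the values quoted in the post; the field layout of ro.build.description (product-variant, release, build id, incremental, tags) follows the standard Android build convention, and the function names are made up for the example.

```python
from collections import namedtuple

Desc = namedtuple("Desc", "product variant release build_id incremental tags")

# Constructed build.prop excerpts using only the values quoted in the post.
OSD_PROP = """\
# constructed excerpt (OSD)
ro.build.product=mfld_pr2
ro.build.description=mfld_pr2-eng 4.0.4 AZ210A_ICS_01.01I eng.svnadmin.20120425.072556 test-keys
"""
K800_PROP = """\
# constructed excerpt (Lenovo K800)
ro.build.product=mfld_pr2
ro.build.description=mfld_pr2-user 4.0.4 IMM76D K800_1_S_2_162_0054_120717 release-keys
"""

def parse_build_prop(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_description(desc):
    """Split ro.build.description into its five standard fields."""
    parts = desc.split()
    if len(parts) != 5:
        raise ValueError("unexpected ro.build.description: %r" % desc)
    target, release, build_id, incremental, tags = parts
    product, _, variant = target.rpartition("-")
    return Desc(product, variant, release, build_id, incremental,
                tuple(tags.split(",")))

def compare(prop_a, prop_b):
    """Report shared and differing fields, and flag eng/test-keys builds."""
    a, b = (parse_description(parse_build_prop(p)["ro.build.description"])
            for p in (prop_a, prop_b))
    return {
        "same_product": a.product == b.product,
        "same_release": a.release == b.release,
        "differs": [f for f in Desc._fields if getattr(a, f) != getattr(b, f)],
        "non_production": [d.build_id for d in (a, b)
                           if d.variant != "user" or "test-keys" in d.tags],
    }
```

compare(OSD_PROP, K800_PROP) reports the same product and release, with only the OSD build (eng, test-keys) flagged as non-production.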


Guest rickywyatt

Ok ricky, uploading.......

Ah s***, I have a free account, the file is too big, anyone know where I can upload a large file for free?

Split the file in two with WinRAR.
