The San Diego hacking topic - root progress etc.


Guest PaulOBrien

Guest shootomanUK

People say in this thread that Paul has an engineering bootloader, but I can't find in this forum a link with him actually saying he has one?

Could someone point me in the right direction please?

Thanks

^_^

Edited by shootomanUK
Link to comment
Share on other sites

Been doing a little searching and apparently a zip file can be altered while retaining the checksum? Not found how to do it yet, but it seems there are ways, lol. Just thinking, if we can put the su binary in the update and retain all the checksums, MD5, SHA-1 or whatever ones are used, we would be able to flash the update with su.

Anyone heard of any method of retaining/restoring checksums?

Edit: after further investigation, it seems you can crack an MD5 hash for things I am not going to talk about for obvious reasons, let's just say the more criminal side of things. But as for editing an archive while retaining/restoring the original MD5 sum, well, I hit a brick wall there.

Edited by Guest
Link to comment
Share on other sites

Guest brit07

There must be a way to find what the key is from looking in the update.zip from Xolo? Surely it has to be there? And don't all Android ROMs sign in a similar fashion?

Link to comment
Share on other sites

Is a checksum based on the bytes of files in an archive?

If the answer is yes, let's say I could find exactly 0.93mb to remove from the archive, the exact size of the su binary, would that not = same checksum?

Also, is it a checksum as in MD5 or is this signature some sort of hash password?

It seems the only logical way we can root this device is if we can crack/fool the signature, surely not an impossible task? Greater things have been cracked.

This looks interesting: http://forum.xda-dev...ad.php?t=961648

Cert extracted from mmcblk0p10.img?

Edited by Guest
Link to comment
Share on other sites

Guest rickywyatt

Even if you change 1 byte it will break, so it won't install. If you look at CERT.SF you'll see:

Signature-Version: 1.0
Created-By: 1.0 (Android SignApk)
SHA1-Digest-Manifest: +4g7oZXBmfypibfV7SB1y/HdZ40=

Name: system/lib/libOMXVideoEncoderMPEG4.so
SHA1-Digest: 1vqkXc8P0tpUPNDRnUji0wv3Qjg=

Name: system/lib/libassd.so
SHA1-Digest: rlSMzBEaovyIlhR2mQ82MegPmAI=

Name: system/bin/netd
SHA1-Digest: FIS0Suy0R5XpyTHjeYJyszkIR+w=

Name: system/etc/permissions/android.hardware.sensor.accelerometer.xml
SHA1-Digest: 2wEa/9FPcNbDmbsyKNJp5TwVgOE=

Link to comment
Share on other sites
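
An added example (not code from any poster in this thread) of the digest chain that the CERT.SF listing above belongs to: each file's bytes are hashed into MANIFEST.MF, and CERT.SF records a hash of MANIFEST.MF, so swapping in a file of exactly the same size still fails verification. Assumptions: the file contents are constructed, the helper names are hypothetical, the per-entry lines of CERT.SF are left out, and the CERT.RSA signature over CERT.SF is not modelled.

```python
import base64
import hashlib
import io
import zipfile

def b64sha1(data: bytes) -> str:
    # Base64 of the raw SHA-1 digest, as written in MANIFEST.MF and CERT.SF.
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def make_manifest(files: dict) -> bytes:
    # One section per archive entry: its name and the digest of its bytes.
    body = "".join(f"Name: {n}\r\nSHA1-Digest: {b64sha1(d)}\r\n\r\n" for n, d in files.items())
    return ("Manifest-Version: 1.0\r\n\r\n" + body).encode()

def make_sf(manifest: bytes) -> bytes:
    # CERT.SF covers the whole manifest; the vendor's private key signs CERT.SF.
    return f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(manifest)}\r\n\r\n".encode()

def pack(files: dict, manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sf)
    return buf.getvalue()

def verify(zip_bytes: bytes) -> list:
    # Returns the failed checks; an empty list means every digest lines up.
    errors = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        wanted = f"SHA1-Digest-Manifest: {b64sha1(manifest)}\r\n".encode()
        if wanted not in z.read("META-INF/CERT.SF"):
            errors.append("CERT.SF no longer matches MANIFEST.MF")
        listed = {}
        for section in manifest.decode().split("\r\n\r\n"):
            if section.startswith("Name: "):
                name, digest = section.split("\r\n")
                listed[name[6:]] = digest
        for name in z.namelist():
            expected = f"SHA1-Digest: {b64sha1(z.read(name))}"
            if not name.startswith("META-INF/") and listed.get(name) != expected:
                errors.append(f"{name}: missing from or different to MANIFEST.MF")
    return errors

# Constructed sample contents; only the entry names come from the thread.
FILES = {"system/bin/netd": b"netd-binary-v1", "system/lib/libassd.so": b"libassd-v1"}
MANIFEST, SF = make_manifest(FILES), make_sf(make_manifest(FILES))
SAME_SIZE = {**FILES, "system/bin/netd": b"netd-binary-v2"}  # same length, one byte differs
```

Regenerating MANIFEST.MF for the changed file only moves the failure up one level to CERT.SF, and CERT.SF cannot be regenerated validly without the signing key.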

I get the impression Paul is back Tuesday, hopefully with your current progress he can throw in a few tips that may lead to new things :)

He says back Tuesday to seb404, so I can only assume he means back to UK/MoDaCo.

Edited by Guest
Link to comment
Share on other sites

Guest shootomanUK

Even if you change 1 byte it will break, so it won't install. If you look at CERT.SF you'll see:

Signature-Version: 1.0
Created-By: 1.0 (Android SignApk)
SHA1-Digest-Manifest: +4g7oZXBmfypibfV7SB1y/HdZ40=

Name: system/lib/libOMXVideoEncoderMPEG4.so
SHA1-Digest: 1vqkXc8P0tpUPNDRnUji0wv3Qjg=

Name: system/lib/libassd.so
SHA1-Digest: rlSMzBEaovyIlhR2mQ82MegPmAI=

Name: system/bin/netd
SHA1-Digest: FIS0Suy0R5XpyTHjeYJyszkIR+w=

Name: system/etc/permissions/android.hardware.sensor.accelerometer.xml
SHA1-Digest: 2wEa/9FPcNbDmbsyKNJp5TwVgOE=

Ricky, can I ask where you found the CERT.SF file?

Cheers

It's OK, I found it lol

But where is the osd ICS leak?

Cheers

Edited by shootomanUK
Link to comment
Share on other sites

Guest The Soup Thief

We need someone at Intel, Orange or Xolo to release their key and password, then we would be able to install what we like

Attention all disgruntled Intel, Orange and Lava employees - become Modaco legends in one easy leak...

reckon that should do it... [waits] ;)

Link to comment
Share on other sites

Guest rickywyatt

Ricky, can I ask where you found the CERT.SF file?

Cheers

It's OK, I found it lol

But where is the osd ICS leak?

Cheers

right here but don't flash the recovery.bin from it

Link to comment
Share on other sites

Guest rickywyatt

Is a checksum based on the bytes of files in an archive?

If the answer is yes, let's say I could find exactly 0.93mb to remove from the archive, the exact size of the su binary, would that not = same checksum?

Also, is it a checksum as in MD5 or is this signature some sort of hash password?

It seems the only logical way we can root this device is if we can crack/fool the signature, surely not an impossible task? Greater things have been cracked.

This looks interesting: http://forum.xda-dev...ad.php?t=961648

Cert extracted from mmcblk0p10.img?

No good to us as we can't dump any of the dev/block/ without root

Link to comment
Share on other sites

Guest rickywyatt

I'm sure I've had access to data/local before, so I could delete tmp. If we could, we could try this:

adb shell mv /data/local/tmp /data/local/tmp.bak

adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp

adb reboot

adb shell echo ro.kernel.qemu=1 > /data/local.prop

Link to comment
Share on other sites

Guest shootomanUK

I'm sure I've had access to data/local before, so I could delete tmp. If we could, we could try this:

adb shell mv /data/local/tmp /data/local/tmp.bak

adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp

adb reboot

adb shell echo ro.kernel.qemu=1 > /data/local.prop

I just get permission denied :huh:

Link to comment
Share on other sites

Guest shootomanUK

I think we need to wait for ICS now and have a bash at that, it seems them Chinese rooted ICS but not GB, so I think we might have a chance

Link to comment
Share on other sites

I'm sure I've had access to data/local before, so I could delete tmp. If we could, we could try this:

adb shell mv /data/local/tmp /data/local/tmp.bak

adb shell ln -s /dev/block/mmcblk0p8 /data/local/tmp

adb reboot

adb shell echo ro.kernel.qemu=1 > /data/local.prop

Even without using adb it is clear there is no access to data. Just download xplore from Market, it allows access to all of the system even without root. And I can access all folders with xplore except one, yep you guessed it, the data folder lol

Also, when you say they need to give us their KEY and password, do you mean testkey? The reason I ask is in system/etc/security/otacerts.zip is a file called testkey.x509.pem with a rather large amount of text which looks like a password?

It is possible there are answers in the system we have on our devices. They overlooked the fact that apps like xplore can access all root directories and even view inside zips in those directories or read text without root, lol

Edited by Guest
Link to comment
Share on other sites

Guest scuzzbucket

Is there a small chance that the method used for 2011 Xperia devices on ICS might be useful at all? The "android emulator trick" was used. Not sure exactly what that is, and someone's probably tried it, but might be another angle?

Edited by scuzzbucket
Link to comment
Share on other sites

Guest rickywyatt

No, I mean their release keys, which are stored in res/keys in the kernel, so no way to get hold of them lol. I use root explorer without the root lol. I can set the home page to

/data/fota

/data/system

/data/local/tmp

And see all that's inside those folders. With the Orange ROM I could remove ipth-muc.prop from data/fota, but not with the Xolo

So by the looks of it Xolo saw a hole there and blocked it

Link to comment
Share on other sites
