Jump to content

The San Diego hacking topic - root progress etc.

Guest PaulOBrien

By Guest PaulOBrien
in Orange San Diego Development

 Share

Recommended Posts

Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

Just reading through the (!) 60 pages of topic (i'm up to 35), once i'm caught up i'll interject anywhere I can help and maybe suggest some new things to look at.

rickywyatt has both the very latest ICS leak and the very oldest engineering leak I sourced (the one with the (possibly) Engineering kboot) so hopefully that's helpful.

P

  • Replies 1.7k
  • Created
  • Last Reply

Popular Days

Popular Days

Popular Posts

Guest PaulOBrien
Guest PaulOBrien

OK folks, so here's a round up of my findings on hacking the San Diego so far (with a view to getting root and perhaps ICS). If you have anything to add, please post below! Updated By Ricky Wy

Guest Rem1x
Guest Rem1x

Oh, it'll run ICS impressively. But don't take getting VID/PID as getting close, that's just like reading the back of your orange juice and finding out the oranges were made in Florida :P

Guest glossywhite
Guest glossywhite

Is that ORANGE part supposed to rub our faces in it? haha! :D

Posted Images

Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

Alright! Up to date on this thread! A few thoughts / replies...



07/29/12 22:02:32.153    INFO : Please select a flash file...

07/29/12 22:03:13.701    INFO : Flash file OK (C:/mflash/Leos-flash.xml)

07/29/12 22:03:14.398    0/0/8   #0: New device detected - SN : 324B076AA1D1B3E9

07/29/12 22:03:14.404    0/0/8   #0: IFW flash started - SN : 324B076AA1D1B3E9

07/29/12 22:03:21.108    0/0/8   #0: IFW flash success - SN : 324B076AA1D1B3E9

07/29/12 22:04:04.934    0/0/8   #0: Flashing OS

07/29/12 22:04:04.935    0/0/8   #0: fastboot -s 324B076AA1D1B3E9 oem system /sbin/PartitionDisk.sh /dev/mmcblk0

07/29/12 22:04:15.139    0/0/8   #0: [FAILURE] OS flash failure

07/29/12 22:04:15.140    INFO : Flash failure 0/1 (success/total) (Enumeration failure(s): 0)

[/CODE]






Nobody seems to have talked about this very much, but this looks to me like a way to run scripts from fastboot. I suspect (but can't check without a OSD) that PartitionDisk.sh is either in /sbin in the recovery image or (less likely) the main boot image.



Can we do 'fastboot oem system ls /' and see what the response is? There could be a possibility to do a system mount / copy su binary and chmod this way provided the installed system partition isn't signature checked? DEFINITELY worth investigating.






i got this some thing strange sdcard1 is -1 






[CODE]

#mount point   fstype   device                    device2                   size hint    flags and options...

/reserved      hidden   /dev/block/mmcblk0_none   none                      100

/factory       ext4     /dev/block/mmcblk0p1      none                      256

/system        ext4     /dev/block/mmcblk0p2      none                      767          rw noatime

/reserved      raw      /dev/block/mmcblk0p3      none                      1

/config        ext4     /dev/block/mmcblk0p5      none                      16           ro

/panic         raw      /dev/block/mmcblk0p6      none                      2

/sdcard        vfat     /dev/block/mmcblk0p7      none                      0

/data          ext4     /dev/block/mmcblk0p8      none                      2048          nosuid nodev fsck data=ordered,nodelalloc

/cache         ext4     /dev/block/mmcblk0p9      none                      1024          nosuid nodev fsck data=ordered,nodelalloc

/sdcard1       vfat     /dev/block/mmcblk1p1      /dev/block/mmcblk1        -1

There's not really anything mysterious around /sdcard1... it's just not mounting it. As soon as we have root we can mount the external SD.

Righto, hello guys. I've been speaking to someone who actually develops the firmware for the device, and he can't tell me any more but he has told me that:

1) The IFWI is the modem firmware for the device

2) The K800 and OSD use the same Intel CPU but a different modem so their IFWI is not compatible

3) Their user builds are labelled similarly to the leak we have, however instead of eng.release it's something like supk_user.release.mfld_pr2.BKB4OUK.devr3.i284

4) They do not use the tool to flash engineering firmware

Shame we can't get more out of this source... does he have access to any ICS supk_user.release.mfld_pr2 builds? Are there any user builds with the su binary onboard? If we can get access to a super-early user release maybe we can use an old exploit.

If you ask me the xolo 2.3.7 rom don't even give you access to data/local/tmp with the orange rom I had access to /data/local/tmp and /data/fota

I've seen this on a number of new ROMs from manufacturers, it's like a recommendation for tightening up tmp has come from Google / AOSP.

Ics was ready on 1st may ....they are spending months in patching

I have access to ~5 build servers for the device and new test / engineering ROMs drop several times a week!

P

Guest Konstipated Kiwi

Guest Konstipated Kiwi

Posted
Posted

Just a heads up, Orange has reduced the San Diego to £179.99 + £10 top up...

Also, you can get £45 cashback via Quidco on Orange PAYG phones over £140 (although the offer expires in two days).

Guest rickywyatt

Guest rickywyatt

Posted
Posted

I can flash the Engineering ifwi and Engineering dnx but still lost when it came to the Engineering bootloader

I found out there are 2 different Intel phones

pr2 and pr3

Intel must have are flasher as it seems the Chinese have a different fastboot to ares

I can also flash the Chinese ifwi and dnx witch I think is security software

Guest rickywyatt

Guest rickywyatt

Posted
Posted

Fastboot oem system ls /

FAILED remote : unknown reason

also if i add this fastboot -s 324B076AA1D1B3E9 oem system ls /

waiting for device

Guest rickywyatt

Guest rickywyatt

Posted
Posted

in the chinese flasher there is new fastboot so you dont have to enter fastboot -i 0x8087 every time

Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

Fastboot oem system ls /

FAILED remote : unknown reason

also if i add this fastboot -s 324B076AA1D1B3E9 oem system ls /

waiting for device

In 'Leos-flash.xml' there's no fastboot commands right?

In 'fastboot devices' does the serial number match?

P

Guest rickywyatt

Guest rickywyatt

Posted
Posted

In 'Leos-flash.xml' there's no fastboot commands right?

In 'fastboot devices' does the serial number match?

P

'Leos-flash.xml dont say anything about fastboot

C:\adb\flasher>fastboot devices

C:\adb\

Guest kabirsaini2011

Guest kabirsaini2011

Posted
Posted

Paul u seen the bootloader patch ???

Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

That's not even seeing your device then! :/

P

Guest rickywyatt

Guest rickywyatt

Posted
Posted

one min

C:\adb>fastboot devices

0123456789ABCDEF fastboot

Guest rickywyatt

Guest rickywyatt

Posted
Posted

C:\adb>fastboot -s 0123456789ABCDEF oem system ls /

...

FAILED (remote: unknown reason)

finished. total time: -0.000s

Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

C:\adb>fastboot -s 0123456789ABCDEF oem system ls /

...

FAILED (remote: unknown reason)

finished. total time: -0.000s

Hah, nice serial number. :P

OK, so the 'oem system' command either doesn't work, or doesn't work unless the device is in a 'special fastboot mode'... Does fastboot see the device when in 'medfield driver' mode?

P

Guest rickywyatt

Guest rickywyatt

Posted
Posted

with medfield i get

C:\adb>fastboot -s 0123456789ABCDEF oem system

< waiting for device >

Guest rickywyatt

Guest rickywyatt

Posted
Posted

dose this mean anything to you paul found it in /d/osip/decode and in the setup.sh you gave me



EADER:

sig			  = 0x24534f24

header_size	  = 0x68

header_rev_minor = 0x0

header_rev_major = 0x1

header_checksum  = 0x74

num_pointers	 = 0x3

num_images	   = 0x1

image0

os_rev			  =  0x0

os_rev			  = 0x0

logical_start_block = 0x9c41

ddr_load_address	= 0x1100000

entry_point		 = 0x1101000

size_of_os_image	= 0x3163

attribute		   = 0x00

reserved			= 000000

image1

os_rev			  =  0x0

os_rev			  = 0x0

logical_start_block = 0x1000

ddr_load_address	= 0x1100000

entry_point		 = 0x1101000

size_of_os_image	= 0x5001

attribute		   = 0x10

reserved			= 000000

image2

os_rev			  =  0x0

os_rev			  = 0x2

logical_start_block = 0x1

ddr_load_address	= 0x0

entry_point		 = 0x0

size_of_os_image	= 0xda

attribute		   = 0x04

reserved			= 000000

[/CODE]
Guest rickywyatt

Guest rickywyatt

Posted
Posted

this is what the Leos-flash.xml looks like 



<?xml version="1.0" ?><flashfile>    <id>K800_1_S_2_162_0054_120717</id> <comments>Racer-A windows download</comments> <platform>PVT1</platform> <code_groups>  <code_group name="FIRMWARE">		    <file TYPE="IFWI">    <name>IFWI_WW16_LE_PVT_ICS.bin</name>    <version>IFWI_VERSION</version>    <checksum></checksum>   </file>		    <file TYPE="FW_DNX">    <name>CLAK3signed_D1_FwDnX_FD.03.bin</name>    <version>FW_DNX_VERSION</version>    <checksum></checksum>   </file>   <file TYPE="OS_DNX">    <name>CLAK3signed_PNWD1OSDnX_OD.02.bin</name>    <version>OS_DNX_VERSION</version>    <checksum></checksum>   </file>	    </code_group>	    <code_group name="BOOTLOADER">   <file TYPE="KBOOT">    <name>kboot.bin</name>    <version>KBOOT_VERSION</version>    <offset></offset>    <fixed_size></fixed_size>    <checksum></checksum>   </file>  </code_group>	    <code_group name="KERNEL">   <file TYPE="KERNEL">    <name>boot.bin</name>    <cmdline></cmdline>    <version>KERNEL_VERSION</version>    <offset></offset>    <fixed_size></fixed_size>    <checksum></checksum>   </file>	    </code_group>	    <code_group name="SYSTEM">   <file TYPE="SYSTEM">    <name>system.tar.gz</name>    <version>SYSTEM_VERSION</version>    <offset></offset>    <fixed_size></fixed_size>    <checksum></checksum>   </file>  </code_group>	    <code_group name="MODEM">   <file TYPE="MODEM">    <name>SUNRISE_SMB_REV30_V2_1223.B_signed_MIPI_HSI_USIF_V2.21.fls</name>    <version>MODEM_VERSION</version>    <checksum></checksum>    <model>MODEM_MODEL</model>    <revision>MODEM_REVISION</revision>    <cmdline>MODEM_CMD_LINE</cmdline>   </file>	    </code_group> </code_groups>  <code_group name="USERDATAT"> <file TYPE="USERDATA">  <name>userdata.tar.gz</name>  <version>0</version>  <checksum></checksum>   <model></model>   <revision></revision>   <cmdline></cmdline>  </file>  </code_group></flashfile>

[/CODE]
Guest PaulOBrien

Guest PaulOBrien

Posted
Posted

Nothing useful there really.

Can you check 'fastboot devices' when in medfield mode? The flasher is clearly doing stuff by fastboot, so it must be accessible somehow and looks promising.

If you look at that shell script, kboot is being updated by 'update_osip --update 1 --image', the boot image by 'update_osip --update 0 --image'. I assume this runs on device and doesn't run without root though.

P

Guest rickywyatt

Guest rickywyatt

Posted
Posted

I booted into medfield mode

C://adb/ fastboot devices

C://adb

Guest ben1066

Guest ben1066

Posted
Posted (edited)

Sorry, regarding the previous source. They are working for a company called "borqs" that appear to develop the ROM for this device. I'm fairly sure he has said builds though he would like to keep his job.

Edited by ben1066
Guest domenico lamberti

Guest domenico lamberti

Posted
Posted

i have no idea what is going on in this thread anymore (way too complicated for my simple mind to understand) but i keep hitting F5 every few minutes, i dont even own an SD lol, thats how interested i am

Guest punjabi

Guest punjabi

Posted
Posted

i have no idea what is going on in this thread anymore (way too complicated for my simple mind to understand) but i keep hitting F5 every few minutes, i dont even own an SD lol, thats how interested i am

You're not alone! Haha.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept