
found hudl2 compatible flash tool via fastboot


Guest opensauce

http://androidxda.com/flash-stock-rom-using-intel-phone-flash-tool

 

I also have an Idea how to do full backup of existing partitions, possibly compare MD5 of flash and backup.

 

Needs a full backup before I sacrifice my Hudl2.

 

Next android studio has 64 bit baytrail atom images, a look in existing firmware files at drivers would give possibility of custom roms and 64 bit lollipop


Guest arnookie

Sounds good keep us updated please. :0)


Guest benzodiazepines

Wouldn't you need to bypass Tesco's locked down bootloader though? A look at the Android images is great but really we need to get a custom recovery installed on this thing.

 

It's a shame it's not a more popular device, if the devs at xda gave as much attention to the Hudl as they do to American locked down devices it'd be cracked by now.


Guest opensauce

There is talk of unreachable bios and I believe that from a stripped down bios with nothing on screen it then boots flash mount point.

 

There is lock down of baytrail bios to run only signed code (source Intel)

There are flags so processor will only run signed code.      (source Intel)

 

The dell venue 7 had bootloader unlock on open dell website-these files flash to 50% and fail-not a surprise, but no hard brick

 

uart on production devices is disabled (source intel)

 

Currently I found generic baytrail uefi installer

https://01.org/android-ia/downloads

 

I had hoped the intel uefi installer would boot from sd-card, sadly I haven't managed so far

 

I haven't taken my hudl2 apart, but if anyone can give me bios chip info that would be great.

 

I really wish tescos would release bootloader unlock, or at least run unsigned code from sd card with update ( after the usual YOUR WARRANTY IS VOID)

 

the hardware is comparable to nexus 7 2013 and a far better price point than the current nexus 9 for family use.

 

If anyone has any Ideas /suggestions it would be great to run various operating systems on this


Guest abell431

as a side note has anyone tried hdmi cable and ota cable with keyboard (in case key sequence opens bios in hdmi only)

how would we figure out the key sequence though


Guest opensauce

 Having spent hours and hours reading intel developer documents I have several ideas to share.

the baytrail tablet spec from intel states uefi or traditional bios is oem choice.

 

the unlocking on some tablets is via flashing tool which recognises hudl2 in fast boot mode

Some use otg and dual flash drives to boot and install unlocked bios.

 

My current thinking is to try either flash card with boot flag on or flash drive with boot flag and see if anything shows via hdmi (even an error code would be good)

 

Currently I don't have OTG cable yet

 

Allegedly there is insyde brand bios in hudl2, bios chip has been mentioned on pentest site-but no model

 

If the device contains insyde bios then there are various bios mod tutorials, possibly the bios could be pulled from chip and compared with unlocked version on same model chip.

 

It is of course possible the bios is stripped out to run only to signed code and mount point-with no GUI.

 

Ideally I'd like to run Linux Mint via sd card and leave flash untouched android.

 

All ideas and suggestions to try and further opening hudl2 software up - bit like a Rubik's cube puzzle

Edited by opensauce

Guest opensauce

My hudl2 has developed a seriously creaking case and I returned it for a refund, however my partners shocking pink one seems solid.

Mine was slate grey/black.

Also to consider

Uefi/boot/androidai.efi as Asus T100 which bypasses secure boot on T100

If anyone succeeds or makes progress in non destructive manner I can still assist ( as long as I don't kill a pink hudl2)


Guest BobNugget

If you want a Hudl BIOS image it's in the Hudl OTA files that were posted in the rooting thread - esp.img is a disk image which contains a UEFI image (BIOSUPDATE.fv). I don't know enough about UEFI to interpret it but I do have basic crypto knowledge and can see from the data that the NVRAM contains Tesco encryption keys, which would suggest to me that it's only going to boot Tesco signed code without a BIOS overwrite. I'm tempted to try running that OTA with a stock Bay Trail image instead of the UEFI image; but I've only got one Hudl 2 at the moment and don't want to brick it :)

Edited by BobNugget
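
Added example, not part of the original posts: a way to locate and sanity-check UEFI firmware volumes inside a file such as the BIOSUPDATE.fv mentioned above, using the standard PI firmware volume header layout (`_FVH` signature at offset 40, 16-bit header checksum). It assumes the file holds standard firmware volumes; the sample bytes are constructed, not taken from a Hudl image, and the function names are illustrative.

```python
import struct
import uuid

# Fixed part of EFI_FIRMWARE_VOLUME_HEADER (56 bytes): ZeroVector, FileSystemGuid,
# FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")
SIG_OFFSET = 40   # "_FVH" follows ZeroVector, FileSystemGuid and FvLength
CKSUM_OFFSET = 50

def word_sum(data):
    """16-bit sum of little-endian words; a valid header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def find_firmware_volumes(blob):
    """Return one dict per firmware volume header found anywhere in blob."""
    found = []
    pos = blob.find(b"_FVH")
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_HDR.size <= len(blob):
            (_zero, guid, fv_len, _sig, attrs, hdr_len,
             _ck, _ext, _rsvd, rev) = FV_HDR.unpack_from(blob, start)
            hdr = blob[start:start + hdr_len]
            ok = (hdr_len >= FV_HDR.size and hdr_len % 2 == 0
                  and len(hdr) == hdr_len and word_sum(hdr) == 0)
            found.append({
                "offset": start,
                "guid": str(uuid.UUID(bytes_le=guid)),  # GUIDs are stored mixed-endian
                "fv_length": fv_len,
                "attributes": attrs,
                "revision": rev,
                "checksum_ok": ok,
                "truncated": start + fv_len > len(blob),
            })
        pos = blob.find(b"_FVH", pos + 1)
    return found

def build_sample_volume(fv_len=0x1000):
    """Constructed test input: a header with one block-map entry, padded with 0xFF."""
    guid = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 GUID
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)  # one block, then (0,0) terminator
    hdr_len = FV_HDR.size + len(block_map)
    hdr = bytearray(FV_HDR.pack(bytes(16), guid, fv_len, b"_FVH", 0x0004FEFF,
                                hdr_len, 0, 0, 0, 2) + block_map)
    struct.pack_into("<H", hdr, CKSUM_OFFSET, (-word_sum(hdr)) & 0xFFFF)
    return bytes(hdr) + b"\xff" * (fv_len - hdr_len)

if __name__ == "__main__":
    sample = b"\x00" * 0x200 + build_sample_volume()  # volume at a non-zero offset
    for fv in find_firmware_volumes(sample):
        print(fv)
```

A hit with `checksum_ok` false is usually a stray `_FVH` string or a damaged header rather than a real volume.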

Guest opensauce

The intel phone flash tool will recognise fast boot mode, the flashing of generic bay trail uefi fails at 50%.

Without dissecting a hudl2 bios or uefi can be oem choice.

A broken hudl2 would be good as we could see alleged bios rom chip.

Currently I'm on an xperia z ultra, but will look at suggested image file.

Cheers


Guest opensauce

Interestingly the updates toggle gpio in a config file, i wonder if this enables flash writable?

https://www.dropbox.com/s/6dnvbdv93urwmxd/Insyde_Embedded_Secure_Boot.pdf

Now there is also Board Support Product, if you register with insyde and get access to baytrail support - needs non free email account.

Does any one have bootloader file?


Guest opensauce

Ideally a broken hudl2 to see bootloader chip model number and possibly find a data sheet.

From firmware update file config file I think the bootloader is write enabled during firmware update via gpio output.

I'm at point where a broken hudl2 to look at hardware would be great if someone can post chip model numbers etc.

Also if we have bootloader chip it may be possible to hot air rework it and read its contents - if anyone willing.


Guest welshblob


There's one with a broken screen on ebay with a starting bid of £19.99 at the moment. Do you have the skills/equipment to remove and read the bootloader chip? 


Guest opensauce

Hi I have solder station and have sot23 soldering experience. (built industrial control units in past)

What would really help is knowing model of bios chip mentioned in pentest teardown video.

If we know chip model it may be possible to buy chinese chip flasher or compatible chip.

I'm at the point that I would happily pay cash and return a dead hudl, but not prepared to disassemble £129 device and money down the pan.

Insyde you need a company and insyde recognition of valid developer to get access.

Intel have non disclosure agreement to get further information.

The bootloader unlocked with bios-mods.com as starting point as insyde bios are hackable.

Lastly thinking Fedora paid $99 to Microsoft to allow secure boot key, the T100 transformer tablet will boot fedora from sd card so I read.

Now if the bios has Microsoft keys, it may be worth trying fedora sd boot

I also have rooted rom on sd card to try.

Any other ideas?


Guest opensauce

http://www.insyde.com/press_news/press-releases/insyde%C2%AE-software-chosen-intel%C2%AE-cte-customers-windows%C2%AE-and-android%E2%84%A2-tablets

 

As a leading provider of UEFI BIOS to OEMs and ODMs, Insyde supports all of the key features and technologies required for Windows and Android tablets based on Intel “Bay Trail-T Entry” SoC, including UEFI Secure Boot, Android Secure Boot, FOTA, 2M SPI + eMMC BIOS split solution, and much more. Moreover, by leveraging InsydeH2O’s modular architecture, Intel CTE customers have easily applied customizations to build-in their unique product differentiation.

 

http://ww1.microchip.com/downloads/en/DeviceDoc/S71417_03.pdf table 5 I have seen the gpio toggled in firmware update file extracted from rooted rom paul provided


Guest opensauce

fwupdate_script.sh from hudl2

#!/system/bin/sh -e

sfile="/data/fwupdate.flag"
lfile="/data/pshfwupdate.log"
fwfile=$1

echo > $lfile

exec 1>>$lfile
exec 2>>$lfile

set -x
if [ $2 == force ]; then
     needupdate=1

elif [ -f $sfile ]; then
    echo "file" $sfile

    read flag value < $sfile
    echo "flag" $flag
    echo "value" $value

    if [ "$flag" == "update" ]; then
        if [ "$value" == "done" ]; then
            needupdate=0
        else
            needupdate=1
        fi
    else
        needupdate=1
    fi
else
    echo "file not exist"
    needupdate=1
fi

if [ $needupdate -eq 1 ]; then

    echo 0 > /sys/class/gpio/gpio59/value
    echo 1 > /sys/class/gpio/gpio95/value
    echo 0 > /sys/class/gpio/gpio95/value
    echo 1 > /sys/class/gpio/gpio95/value

    sleep 1

    echo "update firmware start"

    /system/bin/fwupdatetool -f $fwfile

    if [ $? -eq 0 ]; then
        echo "update firmware success"
        updatesuccess=1
    else
        echo "update firmware failed"
        updatesuccess=0
    fi

    echo 1 > /sys/class/gpio/gpio59/value
    echo 1 > /sys/class/gpio/gpio95/value
    echo 0 > /sys/class/gpio/gpio95/value
    echo 1 > /sys/class/gpio/gpio95/value

    sleep 1


    if [ -f $sfile ]; then
        rm $sfile
    fi

    if [ $updatesuccess -eq 1 ]; then
        echo "update done" > $sfile
    else
        echo "update failed" > $sfile
    fi

fi

exit 0
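
Added example, not part of the original post: a small static reading of the script above that lists which sysfs GPIO writes happen before and after the fwupdatetool call, and which pin ends each phase at a different level. The input is constructed by copying the relevant lines from the script; the function names are illustrative, and the script alone does not say what either pin is wired to.

```python
import re

# Constructed input: the GPIO and fwupdatetool lines copied from the script posted above.
SCRIPT = """\
echo 0 > /sys/class/gpio/gpio59/value
echo 1 > /sys/class/gpio/gpio95/value
echo 0 > /sys/class/gpio/gpio95/value
echo 1 > /sys/class/gpio/gpio95/value
sleep 1
/system/bin/fwupdatetool -f $fwfile
echo 1 > /sys/class/gpio/gpio59/value
echo 1 > /sys/class/gpio/gpio95/value
echo 0 > /sys/class/gpio/gpio95/value
echo 1 > /sys/class/gpio/gpio95/value
"""

GPIO_WRITE = re.compile(r"echo\s+([01])\s*>\s*/sys/class/gpio/gpio(\d+)/value")

def gpio_phases(script, marker="fwupdatetool"):
    """Split GPIO writes into those before and after the line containing marker."""
    phases = {"before": [], "after": []}
    phase = "before"
    for line in script.splitlines():
        if marker in line:
            phase = "after"
            continue
        m = GPIO_WRITE.search(line)
        if m:
            phases[phase].append((int(m.group(2)), int(m.group(1))))
    return phases

def pin_sequences(writes):
    """Map each pin number to the ordered list of values written to it."""
    by_pin = {}
    for pin, value in writes:
        by_pin.setdefault(pin, []).append(value)
    return by_pin

def level_changes(script):
    """Pins whose final level differs between the two phases: {pin: (during, after)}."""
    phases = gpio_phases(script)
    before = pin_sequences(phases["before"])
    after = pin_sequences(phases["after"])
    return {pin: (before[pin][-1], after[pin][-1]) for pin in before
            if pin in after and before[pin][-1] != after[pin][-1]}

if __name__ == "__main__":
    print(pin_sequences(gpio_phases(SCRIPT)["before"]))
    print(level_changes(SCRIPT))
```

Only gpio59 is left at a different level while the tool runs (0) than afterwards (1); gpio95 gets the same 1-0-1 pulse in both phases.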


Guest opensauce

releasekey.x509.pem

 


https://www.sslshopper.com/certificate-decoder.html

 

Certificate Information:
Common Name: Tesco PLC
Organization: Tesco PLC
Organization Unit: Tesco.com
Locality: Cheshunt
State: Hertfordshire
Country: GB
Valid From: August 5, 2013
Valid To: December 21, 2040
Issuer: Tesco PLC, Tesco PLC
Key Size: 2048 bit
Serial Number: f9ab0a57d8a3625b

Guest opensauce

http://forum.xda-developers.com/android/general/teclast-x98-air-3g-tablet-9-7-2048x1536-t2913035

Describes device I'm considering buying, process of how the intel flash tool works and I suspect could be used on hudl2 with similar process.

Question is is anyone brave enough to buy hudl2 and return it if it bricks it, or maybe a bricked hudl2 is the ideal candidate?

Edited by opensauce
