I have successfully used reverse USB tethering on a flipout. This method should be portable to other devices running the motorola android multi-device driver with usb0.
If you are comparing to any windows drivers, say that installed from the driver installer MSI when connecting a flipout and maybe other devices in 'portal' mode, the (windows) driver will be motousbnet. On linux, the driver is cdc_subset. However, this driver does not know how to bind to the motorola
1. Figure out the usb vendor id, product id, and interface class, interface subclass, and interface protocol of the networking interface. On the flipout, this is named the 'motorola networking interface'. On my device, it has these ids: 0x22b8, 0x41da, 0x02, 0x0a, 0x01. You can find these ids via exploring /sys/bus/usb on a linux system, or with the lsusb utility.
2. patch your cdc_subset driver to support the USB id and interface of the above device. You will need to inspect via lsusb or sysfs to setup a 'product' and 'driver info' structure in cdc_subset.c to select the correct interface and endpoints. The pertinent parts of my cdc_subset.c are as follows:
Code:
add to products
{
// Moto flipout usb
USB_DEVICE_AND_INTERFACE_INFO (0x22b8, 0x41da, 0x02, 0x0a, 0x01),
.driver_info = (unsigned long) &motousb_info,
},
add near other driver_infos:
static const struct driver_info motousb_info = {
.description = "Motorola USB endpoint",
.check_connect = always_connected,
.in=0x84, .out=0x03,
};
3. Doing such a mod and compiling yourself a new cdc_subset.ko, and installing that, will yield a usb driver that can talk to usb0 on your flipout. At this point, you just have to configure networking. I setup proxyarp on my LAN and usb0 interfaces, and set up some manual addresses and routes. Other options could be to add usb0 to a bridge, or do routing and DHCP, or routing + nat + DHCP. You'll probably need to netcfg rmnet0 down and setprop net.dns1 and net.rmnet0.dns1 your ips manually. Make sure you save your old dns. I'm not sure if that gets restored from carrier when you turn rmnet back on.
4. after all that, you should be online.
5. EDIT: all compiling and module installation steps noted above happen on the host PC, if that wasn't clear.
Work to follow:
use SL4A to automate usb0 bringup
interface with APNDroid to soft-down the 3g instead of nuking it the hard way. killing the radio process will get you back online, but thats effectively the same as resetting the baseband, so you'll need to re-unlock your SIM etc.
Thanks man! This is awesome. It worked on my Motorola Defy (same parameters) under Ubunutu.
Hi,
I thing this is what i am looking for, enable a motorola device (defy) to be a usb0 device with ubuntu so you can have an IP, and ssh easly with your droid (using vlc remote with usb cable). I realy appreciate this native feature with my old htc.
where is the cdc_subset.c ?
tkx
balek said:
Hi,
I thing this is what i am looking for, enable a motorola device (defy) to be a usb0 device with ubuntu so you can have an IP, and ssh easly with your droid (using vlc remote with usb cable). I realy appreciate this native feature with my old htc.
where is the cdc_subset.c ?
tkx
Click to expand...
Click to collapse
It's in the kernel source. -- You'll have to download the linux or kernel source package that matches the kernel you run on your ubuntu machine, modify your cdc_subset driver, rebuild it, and install it.
Learning things like the kernel build system and how to install a kernel module are exercises for the reader.
Good job! I'll try it once i get my Ubuntu installation up and running again ^_^
Defy and Debian USB network works partially...
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze , kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for 'out' endpoint. I tried all combinations and only 0x83/0x2 give a working ping between hosts. => Are the initial endpoints working (0x84/0x3) ?
See attached file for the complete listing, search 'SDX' to see where I patched.
When I plug the USB cable, the usb0 interface is brought up on linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transfered
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm me:
- that the transfer is working for him in both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da" to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch ?
Or simply it's a bug in scp or sshd on Defy ! I should try with something else like ftp or http...
I keep working on this topic...Thx for any clue !
sdxmob said:
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze , kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for 'out' endpoint. I tried all combinations and only 0x83/0x2 give a working ping between hosts. => Are the initial endpoints working (0x84/0x3) ?
See attached file for the complete listing, search 'SDX' to see where I patched.
When I plug the USB cable, the usb0 interface is brought up on linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transfered
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm me:
- that the transfer is working for him in both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da" to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch ?
Or simply it's a bug in scp or sshd on Defy ! I should try with something else like ftp or http...
I keep working on this topic...Thx for any clue !
Click to expand...
Click to collapse
Any news with defy ?
HI,
I am trying to interface the UVC Camera to the Samsung Galaxy Tab 10.1(GT-7510) , but I am not able to see the device node getting created in the shell( I have installed the Linux terminal Shell Application) and rooted the device using this Video .Can somebody plz tell/advice how I can achieve it and access the device Node or at-least get it created.
Following is the log on dmesg :
usb 1-1 new high speed USB device using tegra-ehci and address 97
hub 1-0:1.0 unable to enumerate USB device on port 1 ,
usb 1-1:device v0ac8 p3420 is not supported
On My Laptop I get this output on Dmesg :
[12307.364237] uvcvideo: Found UVC 1.00 device Venus USB2.0 Camera (0ac8:3420)
[12307.366108] input: Venus USB2.0 Camera as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1/2-1.1:1.0/input/input14
[12308.537059] usbcore: registered new interface driver snd-usb-audio
also i can see the camera getting blinked on connection which proves that it is getting the power-supply and getting connected with the system.
I think there is a support for UVC USB devices in the kernel (not sure) otherwise I am ready with the Kernel For Samsung Tab 10.1 (GT-7500 (Higher Version: GT-7510)) from here .(GT-P7500_MEA_Opensource.zip (requires Login).
Plz assist.
Rgds,
Softy
You seem to know a bit about what you're doing. I'm not really familiar with this device. I did a search and did not find anyone who has don't this yet. The first priority is to get a Linux device in /dev/ folder. This is generally handled by a device driver and a udev rule. Try the newer kernel if you can. The android 4.0 ics has a Linux 3.x kernel. See if switching to ics helps. Try compiling a custom kernel with all modules. Once you have a device, try using SSH or sftp from your desktop under Linux to stream from that device with vlc or another media player.
Do you have any examples of this device in use on mobile Linux? It may require writing an entire kernel driver.
HI,
Yes that is the same line of thinking for us as well.We are trying to compile the kernel and load it .- Ongoing
I believe only the zImage is the one which is to be flashed.But I am little scared to do this.Couldn't find the instructions to loading the Zimage even though I can compile one.
Rgds,
Saurabh
softy007 said:
HI,
Yes that is the same line of thinking for us as well.We are trying to compile the kernel and load it .- Ongoing
I believe only the zImage is the one which is to be flashed.But I am little scared to do this.Couldn't find the instructions to loading the Zimage even though I can compile one.
Rgds,
Saurabh
Click to expand...
Click to collapse
Flash it with Heimdall, even if it won't work you will be still able to get into download mode of bootloader (which you aren't supposed to flash) and reflash the kernel with stock one.
This thread is for the research, development and discussion of open source tools (initially Linux) to communicate with and utilize the various proprietary interfaces available on Qualcomm devices.
Initial development is centered around the MSM8660 and MSM8960 devices, but should be applicable to nearly any Qualcomm device which includes a modem and USB port. Older devices with a Serial port may also work. Components to be supported: DMSS Download Protocol (QDL mode), Streaming Download Protocol (EHostDL), and parts of other HDLC structured Qualcomm protocols.
An expanded description, examples, references, and test programs to follow shortly.
Goals
To provide a partial Open Source (Linux) replacement for QPST and QXDM
To enable the full recovery of various Android devices based on supported Qualcomm SoC's
To gain a better understanding of the underlying hardware in Qualcomm based Android devices
Change Log:
2013-01-06
Initial creation to consolidate OT discussions from other threads.
2013-01-07
Expanded description
Added external thread and web links
Added #QDL_Dev on IRC Freenode for open discussion
2013-01-28
Updated a few posts to correct prior mistakes.
Internal Thread Links
coming soon...
External Thread Links
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s) http://forum.xda-developers.com/showthread.php?t=1856327
Lots of important information and Qualcomm PDF's. Should be considered required reading. By E:V:A
[REF][R&D] Building Bootloaders on Qualcomm Devices http://forum.xda-developers.com/showthread.php?t=1978703
By E:V:A
[DEV][REF] El Grande Partition Table Reference http://forum.xda-developers.com/showthread.php?t=1959445
The definitive resource for device partition information. By E:V:A
No JTAG [SOLVED][JTAG,BRICK]SHV-E160L Korean model http://forum.xda-developers.com/showthread.php?t=1914359
R&D for unbricking/fully recovering a SHV-E160L and various helpful utilities. By Darkspr1te
External Web Links
Code Aurora Forum https://www.codeaurora.org/
Home to various Open Source projects related to Qualcomm technologies.
Gobi https://www.codeaurora.org/contribute/projects/gobi/
A Code Aurora Forum project fueled by Qualcomm which serves as a reference for these protocol implementations.
AnyClub Blog http://www.anyclub.org/
A blog with limited yet specific information regarding Qualcomm MSM, MDM, QRD and related products. Can get technical at times and references closed source and proprietary files/programs.
Join us for live discussion in #QDL_DEV on IRC Freenode
Credits/Thanks:
E:V:A for various reference threads which both sparked my interest and fueled my initial research.
Darkspr1te for his involvement with initial and ongoing development.
Ralekdev for providing additional insight in to msm8960 PBL
.
Yarrimapirate for creation of JET (Jewel Evita Toolkit) which served as my first hands-on with QDL and led me down the path to here.
Fuses for his emmc_recover program, which gave me my first glimpse of using HDLC to communicate with a Qualcomm based phone. Also for his typically brief and discouraging posts, which in turn drives my desire to prove him wrong
Captain_Throwback for providing firmware zips, testing, and more bricked phones then anyone else I've met.
others whom I'll add as I think of them.
Knowledge Base
Definitions:
PBL = Primary Boot Loader
SBL = Secondary Boot Loader
RPM = Resource and Power Management
TZ = Trust Zone
HDLC = High-level Data Link Control
MSM = Mobile Station Modem
DMSS = Dual-Mode Subscriber Station
QDL = Qualcomm Download
QHSUSB_DLOAD = Qualcomm High Speed USB Download
EhostDL = Emergency Host Download
DCN = Document Control Number, used by Qualcomm to track their thousands of documents
Qualcomm has built in to their firmware multiple methods of communication with outside "hosts" (a computer connected to the phone). Each method serves a particular function. AT commands are used to communicate with the modem while it is "online" and their multiple diagnostic protocols communicate with the modem in "offline" mode. These diagnostic protocols use HDLC (both synchronous and asynchronous) for the framing. It is a low overhead frame/packet transport which includes a 16 bit CRC for error checking, originally used over serial connections to the phone. Today these protocols are still being used over USB. Under Linux a usb-serial connection can be established by the qcserial kernel module via a /dev/ttyUSB (ex: /dev/ttyUSB0, /dev/ttyUSB1)
HDLC: A brief overview.
The basic HDLC structure is:
Each field is a multiple of 8-bits (1 byte).
HDLC uses 0x7e for the header and flag. For AsyncHDLC the header is optional, but Qualcomm always uses it. Also, the flag of one HDLC frame is allowed to be used as the header of the next frame. It also uses 0x7d as an escape for occurrences of 0x7e and 0x7d. All escaping is done after calculating the CRC and is applied to both the packet and CRC.
The packet is further broken down in to:
The packet header consists of:
The command is a 1 byte (0x00) code that determines the layout of the packet.
The parameters vary by command and specify different command specific options and the size of any data being transferred.
The CRC is generated using the standard CRC-CCITT-16 generator polynomial of: f(x)=x^16+x^12+x^5+1
Google it for more info.
Examples:
NO-OP: 7e 06 4e 95 7e
ACK: 7e 02 6a d3 7e
Software Version Request: 7e 0c 14 3a 7e
Software Version Response: 7e 0d 0f 50 42 4c 5f 44 6c 6f 61 64 56 45 52 31 2e 30 37 41 7e
Full Documentation:
DMSS Download Protocol: DCN 80-39912-1 Revision E
Describes in detail the commands used with QHSUSB_DLOAD (both SBL and PBL)
Streaming Download Protocol: DCN 80-V5348-1 Revision J
Describes in detail the commands used with the Flash Programmer (MPRGxxxx.hex)
CDMA DMSS Serial Data: DCN 80-V1294-1 Revision YP
Describes in detail the basic commands used with the modem Diagnostic mode. This protocol supports a MASSIVE amount of extentions covered in numerous other specialized documents. There is no current plan to implement these extensions.
...more to follow...
SPECIAL NOTE ABOUT THE NEXT POST:
If you attempt to use the msimage.mbn,YOU MUST CREATE IT USING THE SAME VERSION (or newer) FIRMWARE ALREADY ON YOUR PHONE. I'm not 100% sure if this applies to older models, but at least with msm8960 and newer.
Why?
Because, in addition to checking the signature of the image, the PBL also checks the firmware version against an efuse value for rollback prevention. If the OEM enables this feature then an older firmware will cause an error and will jump back to the last successfully loaded version of QDL mode. (ie: pbl, sbl1, etc...) This behavior has been the cause of many bricks for HTC Evo 4g LTE (jewel) owners who try to downgrade their firmware via ruu or recovery (sorry captn).
The firmware images involved are:
sbl1, sbl2, sbl3, tz and rpm.
DMSS And Streaming Protocol Tool
UPDATE: Code updated as of 17-01-2013, post will update to follow new code soon - Darkspr1te
First POC, Thats Proof of concept , not piece of c**p.
The concept behind this came from Soul Shadow, who like me feel that in a world without walls and fences who need windows and gates.
The original script was pulled from some git/website i dont remember belonging to a person i only know as scotty (please step forward )
JCSullins over from rootzwiki went running with the script to give us this working concept.
What is it?
This script fire's HDLC encoded frames at the serial port, namely qcserial for a Qualcomm HS_USB QDLOAD device 05c6:9008
within these frames are commands for various functions with great names like Hello, and Open MI.
Here is a example frame
Code:
0x7e 0x0a 0x63 0x74 0x7e
0x7e start of frame
0x0a command (this one is with out data)
0x63 crc low bit
0x74 crc high bit
0x7e close of frame
HDLC is all well document around the net so i wont go over it too much just yet. the important part is knowing the commands, what they do and what the payload, if any is and how that's formatted.
Why Do We need it?
The QDLOAD and EDLOAD protocols allow further control over your device, possible debrick solutions too, thats why we are developing it, some have mentioned other possible benifits but to reduce the google crew sending eveyone here looking for off-s solution and this thread going off topic we are avoiding that.Please can you also avoid topics of that nature.
What About Windows
You already have QPST and QXDM, us poor linux users dont. I am sure cygwin can help you there, some code changes may be required.
Enough Already, Gimme
https://github.com/jcsullins/qdloader
How Do I use it?
First you need to get the hex file for your device, if it's a msm8660 then your need mrpg8660.hex, they are found elsewhere, links will be posted later but for now use the search
then you need to run hex2bin on the hex file to have mrpgXXXX.bin which you rename hex.bin
then you need your emmc payload, this normally would be xxxx_msimage.mbn which you rename hex2.bin
then perl qdload.pl while you device is plugged in, there will be some debug output showing first and second stage uploads.
It's Didnt work,my device is still bricked, Answer my PM dammit!!
As I mentioned , this is a proof of concept file for study and not really ment to be a oneclick solution. Feed back is most welcome but dont mail the developers with questions for debricking the device, this is a tool to study and develop.
I REPEAT, stay away from this tool if you are not already familiar with qualcomm boot procedures, emmc system and the like.
EDIT: We have Found the original author of the script which we based the above on.
Scotty Walker
https://github.com/tmzt/g2root-kmod/tree/master/scotty2/pbl
Credits to The Man for making his work public.
deleted
SouL Shadow said:
SPECIAL NOTE ABOUT THE NEXT POST:
If you attempt to use the msimage.mbn,YOU MUST CREATE IT USING THE SAME VERSION (or newer) FIRMWARE ALREADY ON YOUR PHONE. I'm not 100% sure if this applies to older models, but at least with msm8960 and newer.
Why?
Because, in addition to checking the signature of the image, the PBL also checks the firmware version against an efuse value for rollback prevention. If the OEM enables this feature then an older firmware will cause an error and will jump back to the last successfully loaded version of QDL mode. (ie: pbl, sbl1, etc...) This behavior has been the cause of many bricks for HTC Evo 4g LTE (jewel) owners who try to downgrade their firmware via ruu or recovery (sorry captn).
The firmware images involved are:
sbl1, sbl2, sbl3, tz and rpm.
Click to expand...
Click to collapse
I was on 1.73 firmware(older or stock) when i bricked my phone.so you mean i have create a mbn file from a device which has 1.73 firmware?
and also how do you check whether a particular mbn file belongs to particular firmware only?.please help me
i have these files which i uploaded.can you see if these can be used for this method.
also i got the same error as i got before after following the post#4 method.i will soon upload the log file to you
sorry for being a noob
thanks
saketh91 said:
I was on 1.73 firmware(older or stock) when i bricked my phone.so you mean i have create a mbn file from a device which has 1.73 firmware?
Click to expand...
Click to collapse
Yes. All you need is the image files from an update or ruu. Check your device's forum, I'm sure someone has posted full firmware zip's. Just grab the correct one and wait for instructions.
saketh91 said:
and also how do you check whether a particular mbn file belongs to particular firmware only?.please help me
i have these files which i uploaded.can you see if these can be used for this method.
Click to expand...
Click to collapse
The msimage.mbn is created from the firmware images (sbl1, sbl2, sbl3, tz, rpm) along with the partition information for that device.
Darkspr1te has been working on tools to create this file. Once he determines them to be ready, he will post them along with instructions on how to use them.
saketh91 said:
also i got the same error as i got before after following the post#4 method.i will soon upload the log file to you
sorry for being a noob
thanks
Click to expand...
Click to collapse
Thank you for your patience and support. I know it's been frustrating being without your phone for so long. We try to share information as soon as we learn it. But sometimes it takes longer than expected to develop ways to utilize our newly found knowledge.
-SLS-
Team Unlimited has (what I believe is) the stock RUU for the Evo 4g LTE for HBOOT 1.15, 1.15 and 2.09 here (EDIT: can't post links because I am a noob with under 10 posts)
Using QPST to flash MPRG8960.HEX and 8960_msimage.mbn it always fails on 'Sending Go Command 0x2A000000', which I think is the pbl authenticating sbl1? If you are right and find a way to insert the correctly signed files into the .mbn I owe you both a beer
SouL Shadow said:
Yes. All you need is the image files from an update or ruu. Check your device's forum, I'm sure someone has posted full firmware zip's. Just grab the correct one and wait for instructions.
The msimage.mbn is created from the firmware images (sbl1, sbl2, sbl3, tz, rpm) along with the partition information for that device.
Darkspr1te has been working on tools to create this file. Once he determines them to be ready, he will post them along with instructions on how to use them.
Thank you for your patience and support. I know it's been frustrating being without your phone for so long. We try to share information as soon as we learn it. But sometimes it takes longer than expected to develop ways to utilize our newly found knowledge.
-SLS-
Click to expand...
Click to collapse
thanks for the reply.i will definitely wait for you to come up with solution.I am just trying to help you by providing you with logs.I have full confidence in you.I will wait for sure.thanks for all the help.
withRandomPrecision said:
Team Unlimited has (what I believe is) the stock RUU for the Evo 4g LTE for HBOOT 1.15, 1.15 and 2.09 here (EDIT: can't post links because I am a noob with under 10 posts)
Using QPST to flash MPRG8960.HEX and 8960_msimage.mbn it always fails on 'Sending Go Command 0x2A000000', which I think is the pbl authenticating sbl1? If you are right and find a way to insert the correctly signed files into the .mbn I owe you both a beer
Click to expand...
Click to collapse
The files you refer to on Team Unlimited's site http://www.unlimited.io are the RUU's for the HTC Evo 4g LTE (jewel). For non-Htc ppl, an RUU is a windows executable that contains the full firmware and software for the given phone. Each RUU corresponds to a software release. Yes, the firmware images needed to create an msimage.mbn for jewel are contained in the RUU.
As for the mprg8960.hex:
The PBL does not perform OEM signature checking on the hex file. The hex file is built by Qualcomm before distributing the sources to the OEM's. It's sole function is to program blank or corrupted flash memory (nand, emmc, etc...) with the firmware bootloaders (sbl1, sbl2, sbl3, tz, rpm).
The address 0x2a000000 is where the mprg.hex is stored in memory. After upload the 'GO' command is used to transfer execution to the flash programmer (the hex file). The phone is supposed to acknowledge the 'GO' command before jumping to the new code. It appears that the 8960 firmware in use by HTC and Samsung has a bug and is not sending that acknowledgement. QPST waits for this acknowledgement before moving on to the next step. This is one of the reasons that prompted the creation of this thread, to develop an alternative to QPST.
Using the perl script posted above by Darkspr1te, other ppl have shown that the 'GO' command DOES transfer execution to the flash programmer and have used it to write the firmware (msimage.mbn) to emmc flash, but have not yet had success booting the loaded firmware. That is why I pointed out the need for the correct firmware version to be used to create the msimage.mbn.
-SLS-
SouL Shadow said:
Yes. All you need is the image files from an update or ruu. Check your device's forum, I'm sure someone has posted full firmware zip's. Just grab the correct one and wait for instructions.
-SLS-
Click to expand...
Click to collapse
i don't know exactly which firmware version which i was on before bricking my phone.but i definitely flashed a rooted sense rom. however i have all zips of the roms which i probably should have installed.also will this tool apply for every device(8960) even my at&t htc one x?
Great work!
SouL Shadow said:
The PBL does not perform OEM signature checking on the hex file.
Click to expand...
Click to collapse
How do you know this? (Other sources have claimed the opposite...)
...After upload the 'GO' command is used to transfer execution to the flash programmer (the hex file). The phone is supposed to acknowledge the 'GO' command before jumping to the new code. It appears that the 8960 firmware in use by HTC and Samsung has a bug and is not sending that acknowledgement. QPST waits for this acknowledgement before moving on to the next step.
Click to expand...
Click to collapse
a) This could be an effect of PBL signature check!
b) Even if not checked, they could easily have changed the acknowledgement string to anything else.
c) It could also be an effect of a blown Qfuse...
d) Are you saying that QPST is not connecting to your phone? (What QPST version are you using?)
Using the perl script posted above by Darkspr1te, other ppl have shown that the 'GO' command DOES transfer execution to the flash programmer and have used it to write the firmware (msimage.mbn) to emmc flash, ...
Click to expand...
Click to collapse
What other people? Do they even have the same phone?
E:V:A said:
Great work!
How do you know this? (Other sources have claimed the opposite...)
Click to expand...
Click to collapse
Qualcomm docs only mention verifying the hex, they say nothing about signature checking. For all we know it's simply verifying the uncorrupted download.
The hex is built by qualcomm and distributed with *other* files to the oem's/licensee's. It only needs to be changed when the actual hardware changes. The msimage.mbn is the oem specific component. There is no oem signature on the hex, however there may be a qualcomm signature or some kind of checksum to ensure it's a valid file.
E:V:A said:
a) This could be an effect of PBL signature check!
b) Even if not checked, they could easily have changed the acknowledgement string to anything else.
Click to expand...
Click to collapse
The acknowledgment does not contain any text. It's just a simple ACK reply.
E:V:A said:
c) It could also be an effect of a blown Qfuse...
d) Are you saying that QPST is not connecting to your phone? (What QPST version are you using?)
Click to expand...
Click to collapse
QPST hangs waiting for a response from the 8960 phones (htc evita, jewel, and sgs3), but other ppl (I don't know/remember who) using the above mentioned script have uploaded the hex and been able to communicate with the flash programmer. They were even able to upload the msimage.mbm. Although the .mbn used was probably the wrong build because after writing to emmc it did not boot in to the sbl. Either due to wrong files or older versions of firmware (causing a rollback error).
E:V:A said:
What other people? Do they even have the same phone?
Click to expand...
Click to collapse
This post: http://forum.xda-developers.com/showthread.php?p=36578082
Note the code part where it mentions 'openmulti' that command is only in the streaming download protocol which is used exclusively by the flash programmer.
EDIT 2013-01-28:
After a discussion with Ralekdev on IRC and reexamination of posted test results, it seems that the mprg8960.hex is NOT being executed. Will need to check the stored error code to see excatly why. Ralekdev was able to show me evidence of possible signature checking in the PBL. Again, we'll need to check the stored error code to confirm if that is the case. While this is a set back for msm8960 devices, it doesn't diminish the need for a full featured, open source, Linux replacement for QPST/QXDM.
-SLS-
SouL Shadow said:
Qualcomm docs only mention verifying the hex, they say nothing about signature checking. For all we know it's simply verifying the uncorrupted download.
Click to expand...
Click to collapse
Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.
The acknowledgment does not contain any text. It's just a simple ACK reply.
Click to expand...
Click to collapse
Well, this is not how the Odin handshake looks like! There there is a short string, like "LOKE" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)
QPST hangs waiting for a response from the 8960 phones (htc evita, jewel, and sgs3), but other ppl (I don't know/remember who) using the above mentioned script have uploaded the hex and been able to communicate with the flash programmer. They were even able to upload the msimage.mbm. Although the .mbn used was probably the wrong build because after writing to emmc it did not boot in to the sbl. Either due to wrong files or older versions of firmware (causing a rollback error).
Click to expand...
Click to collapse
Exactly.
Is it possible to access the bootloader output via USB UART for htc 8960 devices? Seems like this might be useful to get PBL/SBL output for a bricked device.
E:V:A said:
Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.
Click to expand...
Click to collapse
Take a look at the creation date on the hex files in the source archive. They were created in November 2011. But that build is from a later date (I don't have it in front of me, but I think it's from april 2012). That source archive is directly from qualcomm. Why is that important? Because it shows that even with most changes to the source, the hex files don't need to be rebuilt. Besides, the flash programmer is fairly limited in what it can do. It's purpose is to rewrite the bootloaders to blank or corrupted nand/nor/emmc flash. Once written the phone will shut down and attempt to boot normally. Secure Boot only covers the boot process from power on to hardware initialization, security environment setup and finally loading appsbl. Everything after that is up to the oem to do whatever they choose. Although, interestingly enough, team unlimited was able to create a custom hboot (htc's appsbl) which will load normally even with signature checking...
E:V:A said:
Well, this is not how the Odin handshake looks like! There there is a short string, like "HELLO" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)
Click to expand...
Click to collapse
I don't think we're in odin anymore toto!
PBL, the good bootloader of the east suddenly appears to tell us that someone dropped a brick on secure boot. Now all these little pdf's are singing, telling us to follow the HDLC road. Along the way we'll meet some interesting new people. There's QDL who lacks a brain. The Hex-man with no heart. And Streaming Download, a protocol in need of a little courage. Together we can follow the HDLC road to reach the great wizard of qualcomm and use the ruby .mbn file to return us to odin. That's when we'll awake to find Auntie ( a || h )boot and uncle recovery. Adb is there and fastboot and android too!
(don't ask, I don't know either ...)
And back in reality:
I've never used odin (in fact the first time I even heard of it was reading the Verizon SGS3 unlocking thread, which is how I discovered your thread, which lead me to here), but it's my understanding that it is a Samsung only feature that is integrated on the appsbl level, providing similar functionality to HTC's RUU mechanism. Although odin appears to be much more advanced. I've seen numerous samsung users with qualcomm hardware mention how they were stuck in qdl mode and no longer able to access odin to recover.
Now if you'll excuse me, I suddenly have the urge to listen to Dark Side of the Moon...
-SLS-
withRandomPrecision said:
Is it possible to access the bootloader output via USB UART for htc 8960 devices? Seems like this might be useful to get PBL/SBL output for a bricked device.
Click to expand...
Click to collapse
Sort of. Only JTAG can access full output. Error and other diagnostic info can be read from memory using the DMSS Download Protocol or through the DIAG interface.
Under Linux all communication is done via usb serial converter kernel module qcserial and device node /dev/ttyUSBn where n = your device number reported by the kernel dmesg. This goes for any modern qualcomm device using a usb port. Older products used a proprietary serial wiring (outlined in the DMSS Serial Data ICD document 80-V1294-1) to access these same protocols.
The pbl/sbl's all share the same qdl code base. They will transmit a "magic" string over usb, waiting only a programmed amount of time for a connection.
If you mount debugfs
Code:
mount -t debugfs none_debugfs /sys/kernel/debug
and load a kernel module usbmon
Code:
modprobe usbmon
then you can access raw usb streams, either per bus or for the entire computer. There's a raw text interface at /sys/kernel/debug/usb/usbmon
There's also raw binary interface through /dev/usbmon[N]
Also, see the kernel source docs:
<kernel source>/Documentation/usb/usbmon.txt
On a bricked phone qcserial will recognise the device and a ttyUSB will become available OR if sbl3 was successfully loaded usb mass storage will provide the enumerated emmc partitions (although using them is still a work in progress, I have an idea how to properly do it. Will post details once I can test it).
To utilize the qdl usb serial interface you need to use the DMMS Download Protocol outlined in document 80-39912-1 Revision E.
On a working phone there is a usb serial interface available as well. However the qcserial kernel module is not programmed with the oem's vid/pid, so it doesn't load. I've been able to connect to it via generic serial converter:
Code:
modprobe usbserial vender=0x<vid> product=<pid>
Then disconnect and reconnect the usb cable to the phone. dmesg will show the new ttyUSB device.
Unfortunately I haven't been able to actually do anything with it yet. On a working phone it should connect you to the modem which you can use AT commands to interact with. There is also an AT command to switch to DIAG mode. From DIAG more you would use the DMSS Serial Data protocol (doc 80-V1294-1 Revision YP), another HDLC based protocol, to interact.
I have a large number of doc's covering all the above mentioned items and much more (just over 100 pdf's). Unfortunately they are all watermarked with the actual username who had access. If someone has or can point me to a program that can remove said watermarks then I would happily share all of them.
-SLS-
SouL Shadow said:
... Unfortunately they are all watermarked with the actual username who had access. If someone has or can point me to a program that can remove said watermarks then I would happily share all of them.
Click to expand...
Click to collapse
Did you actually try to google that?
http://www.slideshare.net/linsu39/5-solutions-to-remove-pdf-watermark
http://download.cnet.com/We-PDF-Watermark-Remover/3000-18497_4-75593137.html
http://online2pdf.com/
http://www.freepdfconvert.com/#
http://foxyutils.com/splitpdf/
E:V:A said:
Did you actually try to google that?
http://www.slideshare.net/linsu39/5-solutions-to-remove-pdf-watermark
http://download.cnet.com/We-PDF-Watermark-Remover/3000-18497_4-75593137.html
http://online2pdf.com/
http://www.freepdfconvert.com/#
http://foxyutils.com/splitpdf/
Click to expand...
Click to collapse
Hah, yes I did. These pdf's are encrypted so most tools want a password to edit them. Looking for a Linux command line utility so I can strip about 100 pdf's. Found pdftk but it requires a password to work on encrypted pdf's. I was able to convert an encrypted pdf to a non-encrypted pdf using the pdftocairo tool... but that changes the raw pdf data so finding the watermark data is more difficult. Now I'm searching for a pdf editor since my linux distro didn't come with one. Unfortunately I've spent half my day off working on this when I could have been programming.
EDIT:
found qpdf on sourceforge!
qpdf + grep + sed = fully automated bash script to clean all the pdf's
EDIT2:
I now have a working script to remove the watermarks. Found a few bugs while cleaning my document archive. I will post it as soon as I can work them out.
-SLS-
E:V:A said:
Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.
Well, this is not how the Odin handshake looks like! There there is a short string, like "LOKE" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)
Exactly.
Click to expand...
Click to collapse
Absolutely correct. The download code itself has a mechanism to verify if it is valid. Some vendors check the download code before being executed if they are signed correctly, others leave the downloader as it is, but check the md5 signature within the downloader. However we managed to exploit the md5 verification to rewrite the msm7x bootloader to let us read full flash connected to radio. Not sure if they changed a lot regarding the msm89xx chipsets, but I'm going to have a look at that again, if needed. Regarding the flashing process, the flashed files are signed and checked for validity after uploading, rsa keys are in both amss and oemsbl.
Odin Protocol mainly belongs to samsung's own cpu/bootloader and has nothing to do with the qualcomm msm's/qsd's/qsc's.
What we speak of is the such called "QC Download Mode". Using the tty interface being in QC DM Mode you can just send the "3A" command to enter the "QC Download mode". For some mobiles, even if you have access to the radio download mode (qc) you cannot flash and repair the flash that belongs to the PDA part (most seen for those OMAP / MSM combinations). It's just because both cpu's use their own flash module for their firmware parts (means the flash isn't routed to both cpus, thus technically impossible).
WBR