Database Users

[DEV][WIP] PyAdb Python 2.7 Package [Windows/Unix]

KEarlier I saw a thread that demonstrated a python wrapper for the adb command. I remembered a while ago that adb uses a TCP protocol (duh it's written in the docs)
I had some spare time today so I decided to write a script for you all (I know how redundant it is, but hey why not)
This script incorporates the core functionality of adb into it, such as detecting your device... that's pretty much it at this stage..
so here it is. PyAdb​
I doubt this will brick anyone's devices... but just in case..
disclaimer:
if this bricks your device, it was not my fault. you used this at your own risk.
I don't care if this crashes your computers, or shoots you in the foot. you used it, not me
Click to expand...
Click to collapse
The general concept with how this works is below:
firstly, you have to choose your command from this list
secondly: the length of that command (in hexadecimal) needs to be prefixed before the command is sent. This is probably to do with security so the adb server on the device only reads the right amount of data
thirdly:... well there's not much more to it. just enjoy, tinker with it, and remember to contribute!!
note about getting device detected:
You need to ensure that the Android Debugging Bridge driver is installed for your device. this is normally supplied with standard device drivers. please refer to your device forums for instructions on how to install these
You also need to make sure your pc is authorised with stock adb, otherwise you won't be able to connect with PyAdb (for 4.2 upwards)
note about the current shell integration:
I now have a threaded interactive console, however single commands are still not read from a thread. If you want to use grep or kmsg, launch a full session

page not found!

Fixed link: https://github.com/cybojenix/PyAdb/
Looks like OP removed the file he linked to and forgot to change the link.

404 page not found?
cybojenix said:
Earlier I saw a thread that demonstrated a python wrapper for the adb command. I remembered a while ago that adb uses a TCP protocol (duh it's written in the docs)
I had some spare time today so I decided to write a script for you all (I know how redundant it is, but hey why not)
This script incorporates the core functionality of adb into it, such as detecting your device... that's pretty much it at this stage..
so here it is. PyAdb​
I doubt this will brick anyone's devices... but just in case..
disclaimer:
The general concept with how this works is below:
firstly, you have to choose your command from this list
secondly: the length of that command (in hexadecimal) needs to be prefixed before the command is sent. This is probably to do with security so the adb server on the device only reads the right amount of data
thirdly:... well there's not much more to it. just enjoy, tinker with it, and remember to contribute!!
note about getting device detected:
You need to ensure that the Android Debugging Bridge driver is installed for your device. this is normally supplied with standard device drivers. please refer to your device forums for instructions on how to install these
note about the current shell integration:
I haven't added a threaded data capture method yet, purely because I don't have time at the moment. it will (should) work with single commands. it isn't reliable for commands that take a while to run (such as grep)
Click to expand...
Click to collapse
404 page not found?

omegavesko said:
Fixed link: https://github.com/cybojenix/PyAdb/
Looks like OP removed the file he linked to and forgot to change the link.
Click to expand...
Click to collapse
lol yeah thanks. I did some file changes and forgot I linked to the file in the thread rather than the repo

Droid Ultra (possible Maxx) brick recovery

I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960_MOTO.bin -ptf _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Instruction to generate partitions.txt from working phone (Note you could have different name instead of mmcblk0):
1. adb shell dd if=/dev/block/mmcblk0 of=/sdcard/pt.bin bs=1024 count=10
2. adb pull /sdcard/pt.bin .
3. ./gpt_parser.py pt.bin > partitions.txt
Edit: Split package into 5 packages: 1. Image files for MAXX, 2 Image files for ULTRA, 3. Loader .bin for Motorola_8960 4. Window drivers for QHSUSB_DLOAD mode, 5. qdload.py script
qdload.py script updated to V1.2 with lot of usefull info printed.
move gpt_parser.py script to main post

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread.
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - follow unbrick 1 procedure.
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
WOW! Nice job, bud.
I would normally ask you to add a disclaimer to be extremely careful shorting any pins (and to do at YOUR OWN RISK), but anyone who needs to do this is already in a pickle, and their device useless.
Great work, impressive.

samwathegreat said:
WOW! Nice job, bud.
I would normally ask you to add a disclaimer to be extremely careful shorting any pins (and to do at YOUR OWN RISK), but anyone who needs to do this is already in a pickle, and their device useless.
Great work, impressive.
Click to expand...
Click to collapse
Done, I also add note about stop shorting this pin to ground once you get to QDL MODE, since it will cause eMMC instability, and may forbid to flash images.
Add: Package repacked with drivers for windows and updated version of qdload.py with windows serial port auto detection.

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
This is great!! Mind if i add it here? With proper credits of course? Or quote you?
http://forum.xda-developers.com/moto-x/general/how-to-resurrecting-bricked-moto-x-t2629057

Sure, no problem, but you need your own set of files for moto x (could be obtained from fastboot oficial image), and partitions.txt.
partitions.txt you could obtain using following instruction from working phone:
1. adb shell dd if=/dev/block/mmcblk0 of=/sdcard/pt.bin bs=1024 count=10
2. adb pull /sdcard/pt.bin .
3. ./gpt_parser.py pt.bin > partitions.txt
Edit: gpt_parser moved to main post.

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
this should be stickied for all of android. while i realize your methods were device specific, i'm guessing there are enough similarities in your situation that it can be applied globally.

640k said:
this should be stickied for all of android. while i realize your methods were device specific, i'm guessing there are enough similarities in your situation that it can be applied globally.
Click to expand...
Click to collapse
It is Qualcomm specific. Most of current Qualcomm chips has emergency download mode. the only problem is to have proper load file MPRG8960.bin is for 8960 chips family, and looks like Motorola specific (maybe I'm wrong). So for sure not all Android device could use this, but most Qualcomm device should be fine, you just need model specific set of files, which, for example, Motorola provides with fastboot flashable images.

good points and good observations. this thread definitely shouldn't get buried in a single (aging) device. there's good info here.

I don't know if it is a problem, but I used this script to try and unbrick my phone.
When running as #1 as you state above, there is a "finished with errors" after the script. So I looked at it and saw that "MPRG8960.bin" was going to be pushed to the phone and the next line states "File not found "MPRG8960.bin." Looking at the files, the file it was looking for was named "MPRG8960_MOTO.bin," so I changed it to the file it was looking for and it worked great.
I'm a noob when it comes to the guts of programming and utilities, but it's something I spotted and figured I would let you know.

This seems really promising for my bricked xt907...

HamBone625 said:
This seems really promising for my bricked xt907...
Click to expand...
Click to collapse
Op has no fix files for the M, they have never been leaked.

HamBone625 said:
This seems really promising for my bricked xt907...
Click to expand...
Click to collapse
Since XT907 use same Qualcomm chip MSM8960 - you could try to use this utility, but first you need to obtain partitions.txt from working XT907 according to instructions.
Files needed you could take from latest firmware package (sbl1.mbn, sbl2.mbn, sbl3.mbn, tz.mbn, rpm.mbn, emmc_appsboot.mbn is aboot.mbn)

MOTO X
Hi. Can somebody post the partitions.txt for the moto X? please
To get the partition.txt from a working moto X it has to be root?
thanks

When I execute the script on my Droid Mini, with their proper partitions txt file and the MBN files from the ULTRA, I got this:
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: com64
Requesting Params...
Params:
Version: 8
Min version: 1
Max write size: 1536 (0x00000600)
Model: 144
Device size: Invalid or unrecognized Flash device, or Flash device progr
amming not supported by this implementation
Device type: Intel 28F400BX-TL or Intel 28F400BV-TL
Requesting SoftwareVersion...
Version: PBL_DloadVER2.0
Requesting SerialNumber...
Serial number: 00,00,48,03
Requesting HW Id...
HW Id: 00,00,48,03,e1,10,7e,00
Requesting PublicKey...
PublicKey: 39,c4,ee,3e,b5,be,eb,87,8e,2f,e3,b8,53,4d,14,6f,91,ca,fd,bb,94,2a,0d
,aa,d0,1e,b0,87,62,d4,b9,b8
Uploading file 'MPRG8960_MOTO.bin' to addr 0x2a000000...
Executing...
Found TTY port: com64
Sending MAGIC ...
QCOM fast download protocol targ:
Version: 7
Compatible version 2
Maximum block size 1024 (0x00000400)
Base address of Flash 0x00000000
Flash: eMMC
Window size: 30
Number of sectors: 128
First sector size: 2097152 (0x00200000)
Feature bits: 09
Sending secureMode...
Sending openMulti ...
LOG: Open multi failed, unknown error
ERROR: 0x00000007: Open multi failed, unknown error
Sending SBL Reset...
Done, with errors!!!

Where I can get the MBN files for a Droid Mini?

Hi, you could try to find it inside one of official (fastboot) package for empty flashing like in Ultra package. It fails in very strange place - I will look at it on Monday.
Sent from my XT1080 using Tapatalk

VBlack said:
Hi, you could try to find it inside one of official (fastboot) package for empty flashing like in Ultra package. It fails in very strange place - I will look at it on Monday.
Sent from my XT1080 using Tapatalk
Click to expand...
Click to collapse
I tried the MBN files from a 4.4 fastboot from an Ultra and from the Droid Mini too, but i'm getting this errors, I don't know what's wrong or what I'm doing worng.
My phone powers up and can enter to fastboot, but it fails to boot, when i use "fastboot reboot" it reboot to QHSUSB_DLOAD... but well, something is wrong,,,

HELP
When i do the third step yo obtain partitions.txt (./gpt_parser.py pt.bin > partitions.txt)
i got a message
can't create partitions.txt: Read-only file system
any help?

C:\droid_ultra>python qdload.py MPRG8960_MOTO.bin -ptf _ultra/partitions.txt
'python' is not recognized as an internal or external command,
operable program or batch file.

BUZZAPT said:
When i do the third step yo obtain partitions.txt (./gpt_parser.py pt.bin > partitions.txt)
i got a message
can't create partitions.txt: Read-only file system
any help?
Click to expand...
Click to collapse
You should execute it on PC in writable folder.
Sent from my XT1080 using Tapatalk

[Partial] Hacking myford touch, were getting closer!!!

Ok Devs-
(ALSO sync owners, don't update your sync systems anymore by ford, we are getting close to unlock it, and they will put out updates to bork our hack).
I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or bluestacks to run android.
I got the official ford , usb reboot file I have attached it here. It has the signed files that we need.
I was able to tigger the install event with those files. And I believe this is our key to Jailbreak the system.
The best part is that you can run stacked commands on those install scripts. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs
I have been struggling to get it it to execute, presumably, I don't know anything about win CE.
I have the win CE cmd.exe on my usb. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggy back on the copy via stacked code to upload cmd.exe to the system then execute it. UNless there is another way to get a shell, once we get the shell, WE OWN THEM.
This is what my path is listed on my autoinstall.1st file -
Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe
the cab is required as it is signed by microsoft and bypasses the lock to load additional code.
Changing the semi colon to & makes it error out, so the semi colon is correct, just dunno if I have the paths right. Normally, it would be something like for linux /fs/usb0/etc...... but I am not sure about CE lists the usb device path...again I am win CE retarded. UNless there is a way to % to the paths, but I dunno much about win.
Sync, recognizes and executes with no errors. If I change my code a little, it will not work and say error.
SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?
If someone can point me in the right direction, or to point what file I can call to execute the onboard navigation, that would be awesome as well.
Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for android apps.
I have also attached the sync app developer guide link. With programming commands for apps.
https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf
Here is a link to the windows 7 automotive guide on how the system operates, kernel info, driver info, and stuff.
http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf
UPDATE: 04/19/2015 -
While it is not a software hack, IT IS possible to unlock the navigation only portion of the MFT 8", if you have it without nav.
IF YOU DO THIS, YOUR CAR WARRANTY IS VOID. You've been warned.
It will cost a little money, but not set you back $1000 like nav tv and lockpick are charging. Maybe $100 or so.
Here is what you need to do, if you can't wait for us to unlock the bootloader.....
1 - Get a used APIM only part with the numbers DS7T in it. (aluminum only part with the fins, you DO NOT need the screen)
2 - Get the VIN# of the car it came out of and check the VIN to see if it was enabled with factory NAV. There are internet sites that will check the VIN for you. Must be a unit with NAV enabled.
http://researchmaniacs.com/VIN-Number-Lookup/WindowSticker/Ford.html
3. Install the APIM only to the back of your LCD.
4. The system will reboot and reset.
5. The system will them ask you to insert the NAV sd card, do that. (obviously, you have to buy a nav card from ebay as well, but those are $10)
6. Enjoy factory NAV for about $100
This is the only workaround for now. THE APIM is separate from the sync system and only interfaces with it. So, you will retain all your OEM VIN# locked stuff and it will survive reboots and updates. The nac actually just unlocks on that APIM portion, believe it or not. This method doesn't tie into the file system software, it merely accesses it.
Now.... if someone would be so kind as to just rip the NAND chip from one of those units and post it, so that we can just flash over our existing equipment, we can do this for FREE!!!!!!
Still working on the video bypass.... It would be nice if our Russian friends can start chiming in for that one please.....
DON"T FALL FOR THE EBAY GUY CHARGING $600 to $700 for this. Let's put him out of business.... Your help is needed.
PROPS TO rahrena8690 for the find.
WORKING FILE LINKS - FOR DEVELOPERS ONLY
Delayed Reboot project
https://mega.co.nz/#!m0BEWSrA!qrdgIRYTvccH52794ktdpRfrulI_pSdY3g-iiCyhaFs

awesome work
kthejoker20 said:
Ok Devs-
(ALSO sync owners, don't update your sync systems anymore by ford, we are getting close to unlock it, and they will put out updates to bork our hack).
I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or bluestacks to run android.
I got the official ford , usb reboot file I have attached it here. It has the signed files that we need.
I was able to tigger the install event with those files. And I believe this is our key to Jailbreak the system.
The best part is that you can run stacked commands on those install scripts. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs
I have been struggling to get it it to execute, presumably, I don't know anything about win CE.
I have the win CE cmd.exe on my usb. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggy back on the copy via stacked code to upload cmd.exe to the system then execute it. UNless there is another way to get a shell, once we get the shell, WE OWN THEM.
This is what my path is listed on my autoinstall.1st file -
Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe
the cab is required as it is signed by microsoft and bypasses the lock to load additional code.
Changing the semi colon to & makes it error out, so the semi colon is correct, just dunno if I have the paths right. Normally, it would be something like for linux /fs/usb0/etc...... but I am not sure about CE lists the usb device path...again I am win CE retarded. UNless there is a way to % to the paths, but I dunno much about win.
Sync, recognizes and executes with no errors. If I change my code a little, it will not work and say error.
SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?
If someone can point me in the right direction, or to point what file I can call to execute the onboard navigation, that would be awesome as well.
Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for android apps.
I have also attached the sync app developer guide link. With programming commands for apps.
https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf
Here is a link to the windows 7 automotive guide on how the system operates, kernel info, driver info, and stuff.
http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf
Click to expand...
Click to collapse
I have been wanting to get into this system since the day I got my truck. All ford has succeeded in doing is piss me off with "updates" that didn't amount to much. I would be happy if they would at least allow applink on the touch systems, as that would at least give us some options to add our own work.
I would love to help, but don't have much experience with "rooting", Windows CE, etc. But looking at what you have so far, I will offer some thoughts that came to mind:
It seems to me that you are working at the bootloader level, not the OS level. I may be way off here, but this could be why cmd won't work, as the OS is not loaded, so a traditional shell is not yet possible.
If you are indeed at the OS level, I wonder since you didn't get any errors when trying to launch cmd, if it was indeed actually running. I know on windows systems, if you manage to launch a process as "system", you typically can't interact with it (security issue). I don't know CE at all, but wonder if PsExec would work if it is launching your exe, but as system...
If it is executing your exe as system, perhaps a script or small app that writes some info about the system to a file on the usb drive would help. IE, have it list the folder structure for example.
I know we are not alone on people wanting to work on this. It looks to me that with Sync 3 dumping MSFT, we may be left in the dust with no further updates, although, this guy has found some signs that it might still get some useful updates:
http://www.reddit.com/r/Ford/comments/2rf2cc/ford_may_announce_updates_to_sync_gen2_myford/
Thanks

kthejoker20 said:
Ok Devs-
(ALSO sync owners, don't update your sync systems anymore by ford, we are getting close to unlock it, and they will put out updates to bork our hack).
I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or bluestacks to run android.
I got the official ford , usb reboot file I have attached it here. It has the signed files that we need.
I was able to tigger the install event with those files. And I believe this is our key to Jailbreak the system.
The best part is that you can run stacked commands on those install scripts. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs
I have been struggling to get it it to execute, presumably, I don't know anything about win CE.
I have the win CE cmd.exe on my usb. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggy back on the copy via stacked code to upload cmd.exe to the system then execute it. UNless there is another way to get a shell, once we get the shell, WE OWN THEM.
This is what my path is listed on my autoinstall.1st file -
Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe
the cab is required as it is signed by microsoft and bypasses the lock to load additional code.
Changing the semi colon to & makes it error out, so the semi colon is correct, just dunno if I have the paths right. Normally, it would be something like for linux /fs/usb0/etc...... but I am not sure about CE lists the usb device path...again I am win CE retarded. UNless there is a way to % to the paths, but I dunno much about win.
Sync, recognizes and executes with no errors. If I change my code a little, it will not work and say error.
SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?
If someone can point me in the right direction, or to point what file I can call to execute the onboard navigation, that would be awesome as well.
Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for android apps.
I have also attached the sync app developer guide link. With programming commands for apps.
https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf
Here is a link to the windows 7 automotive guide on how the system operates, kernel info, driver info, and stuff.
http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf
Click to expand...
Click to collapse
Thanks Pro. any new updates. Actually i just purchase Lincoln MKZ 2014, although i know it is hardware capable to run navigation since i get latitude and longitude, but unfortunately no navigation from the factory. i just play with My Lincoln Touch and on the sittings there is a tab for installing apps. so can we install and windows CE app?

Nothing yet.
Sync updates are rolled out every 6 months.
Rumor was that we are all getting blackberry upgrade from Microsoft.
Update is expected Feb 2015 or so.
We are sitting on the sidelines waiting to see what Ford will do, before we start porting over. There may be no need for our work if we get port link to the new system. I think Ford is on our side, as they don't want us open sourcing the system and have to deal with warranty claims.

kthejoker20 said:
Nothing yet.
Sync updates are rolled out every 6 months.
Rumor was that we are all getting blackberry upgrade from Microsoft.
Update is expected Feb 2015 or so.
We are sitting on the sidelines waiting to see what Ford will do, before we start porting over. There may be no need for our work if we get port link to the new system. I think Ford is on our side, as they don't want us open sourcing the system and have to deal with warranty claims.
Click to expand...
Click to collapse
i don't think so. we will not get the QNX update. I think it is a different system with different architecture and requirements. but i hope they unlock the FMT or LMT so we can install any windows ce app.

Please don't reply to this thread with comments or requests.
I'd like to keep it clean to only development comments.

Based on what I'm reading around the page 26 mark (bootloaders section of the windows embedded 7 pdf), it sounds like we need to attempt to give the IPL boot arguments to get into update or development mode and from there we could have a chance of pushing our own files. I would think update mode looks for a signature but dev mode might let anything in.

Way ahead if you. The attached file has the signature. I was able to successfully run stacked commands by modifying the attached reboot file. Problem, the command doesn't stick on reboot.

kthejoker20 said:
Way ahead if you. The attached file has the signature. I was able to successfully run stacked commands by modifying the attached reboot file. Problem, the command doesn't stick on reboot.
Click to expand...
Click to collapse
So you were able to launch a command prompt via the delayed reboot zip? I wonder if it would be possible to hack a sync update and then use this to push it.

I need a zip please... I can induce an update no command prompt yet
I can only run commands stacked, but I need to run a script on the sync side, but I can't figure out how to push the script to the sync

kthejoker20 said:
I need a zip please... I can induce an update no command prompt yet
I can only run commands stacked, but I need to run a script on the sync side, but I can't figure out how to push the script to the sync
Click to expand...
Click to collapse
This the latest myford touch update Gen2-V3.7.11
http://www.mediafire.com/?79v3d0d8972sy44
Here is the Delayed Reboot zip
http://outofmytouch.com/assets/delayed_reboot.zip

So some very quick looking tonight and I found EA5T-14D546-ATD contains the master patch. Decompiling some of the shockwave files I have found some interesting code. These would most likely be the files to hack to change factory behavior. Getting them flashed to a vehicle might be a whole other issue though.
Edit: After more browsing I think we need to target a master patch for an older version of Sync. I was looking at the master patch for the most current so there are going to be less files patched. I will have a peek at those later.

For some reason, the coalfire site took down it's information regarding the reverse shell of the infotainment system.
Here is what I am talking about with the command on the delayed reboot file. I have conveniently located the stacked command image and attached it for your viewing pleasure.
If we can patch the files, this is how we push them to the chip. Otherwise, I may have to PHYSICALLY pull the system files through JTAG tap... sigh... not really wanting to do that though...
If we can push them, we would have to unlock the bootloader to bypass the sigs... This is where my brain is staring to hurt....
Obviously, these commands do not apply to what we are doing, as that is QNX. Plus, I don't want any noobs spunking their system with our fashizzle yet...until we test it.
Just a final thought, as a plan B, we could reverse shell with the USB exploit as well... just saying.. might be easier

An integer overflow might work as well, but I have never experiemented on an embedded chip. Stacked command invoking an integer overflow, might give us write access to the system.

Has any thought gone into rewriting one of the dll's included in the latest patch to include some sort of backdoor? It seems it'd be easy (maybe I'm missing something here) to just modify the latest patch's install files to install our new dll.

I haven't had time yet, but I am going to try to USB otg pull.... I'm sure I can probably at least disable the vss lock.

kthejoker20 said:
I haven't had time yet, but I am going to try to USB otg pull.... I'm sure I can probably at least disable the vss lock.
Click to expand...
Click to collapse
When you tried running the cmd prompt with the stacked command approach did get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
---------- Post added at 11:51 PM ---------- Previous post was at 11:30 PM ----------
duckboy81 said:
When you tried running the cmd prompt with the stacked command approach did get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
Click to expand...
Click to collapse
I think I answered one of the questions. From the PDF you posted "A Technical Companion..." it's a Freescale IMX35 processor.
freescale.com/webapp/sps/site/taxonomy.jsp?code=IMX35_FAMILY&cof=0&am=0

Looking forward to following the progress of this thread! I hope that you all will discover a new solution to our these outdated systems! Good luck guys, I am rooting for you!

duckboy81 said:
When you tried running the cmd prompt with the stacked command approach did get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
---------- Post added at 11:51 PM ---------- Previous post was at 11:30 PM ----------
I think I answered one of the questions. From the PDF you posted "A Technical Companion..." it's a Freescale IMX35 processor.
freescale.com/webapp/sps/site/taxonomy.jsp?code=IMX35_FAMILY&cof=0&am=0
Click to expand...
Click to collapse
Actually I am pretty sure the MyFord Touch processor is an I.MX51 acccording to a Ford PDF I found. Unfortunately I am new to posting here and it won't let me post links.
I work on the almost identical I.MX53 processor at work doing Linux kernel, u-boot boot loader, and Linux application software, so I might be able to help.
Most of the I.MX processors have built in ROM code that allows booting to a USB or Serial downloaded mode. This allows loading any software you want into any RAM address and then booting from it. Then you run completely out of RAM (like a live CD). Depending on how Ford setup the I.MX51 e-fuse settings, there may be an external pin that could be used to enter this serial downloaded mode. Freescale provides a tool called the MfgTool to load software using the serial download mode. Then you could load Linux, Android, or whatever. The e-fuses also allow you to lock out JTAG, serial downloaded mode, and enable boot time signature checking, but I am not sure if Ford used any of these to lock the system down.

Do we know where the processor is located in the fusion?

A quick tutorial of installing Windows RT 8.1 on recent Lumia

2/18 Update:
USB charging and controller works, audio probably works. Here's some update on this project:
Battery
Put C:\DPP and C:\EFIESP back. Nokia's driver reads C:\EFIESP\Battery.json in kernel mode (WTF). If you have NokiaEnergyDriver.sys and other PMIC/PEP/MIPI BIF (on some models) drivers installed, you should get battery show up.
Sign drivers?
Yes. Sign everything to prevent bad things from happening. I used a commercial certificate for conveience , but you don't have to do that. Here's a handy script that generates a self-signed certificate and installs it on your phone: https://gist.github.com/imbushuo/4de89ad18a0f538d8ebd18bf6daca56a
Download it, run it as administrator and specify ImageDir to your phone's partition (in mass storage mode). Then sign all your drivers binaries (and catalogs as well) with the fingerprint provided.
When signing your drivers, remember timpstamp all drivers. DigiCert's help documentation is useful for signing binaries.
Turn off UMCI
See https://forum.xda-developers.com/showpost.php?p=36394268&postcount=222. Set UMCIAuditMode key to allow all desktop applications and UMDF drivers load.
Make USB work
You will need several supplemental drivers from Windows Phone: BattFltr.sys, CAD.sys, ufx01000.sys, ufxsynposys.sys (or ufxchipidea.sys, depends on your chipset). Copy registry keys (HKLM\ControlSet001\Services and HKLM\ControlSet001\Enum\ROOT\CAD / HKLM\ControlSet001\Enum\ROOT\BattFltr) add supplemental WDF registry keys. Some files are attached as attachments, so you can take a look to get some idea about that.
Make Windows Store Apps work on unsupported resolution
See my blog post.
---------
While this project is not totally finished (e.g. No Battery status/charging unknown, no cellular, no audio), I decided to post this thread as many people asked me about the tutorial. This is just a brief tutorial, you need to have plenty of time on this to make this happen. Be careful as some steps are very dangerous.
This tutorial is provided AS-IS, without any implicit or expressed warranties. By reading this brief tutorial, you are agreed that you are taking your own risk trying this. I am not responsible for any possible consequences of installing Windows RT or other non-Windows Phone OS on Lumia phones. If your phone ships with Windows 10 Mobile, then this tutorial might not fit you. You can try drivers from other models, but I have no guarantee on this.
General workflow
- Unlock your phone with WPInternals 2.4
- Enter mass storage mode, copy registry files from MainOS partition
- Copy files from DPP partition
- Download Windows RT 8.1 ISO (publicly available on Internet, Google it)
- Download a Lumia 2520 recovery image for some files (I will post these files later)
- Download a Windows Phone 8.1 firmware for your phone
- Extract drivers, re-assembly INF files
- Patch some drivers (see my note)
- Self-sign some drivers (see my note)
- Make sure you know what you are doing: Delete MainOS and Data partition, create new NTFS partition for Windows RT. Do not touch other partitions.
- Apply system image (dism works fine)
- Copy DPP files back (C:\DPP)
- Modify sysprep tasks (see my note)
- Apply BCD configuration
- Boot
- Let OOBE fail once
- Go to mass storage mode again, mount registry and force OOBE run again
- Have fun
Notes on this project
ACPI
Reading ACPI DSDT table will help you understand your phone architecture. ACPI tables are located in PLAT partition. It is easy to extract them with 7-zip (after converting FFU to VHD). To decompile dsdt.aml, you need to download iASL tool, which is available on Internet.
Certain devices, like touch screen or panel, require other devices have driver loaded and enabled. This is not shown in Qualcomm's ACPI implementation. In my case, I need PEP, PEP 3rd, GPIO, BAM, I2C Device, QMUX, Shared Memory drivers loaded to make touchscreen work. It varies by model.
Re-assembly INF files
Mount SYSTEM registry from your phone or FFU, go to DriverDatabase\DriverPackages\<Some Driver Package>, each key in driver package key matches INF sections respectively. See some driver INF files to get some idea.
Remember to check ControlSet001\Service for additional information if necessary. If you are working on Windows Phone 8.1 firmware, check \Windows\System32\Packages to make sure you've got correct files and registry configs. These files are gzipped.
Patch drivers
Certain drivers read DPP partition for device-specific calibration information. While Qualcomm shares the codebase between Windows RT and Windows Phone, DPP partition is handled differently between platforms. You can search Unicode string "PhoneNT" to determine whether drivers read DPP or not.
To fool drivers think they are living in Windows Phone, you can create another multi-string value in the ProductOptions key. I created a value called "AnotherSuite" and filled "PhoneNT" in. Then I modified all "ProductSuite" Unicode strings in drivers to "AnotherSuite". Remember to re-calculate linker checksum (dependencies) and PE checksum.
This is critical to make wireless (Wi-Fi and Bluetooth) subsystem work.
Graphics
DO NOT use user-mode driver module from WP on Windows RT. The Windows Phone Qualcomm GPU driver does not implement DirectX 9, which is required by Windows desktop. Using WP UM driver will crash DWM.
To correctly enable GPU acceleration, use kernel driver and decoder module from your firmware, and user mode driver from Lumia 2520's recovery image. At least this works on Lumia 640 XL.
Touchscreen
Touchscreen works, however, WP driver reports wrong metric system to Windows RT. To workaround this, modify SYSTEM\TOUCH key, make some value larger than expected. See my value for 640XL in attachment.
Remove some sysprep tasks
Remove BCD and WinRE specialization and generalization tasks from sysprep task definition. OOBE will fail still. Boot to mass storage mode, mount SYSTEM registry, change setup type to 1 (see your current OS for ideas about other values), change program path to oobe\msoobe.exe. You should be able to see normal OOBE then.
BCD and Driver Signing
Test signing should be on. Disabling integrity check is recommended (though documentation says this key is ignored prior to Windows 10). Copy catalogs to the new OS, and self-sign drivers you patched.
Kernel Debugger
To enable WinDbg KD, modify your phone BCD:
Code:
bcdedit /store <Path> /dbgsettings usb TARGETNAME:WOATARGET
bcdedit /store <Path> /set {Your OS GUID} Debug On
Connect your phone to PC, start WinDbg, USB kernel debugging, target name "WOATARGET".
Have fun with Windows RT on Lumia, I am going to continue working on audio and battery

Follow
Ty Imbushuo , GREAT WORK

didnt you forgot to make efiesp guid to a efi partition else bcd cant be updated

Is there a way to patch the kernel or a bypass to avoid SECURITY_SYSTEM BSOD on MSM8960 devices?
Thanks for your work. I hope to get a newer Windows Phone soon and try Win10PE, I'm working on a custom shell that hopefully grants it a good experience on handheld devices since we lack ARMv7 ShellExperiences

J0SH1X said:
didnt you forgot to make efiesp guid to a efi partition else bcd cant be updated
Click to expand...
Click to collapse
Qualcomm's firmware is weird, so I didn't do that. (They hard-coded something) Maybe I will try it later with a dev board and see what will happen.

Fantastic job :good:
Is it possible to enable a second external monitor via Miracast ?
What about bluetooth keyboard and mouse ?
Lumia 950/XL should also support 2x monitors ( DisplayPort/HDMI via USB-C ).
It also has more RAM and might run apps better than L640.

imbushuo said:
Qualcomm's firmware is weird, so I didn't do that. (They hard-coded something) Maybe I will try it later with a dev board and see what will happen.
Click to expand...
Click to collapse
thats weired on my 930 this is NEEDED to get rt to boot but weired enough my 640 lte doesnt boot it at alll but sadly i dont get how to reassamble the inf files (im litterally just comparing my compiled touch driver inf with the registry of my 930)

I can not find the windows rt on the Internet. Can I send the file link download?
imbushuo said:
While this project is not totally finished (e.g. No Battery status/charging unknown, no cellular, no r FFU, go to DriverDatabase\DriverPackages\<Some Driver Package>, each key in driver package key matches INF sections res
Click to expand...
Click to collapse

I use google translate so it's hard to follow, it's great when you have a video tutorial, everything is more intuitive and easy.

INF files Qualcomm ARM-based View attachment Inf.zip

prokakavip said:
I use google translate so it's hard to follow, it's great when you have a video tutorial, everything is more intuitive and easy.
Click to expand...
Click to collapse
If you are an end user I would recommend waiting for WPInternals partition dumps for your device

I knew this solution... so they cant make general Qualcomm drivers never. Device specification is nightmare. Better get a hammer and deepmagic

Thank you for all the effort of going through this and providing the information.
Can somebody whoever upload fixed registry files and drivers? i was able to follow all steps successfully (except these parts) but on first boot i just get a blue screen with a sad smiley.
Also, i assumed you meant applying the install.wim image via DISM from the Windows RT 8.1 ISO.
(For those who need more help with this, Google: "Append, apply, and export volume images with a Windows Image (.wim) file",
i'm not allowed to post links due to post count).

Die Anleitung ist jetzt auch in deutsch verfügbar und hier zu finden:
Windows RT 8.1 auf ein Lumia installieren

WPVision.de said:
Die Anleitung ist jetzt auch in deutsch verfügbar und hier zu finden:
Click to expand...
Click to collapse
I registered and it still said i'm not allowed to visit the forum because i dont have permission.

D-V-D-K said:
I registered and it still said i'm not allowed to visit the forum because i dont have permission.
Click to expand...
Click to collapse
That's correct, because you did not follow the guidelines.
The activation for this area is done manually by your first post.

Samuelgames said:
If you are an end user I would recommend waiting for WPInternals partition dumps for your device
Click to expand...
Click to collapse
Can you upload your partition dumps for 640xl?

Removed. Sorry I was being rash.

spavlin said:
INF files Qualcomm ARM-based View attachment 4410518
Click to expand...
Click to collapse
but theese inffiles arent redone from registry
for example touch driver is missing

imbushuo said:
- Download a Lumia 2520 recovery image for some files (I will post these files later)
Click to expand...
Click to collapse
Use at your own risk!
Some Lumia 2520 Firmware And Driver Update ‎10. ‎6. ‎2014:
Code:
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20623735_d3143757b17f94d00f53dc6f3f4dbdf48c36430e.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624060_4b5dec4829bf5e013bf5e6c045a4ed9367afe88d.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624064_70ea6951b8f7c7d72963c38e302356f46642ec85.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624552_3c10b74a53f010a90539ea1e606f562d65a03082.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20626644_7f0f6945d5e0e19e78b3794490990145b98e2c0c.cab
http://au.ds.download.windowsupdate.com/d/msdownload/update/driver/drvs/2014/04/20639225_555ea122b93d34720513db1b344254a0a69a158c.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20639552_08956ac77c46334650fc675794d58325f279ddbb.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20640693_4d4f789e1349e350324fb7e31b60514ae191cb46.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20642401_1278d3d9f4ae8d1903ec0c6f0861ec9912139b96.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643591_beca8afddf93a8679f6e875f5abfc44f9395975a.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643598_4a154479fe2ad83eef04c99e96e44b0e88efce8e.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643814_2d9a86009238af018f92aa76a9be453ef9231424.cab

[EXPLOIT] [BOOTLOADER] Mediatek based LG K10 2017 M250 bootloader secure boot bypass.

Hello.
I managed to bypass secure boot on LG K10 M250E (should also work on other versions like M250 M250N etc.)
See https://github.com/arturkow2000/lgk10exploit
This repository contains LK exploit capable of booting unsigned system and tools for reading/writing from/to device.
For instructions check README.md in repository.

Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?

XRed_CubeX said:
Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?
Click to expand...
Click to collapse
Exploit is only for this device.
However this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory, these should work most mt6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.

OficerX said:
Exploit is only for this device.
However this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory, these should work most mt6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.
Click to expand...
Click to collapse
I can flash partitions only in preloader mode with SP flash tool or with root with Android, however my problem is on an MT6737, which also has fastboot but not an unlockable bootloader and I would like to try to port it

See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leeks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
Exploit works by crafting boot image that on load overrides LK data with payload, it works because mboot_android_load_bootimg does not check if it overlaps.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?

OficerX said:
See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leeks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
Exploit works by crafting boot image that on load overrides LK data with payload, it works because mboot_android_load_bootimg does not check if it overlaps.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?
Click to expand...
Click to collapse
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.

Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455

XRed_CubeX said:
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.
Click to expand...
Click to collapse
No soldering, just pressure. It depends the device of course...
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html

CXZa said:
No soldering, just pressure. It depends the device of course...
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html
Click to expand...
Click to collapse
No, forgive me but what is that? Pliers? How does it work?

XRed_CubeX said:
No, forgive me but what is that? Pliers? How does it work?
Click to expand...
Click to collapse
Yep. Pliers have rubber bands (not showing) to keep them closed holding those wires made out of copper paper clips. Visit the link to see bigger pics.

OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
Click to expand...
Click to collapse
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?

XRed_CubeX said:
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
Click to expand...
Click to collapse
XRed_CubeX said:
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
Click to expand...
Click to collapse
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.

OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.
Click to expand...
Click to collapse
Correct me if I'm wrong but the addresses to change the secure boot are the same right?

OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.
Click to expand...
Click to collapse
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:

XRed_CubeX said:
Correct me if I'm wrong but the addresses to change the secure boot are the same right?
Click to expand...
Click to collapse
I'm 99% sure they are, I found this while reversing seclib from MT6535, it turned out these addresses are valid for my SOC, your SOC is very similar to my and MT6535, so I think should correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Rortiz2 said:
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:
Click to expand...
Click to collapse
Oops, forgot to set permissions, now it's working.

OficerX said:
I'm 99% sure they are, I found this while reversing seclib from MT6535, it turned out these addresses are valid for my SOC, your SOC is very similar to my and MT6535, so I think should correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Oops, forgot to set permissions, now it's working.
Click to expand...
Click to collapse
Thanks you!
BTW, secure boot addresses are different for mt8163:

OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
Click to expand...
Click to collapse
Hi, I think that the option to modify the LK and modify the printf will take some time for now because unfortunately I don't have the knowledge and skills in using such a powerful tool as ida pro, another option that I you had advised, the UART via micro USB, it is not the first time I hear it and once I have already tried to build a UART with a micro usb cable but unfortunately I have not obtained any logs from the devices and I think I have built it wrong , I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the microusb cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you that you are probably sure or you have tried it, but UART via microusb is a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms so I can be sure my device supports UART. If anything you have any tips or tutorials to build a uart cable correctly?
My UART adapter is a CP2102, okay?
(P.S: My micro usb connector doesn't have a wire ID, ONLY D+, D- and GND and VCC)
(P.S2o you have any tips or tutorials to disassemble the binary well in ARM)

XRed_CubeX said:
Hi, I think that the option to modify the LK and modify the printf will take some time for now because unfortunately I don't have the knowledge and skills in using such a powerful tool as ida pro, another option that I you had advised, the UART via micro USB, it is not the first time I hear it and once I have already tried to build a UART with a micro usb cable but unfortunately I have not obtained any logs from the devices and I think I have built it wrong , I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the microusb cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you that you are probably sure or you have tried it, but UART via microusb is a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms so I can be sure my device supports UART. If anything you have any tips or tutorials to build a uart cable correctly?
My UART adapter is a CP2102, okay?
(P.S: My micro usb connector doesn't have a wire ID, ONLY D+, D- and GND and VCC)
(P.S2o you have any tips or tutorials to disassemble the binary well in ARM)
Click to expand...
Click to collapse
On my device at first I was booting modified LK, it was very slow process, at one point I couldn't move further, I had working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load DTB, I added call to bldr_load_dtb and it worked then), device was just hanging.
I updated to Oreo, LG added crash handler so I did'nt have to boot patched LK anymore and this significantly sped up everything.
I could'nt use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.

OficerX said:
On my device at first I was booting modified LK, it was very slow process, at one point I couldn't move further, I had working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load DTB, I added call to bldr_load_dtb and it worked then), device was just hanging.
I updated to Oreo, LG added crash handler so I did'nt have to boot patched LK anymore and this significantly sped up everything.
I could'nt use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.
Click to expand...
Click to collapse
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.

Rortiz2 said:
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.
Click to expand...
Click to collapse
I already did that, UART works in Linux, it doesn't work in LK, it's enabled but there is no output, I need it to get working as early in boot process as possible to debug 64 bit kernel (for it's not booting at all)
My UART driver must faulty.
I turned in Linux most stuff related usb, gpio, clocks into no-op and UART is still working.
Right now i'm porting TWRP, but whem I finish it I will try again with uart.