This is a translated part of http://forum.motofan.ru/index.php?showtopic=157514&st=70
A bit of theory.
A hole was discovered in the irom boot loader of the BP. When the phone powers on, the first boot stage (mbm, the AP part) loads bp-loader into RAM and tells the BP to start it. The BP's irom bootloader checks the signature of bp-loader and, if everything goes well, passes execution to bp-loader. The important point: just before the signature check, the BP's irom loader checks whether the bp-loader header contains a pointer to a certain structure, and if the pointer exists it parses that structure. Besides its header, this structure contains a set of addresses and values; the irom loader writes each value to the corresponding address (if it considers the address acceptable). So it is possible to fill the structure with our own values and hand it to the BP in order to patch the AP boot (the AP boot is already loaded into RAM at that moment, its signature was verified earlier, and it is waiting for the BP to report that bp-loader has passed its signature check). The structure can be placed after the signature, and the patch it describes can restore the bp-loader header to its original state so that the normal signature check still succeeds.
Necessary additions to the bp-loader:
Place a structure of the following format after the bp-loader signature:
The first four bytes of the structure are the constant 0xB17219E9, used to verify that the structure is valid.
The next four bytes are the size of the structure (must be a multiple of eight, but not more than 256).
After that follows the list of addresses and values (four bytes for the address and four for the value).
The bp-loader header must contain a pointer to this structure (a four-byte address at +0x14 from the start of bp-loader) and a pointer to this list (at +0x0c from the start of bp-loader). So, for bp-loader to pass its signature check, we need to return the header to its original state (these data fields normally contain zeros), and therefore the first patch described in the structure fills those data fields with zeros. Then follow the patches that are applied to the AP boot. After some experiments I got a minimum set of boot patches that make the phone work with unsigned firmware for boots 06.a3 (E8) and a3.cf (V8), the numbers that "survived" until victory..
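The layout above can be checked mechanically. The following is an added example (not code from the post or from the phone's firmware) that reads the header pointer at +0x14 of a bp-loader image and parses and validates the structure it points to, which is useful for spotting a modified bp-loader. Assumptions not stated in the post: little-endian fields, the pointer is an offset from the start of the image, and the size field counts the 8-byte header; the sample image is constructed.

```python
import struct

MAGIC = 0xB17219E9   # constant from the post
MAX_SIZE = 256       # size must be a multiple of 8 and at most 256 bytes
PTR_OFFSET = 0x14    # header field holding the pointer to the structure (per the post)


def parse_patch_struct(blob: bytes, offset: int):
    """Parse the address/value structure and return a list of (address, value).

    Raises ValueError when the structure breaks a constraint the post states.
    Assumption: little-endian fields; the size counts the 8-byte header."""
    if offset + 8 > len(blob):
        raise ValueError("structure header runs past the end of the image")
    magic, size = struct.unpack_from("<II", blob, offset)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    if size < 8 or size % 8 != 0 or size > MAX_SIZE:
        raise ValueError(f"bad structure size {size}")
    if offset + size > len(blob):
        raise ValueError("structure body runs past the end of the image")
    entries = []
    for pos in range(offset + 8, offset + size, 8):
        addr, val = struct.unpack_from("<II", blob, pos)
        entries.append((addr, val))
    return entries


def find_patch_struct(image: bytes):
    """Follow the +0x14 header pointer; None means the header is untouched.
    Assumption: the pointer is an offset from the start of the image."""
    (ptr,) = struct.unpack_from("<I", image, PTR_OFFSET)
    if ptr == 0:
        return None
    return parse_patch_struct(image, ptr)


# Constructed sample: a 0x40-byte header whose +0x14 pointer refers to a
# 24-byte structure with two entries right after the header.
SAMPLE = bytearray(0x40)
struct.pack_into("<I", SAMPLE, PTR_OFFSET, 0x40)
SAMPLE += struct.pack("<II", MAGIC, 24)
SAMPLE += struct.pack("<II", PTR_OFFSET, 0)          # first patch: zero the header field
SAMPLE += struct.pack("<II", 0x12345678, 0xDEADBEEF)  # constructed placeholder entry
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for addr, val in find_patch_struct(SAMPLE) or []:
        print(f"write 0x{val:08x} -> 0x{addr:08x}")
```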
The patches depend on the boot version; if you install the wrong patch, or the right one for a boot version it does not match, you get a corpse. I have a dead Z6: I tried earlier versions of the patches on it, in which I had not taken certain checks in the boot into account; dimichxp killed an E8.. Whether these phones can be restored is a big question.
Well, that is basically everything. I attach the boots, which you just need to flash to the phone if your phone's boot version coincides with one of these. And even if it coincides, think again about whether you really need it))
If someone takes on porting it to other boot versions / phones, keep in mind that you need to be extremely careful and recheck everything you do; you will most likely get only one attempt!
