Related
I put the cab on my MDA Compact and installed it.
Using File Explorer I can see a folder in Program Files and an Icon in the Programs window.
This has the four Icons, Hide, Lock, Unhide and Unlock!
My extended-rom folder is visable in File Explorer so I tokk it that I didn't have to 'Unhide' it.
So pressed the unlock icon and got a window with debug and ok in the title and Error: I click ok.
1.When I get back to my desktop I have another debug, etc window with following FL_IOCTL_BDTL_HW_PROTECTION. I click ok.
2.The next debug window says The Parameter is incorrect. I click ok again.
3. The next says extrom unlocked. I click ok.
I am taken back to '1' and go through 2 and 3 again. The windows go away.
I soft reset the MDA, by using the stylus underneath it.
I go back to file explorer and into the extended_rom folder and try deleting the TMO_Wallpaper and am told access is denied!
Not sure what else to try, but guess the unlock didn't work or I have missed something. Please be kind, if you reply.
Re: I can't get this to work either, have I missed something
so3 said:
So pressed the unlock icon and got a window with debug and ok in the title and Error: I click ok.
1.When I get back to my desktop I have another debug, etc window with following FL_IOCTL_BDTL_HW_PROTECTION. I click ok.
Not sure what else to try, but guess the unlock didn't work or I have missed something. Please be kind, if you reply.
Click to expand...
Click to collapse
Hi,
I am not sure if it works for you to,
I have had the same problem, FL_IOCTL_BDTL_HW_PROTECTION on my screen. Device didnt unlock either.
Tried to do it in any possible way,
even on the fora over here.
But the one wich i skipped, or didn't found was the correct one for me,
Personal i Think my Windows Screwed the files up, but thats F%CK*#G WINLOOS.
So i went to the ftp part of this site, and just downloaded the unlock tool again,
Just did an hardboot of the device, installed the fresh download i obtained.
First unhided it, than reset, followed by unlock, and guess what it said?!?
Rom was unlocked.
So not an single error in my case, hopes it will work for u to.
It is not always your mda who fails, your pc can do this much better.
:arrow: :mrgreen:
How do I get to the FTP site, please?
http://wiki.xda-developers.com/index.php?pagename=BA_FTP_Site
Ok I think i have got to the ftp site, I say I think because when I clicked on the link it took me stright there, it didn't ask me for a username or password :?:
Anyway I searched all what I thought were the relevant folders and some that weren't and couldn't find the file
Can anyone help?
your device is called magician as codename
try looking in the sub dirs under there
I don't want to appear rude, but I have searched all the folders, etc!
A lot of phones will only boot if the firmware has a valid signature. Does the Samsung Wave check the firmware's signature (if there is one)?
In case of Bootloader I can confirm Signature check.
Because bricked after changing text...
boot_loader.mbn ---> yes, sure
dbl.mbn ---> not tested, but I think yes, because Qualcomm part...
All other files have no valid/mandatory Signature check.
You can modify all files.
Accept MD5 Hash for Multiloader, but this you can disable.
Handset self not check.
Best Regards
Can you tell us what you want to do??
Well, what I really want to know is if the hardware performs signature verification. For example, the bootloader in most HTC phones checks the signature of the firmware and will proceed to boot if it is valid. Replace the bootloader with your own custom bootloader and know checks are performed and you can put anything you want on it because the hardware does not check the signature of the bootloader. I also might want to modify Bada firmware, too. It is a different operating system or platform or whatever you want to call it and it looks like it would be fun to play around with. I own a Motorola DROID 2 Global.
Does anyone understand what I'm talking about?
Read it
http://forum.xda-developers.com/showpost.php?p=12213290&postcount=21
I'm afraid that is not clear enough. Has anyone tried to flash an alternative bootloader. And please, read my terminology. When I say bootloader, I mean software not the etched boot rom.
Has anyone tried to flash an alternative bootloader.
Click to expand...
Click to collapse
In case of our Flash Tool Multiloader we have only 2 files:
boot_loader.mbn----> "Samsung part"
dbl.mbn------------> "Qualcomm part"
As we have 2 CPU inside, 1 from Qualcomm... Call Processor, the other from Samsung = Application Processor.
So in most cases dbl.mbn is complete untouched in my tests. But I've failed in:
---> changing to oldest "unprotected" Boot XXJB6
---> changing to S8530 Boot (dbl.mbn is 1:1 same)
---> changing to modified S8500 Boot = bricked, but reanimated with JTAG
You can see my attempts here:
http://forum.xda-developers.com/showthread.php?t=897468
Boot means boot_loader.mbn, but I was tooo lazy to write full.
Best Regards
Master Melab said:
Has anyone tried to flash an alternative bootloader.
Click to expand...
Click to collapse
Oleg succeed doing it with JTAG. It is sure that it's also possible to do through FOTA, but there is almost no way to succeed at first try, so JTAG is also required there for the first tries. And... why would we do that? ;d
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
OK, getting to formal terminology there are several cryptographic services implemented on Wave bootloader level:
- integrity - on each loader stage
- authentication - modules loaded are verified using hardcoded (in BL3) public key
- confidentiality - some modules are encrypted using symmetric key cryptography
You may as well find some access control (implicit coming from symmetric key confidentiality and loading protocol requiring proper unlock procedure) and non-repudiation elements (storing the history of loaded components).
In more general view:
When talking about bootloader level software, it makes no sense to differentiate between hardware and software verification. It all comes to completeness of the verification chain. In most cases bootloader provides the only designated interface (with the presumption of not intruding hardware components) that is available for writing executable components into non-volatile memory used in the booting process.
Bearing that in mind, I would add to the locked bootloader definition that it does not only verify kernel, but verifies all executable components that take part in the booting process (including bootloader, of course).
Rebellos said:
Oleg succeed doing it with JTAG. It is sure that it's also possible to do through FOTA, but there is almost no way to succeed at first try, so JTAG is also required there for the first tries. And... why would we do that? ;d
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
Click to expand...
Click to collapse
What is [the] "iROM"?
Sent from my DROID2 GLOBAL using XDA App
mijoma said:
OK, getting to formal terminology there are several cryptographic services implemented on Wave bootloader level:
- integrity - on each loader stage
- authentication - modules loaded are verified using hardcoded (in BL3) public key
- confidentiality - some modules are encrypted using symmetric key cryptography
You may as well find some access control (implicit coming from symmetric key confidentiality and loading protocol requiring proper unlock procedure) and non-repudiation elements (storing the history of loaded components).
In more general view:
When talking about bootloader level software, it makes no sense to differentiate between hardware and software verification. It all comes to completeness of the verification chain. In most cases bootloader provides the only designated interface (with the presumption of not intruding hardware components) that is available for writing executable components into non-volatile memory used in the booting process.
Bearing that in mind, I would add to the locked bootloader definition that it does not only verify kernel, but verifies all executable components that take part in the booting process (including bootloader, of course).
Click to expand...
Click to collapse
Please define "BL3". (A stage 3 bootloader?) Yes good point about my definitions, I will add your suggestion. Does the Wave's bootloader use RSA, El Gamal, etc.?
Edit: But, in my mind it does make sense to differentiate the hardware and software.
Sent from my DROID2 GLOBAL using XDA App
Master Melab said:
What is [the] "iROM"?
Sent from my DROID2 GLOBAL using XDA App
Click to expand...
Click to collapse
iROM is a chip that contains code to load the very first bootloader from NAND, it cannot be modified i believe.
Rebellos said:
Also, iROM seems to perform some checksum validation, but as we can see from oleg's example - even without correct checksum it starts altered bootloader from oneNAND.
Click to expand...
Click to collapse
Catching errors, maybe?
Master Melab said:
Please define "BL3". (A stage 3 bootloader?) Yes good point about my definitions, I will add your suggestion. Does the Eave's bootloader use RSA, El Gamal, etc.?
Click to expand...
Click to collapse
Yes, I mean stage 3 bootloader.
There are 3 hardcoded public RSA keys. All 512 bit with 2^16+1 exponent.
Master Melab said:
Edit: But, in my mind it does make sense to differentiate the hardware and software.
Click to expand...
Click to collapse
Please justify the differentiation and define what you understand by hardware as I'm not sure whether you are really serious about it or not.
mijoma said:
Yes, I mean stage 3 bootloader.
There are 3 hardcoded public RSA keys. All 512 bit with 2^16+1 exponent.
Please justify the differentiation and define what you understand by hardware as I'm not sure whether you are really serious about it or not.
Click to expand...
Click to collapse
When I say "bootloader" think GNU GRUB and Windows' NTLDR—that is software. The reason for the differentiation is that the bootloader as defined in the PC world, the iOS hacking community, and other parts of the mobile development community is replaceable/flashable. When I refer to "hardware-based verification" I am talking about instructions physically etched on the chip that will perform some sort of signature or hash check of the lowest level of the boot chain. The "low level bootloader" or "LLB" in iOS is checked by the iPad/iPhone/iPod touch's boot ROM. The public key that is used to verify the LLB's signature is represented as physical breaks in the silicon.
Master Melab said:
When I say "bootloader" think GNU GRUB and Windows' NTLDR—that is software. The reason for the differentiation is that the bootloader as defined in the PC world, the iOS hacking community, and other parts of the mobile development community is replaceable/flashable. When I refer to "hardware-based verification" I am talking about instructions physically etched on the chip that will perform some sort of signature or hash check of the lowest level of the boot chain. The "low level bootloader" or "LLB" in iOS is checked by the iPad/iPhone/iPod touch's boot ROM.
Click to expand...
Click to collapse
Sorry, but if the area is not programmable it does not mean it's not software.
When thinking about 'embedded' world, leave the PC world alone. The list of differences is longer than the list of similarities.
Have a point there, but even if the verification is not done by hardware it does not mean it's replaceable (without hardware intrusion). The formal logic would require to show exploitable vulnerability first and there isn't a generic one.
Master Melab said:
The public key that is used to verify the LLB's signature is represented as physical breaks in the silicon.
Click to expand...
Click to collapse
LOL. Sounds like written with blood. Maybe I'm not English native and that's the reason I didn't get it, but could you elaborate (you may go deep without worries) on the method of creating 'physical breaks in the silicon' as it does not seem to be scientific term? It does, however, seem just as a description of a form of 'non-volatile memory'.
What value does the strict lowest level protection policy have when higher level introduce (with increasing probability with each level) vulnerabilities easier to exploit?
Does the Wave's bootloader use RSA, El Gamal, etc.?
Click to expand...
Click to collapse
RSA I've seen.
El Gamal never heard.
etc. not sure...
Maybe if you have some time and you are willing to learn with us. For instance here:
http://forum.xda-developers.com/showpost.php?p=13522665&postcount=50
In Firmware files are many Certs included... few of them seems to have also private parts... but encrypted... example:
EncryptedDevcerttemplateFile
EncryptedPrivKeyFile
According to other Samsung handsets... folder Security is also available on other models... few Certs should be same...
No idea if all Certs are usefull... but maybe fun to train brain.
Best Regards
mijoma said:
Have a point there, but even if the verification is not done by hardware it does not mean it's replaceable (without hardware intrusion).
Click to expand...
Click to collapse
Please, explain.
mijoma said:
LOL. Sounds like written with blood. Maybe I'm not English native and that's the reason I didn't get it, but could you elaborate (you may go deep without worries) on the method of creating 'physical breaks in the silicon' as it does not seem to be scientific term? It does, however, seem just as a description of a form of 'non-volatile memory'.
Click to expand...
Click to collapse
Things like a BIOS or true read only memory have instructions or data encoded into the layout of the circuitry itself. Usually, fuses are either broken or left intact and this may either mean a 1 or a 0, depending on the manufacturers device works.
adfree said:
RSA I've seen.
El Gamal never heard.
etc. not sure...
Maybe if you have some time and you are willing to learn with us. For instance here:
http://forum.xda-developers.com/showpost.php?p=13522665&postcount=50
In Firmware files are many Certs included... few of them seems to have also private parts... but encrypted... example:
EncryptedDevcerttemplateFile
EncryptedPrivKeyFile
According to other Samsung handsets... folder Security is also available on other models... few Certs should be same...
No idea if all Certs are usefull... but maybe fun to train brain.
Best Regards
Click to expand...
Click to collapse
adfree, when I say "etc." I mean "et cetera", which in Latin means "and other things" or "and so forth". El Gamal is another asymmetric cryptosystem that relies on the difficulty of factoring a large composite number, just like RSA.
And thank you for the file.
Hello XDA!
A quick thanks to those reading/interested and I apologize in advance if this belongs in the development section. I don't have permission to post their yet (perhaps with good reason!). After much searching, I've come to the conclusion there is, as yet, no free method of network unlocking the Galaxy Wonder GT-I8150.
I want to find a method to do this, test it, and then automate the process through a shell script and/or batch file. If it doesn't cost too much, I'll even try and make an app for it. I have two reasons for doing this: I own this model of phone (surprise!) and more importantly, I want to expand my portfolio of little computer projects because I want a job in IT, and I want it now.
So this thread will serve as a knowledge base and brainstorming place. Please -anyone with ideas about how to go about this - let me know!
Here's what I'm trying at the moment: based on a similar method used to unlock the HTC Sensation (and some other models), I'm going through the mmcblk virtual partitions after copying them to a .txt file (filetype is binary, .txt is just so my girl's Mac opens them with a text editor). Using a grep command with a regular expression I'm pulling every single 8 character long string of only digits and exporting the result to another txt file.
I then search the mmcblkXpXX file for these 8 long strings one at a time, trying to read through what I can of the binary file for giveaways like "isim_auth_key" or what not.
I started yesterday so I'm only up to mmcblk0p06.
If you have a network unlocked version of this phone, I might end up needing certain files to compare, but I won't ask unless I think I'm onto something.
Finally, if anyone has found an NV_data.bin, bml5 file (or equivalent) for this model, tell me what it's called! Or where I need to extract it from.
Thanks in advance,
GrayedFox
Info
Here are some links to information about unlocking various models of phones, using slightly different methods, for those interested. None apply directly to the gt-i8150 but I'm trying to tweak them just as a starting point.
http://forum.xda-developers.com/showthread.php?t=828534
http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334
http://forum.xda-developers.com/showthread.php?t=1693491
http://forum.xda-developers.com/showthread.php?t=1335548
http://forum.xda-developers.com/showthread.php?t=1064978
Here is some information from my mmcblk0p06 file... wrapped in spoilers.
PERSO: Failure to write: %sPerso Command can be handled only on a provisioned session or when Card is not present on slotmits/perso.txt
[first mention of a person.txt file I've found]
EFS file read successfully [this implies there IS an efs file somewhere…]
EFS: Creating ISN file
EFS store sequence number
EFS: ISN file not present
AMSS\products\7x30\core\securemsm\smetest\test_crypto\src\sectestcipher.c
if anyone knows how to access that perso.txt file listed, please post the linux command here!
I'm afraid to say I'm running out of ideas here I've pulled every single mmcblk file on the phone - on stock rom and on cyanogenmod - looking for some sort of reference to a network unlock key but it's just not there. I even got Vodafone to send me my unlock key and have been searching the files for the exact key but it's no where on the phone.
I've even data dumped each of these files too - with an authenticated and nonauthenticated sim (network unlocked and network locked) sim and searched using a hex editor. I will have to move on to another project soon, but perhaps this will serve as an informing post for some: let it be known, there are absolutely NO references to an unencrypted network unlock key for this model of phone on stock rom.
Not in any of the mmcblkXpXX files (where most unlock keys are found for other phones) - and I've searched hard.
if anyone has further suggestions I'll remain subbed to this thread. Peace.
Probably they save a lock code, and the unclock is calculated with that lock code and IMEI.
GrayedFox said:
I'm afraid to say I'm running out of ideas here I've pulled every single mmcblk file on the phone - on stock rom and on cyanogenmod - looking for some sort of reference to a network unlock key but it's just not there. I even got Vodafone to send me my unlock key and have been searching the files for the exact key but it's no where on the phone.
I've even data dumped each of these files too - with an authenticated and nonauthenticated sim (network unlocked and network locked) sim and searched using a hex editor. I will have to move on to another project soon, but perhaps this will serve as an informing post for some: let it be known, there are absolutely NO references to an unencrypted network unlock key for this model of phone on stock rom.
Not in any of the mmcblkXpXX files (where most unlock keys are found for other phones) - and I've searched hard.
if anyone has further suggestions I'll remain subbed to this thread. Peace.
Click to expand...
Click to collapse
Hello
while searching for sim unlock i found this method for galaxy s4 mini could you check if it work with our wonder device?
here -> http://forum.xda-developers.com/showthread.php?t=1693491
Regards
Help.
I need help unlocking my bootloader, I can type adb devices while the device is powered on & my unique I.D number comes up in cmd, but whenever I boot into bootloader, the device doesn't come up in cmd what gives? All my drivers are up to date & installed correctly, though I get an MTP driver issue, could that be causing this? This is my second M8 (T-Mobile this time), first one was the dev edition s-off & converted to GPe.
You never said what command you used in the bootloader ?
It's :
Fastboot devices (not adb devices)
adb devices for adb wile phone is booted in OS
fastboot devices in fastboot/hboot mode
Oops never mind, another thing - I keep getting an error while trying to submit my code to HTC Dev after getting the identifier token.
EternalAndroid said:
Oops never mind, another thing - I keep getting an error while trying to submit my code to HTC Dev after getting the identifier token.
Click to expand...
Click to collapse
Please state the error if you would [emoji12]
After reading the opening post here, I get the impression that the code you get for the token is more an issue on your side(You messed up somewhere).
That being said, it doesn't help alot saying "I keep getting an error" but you don't tell us what the error is.
Taking a wild guess, it has to do with the actual token. Make sure you don't have any spaces in the selection of the code. Select it with the <<<<< >>>>> included. Do NOT include the <bootloader> parts next to it and again make sure there are NO spaces in the selection.
Comparison pictures of the code how it SHOULD and SHOULD NOT look.
If that is not your problem then give more information as to the error you're receiving. Doesn't help to phone an IT dept for help and you don't tell them what the problem is either, does it? Same here...
jball said:
Please state the error if you would [emoji12]
Click to expand...
Click to collapse
Sorry guys just frustrated & keep forgetting, "error reason token decryption fail (cannot generate result)."
But I think I figured out my issue, so my computer's internet is off right now & I'm trying to do all this from my N5. I'm typing the code on my phone, reading it letter for letter, number for number.
BerndM14 said:
After reading the opening post here, I get the impression that the code you get for the token is more an issue on your side(You messed up somewhere).
That being said, it doesn't help alot saying "I keep getting an error" but you don't tell us what the error is.
Taking a wild guess, it has to do with the actual token. Make sure you don't have any spaces in the selection of the code. Select it with the <<<<< >>>>> included. Do NOT include the <bootloader> parts next to it and again make sure there are NO spaces in the selection.
Comparison pictures of the code how it SHOULD and SHOULD NOT look.
If that is not your problem then give more information as to the error you're receiving. Doesn't help to phone an IT dept for help and you don't tell them what the problem is either, does it? Same here...
Click to expand...
Click to collapse
Oh wow I see
Copy the text to notepad. Copy it to your phone. Open it in your phone using any file manager. Copy and paste .
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes they were using exactly the same file to start with Also 16.51.x or newer appears to be no go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
Click to expand...
Click to collapse
devmihkel said:
Yeah, 2nd attempt is much better as last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far SWF scripts are not involved in update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Click to expand...
Click to collapse
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Do You have an idea how to connect by USB2LAN adapter to uConnect ?
Do You know if there is an UART pins on the mainboard ?
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Click to expand...
Click to collapse
Hello, any news about it?
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Click to expand...
Click to collapse
sofro1988 said:
Hello, any news about it?
Click to expand...
Click to collapse
I have not had had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap nand to an identical image that has been he's edited to enable usb Ethernet and add a custom key for ssh access.
I thought to stack a NAND on top of the original on a is flash drive, then breakout the Chip Enable pin to a switch. I've seen this done for with guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
Click to expand...
Click to collapse
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Click to expand...
Click to collapse
thanks for answer.
I saw an ssh key with the hex editor, but I would like to see exactly what you have replaced.
if it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double nand is good, but not very simple to make ...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
Click to expand...
Click to collapse
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
Click to expand...
Click to collapse
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
sofro1988 said:
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
Click to expand...
Click to collapse
I managed to connect with the cisco adapter (usb / ethernet), but I don't know the root password. is the problem at the moment insurmountable ..
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
Click to expand...
Click to collapse
I connected in telnet on a uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with static IP it brings up if no DHCP is offered is: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Click to expand...
Click to collapse
after rsa key replaced, do you have recalculate the checksum of UPD file?
have you replaced the first 64 bytes of the file?
thanks
@itsJRod, isn't it that you would like to explain the procedure to replace the RSA key in the swdl file? thank you
Hello,
have you made any progress? I am a bit lost. I put the EU uconnect MY15 to US dodge charger MY16 and Perf Pages were working fine even on 16.16.13, although after upgrade to 17.x (17.46.0.1 right now) I am meeting the problem of expired subscription (which is not possible to have on EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it, I tried to put swdl.upd with swdl.iso as and installer.iso with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago. Since them problems, radio turn on delay, no GPS and cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own is possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism, I believe I have tried all of tricks/methods
I have searched the code to see if I can find the iso MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed somethign but nothing work.
I have even tried the swapping the flash drives after validation but it seems they are using the ISos they already copied to continue the process, I then end u getting some invalid errors or the update just crashes out
I got other updates from the link: http://www.mydrive.ch/
http://www.mydrive.ch/http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Havent tried all of them yet, but pretty sure they wont work, due to the 17x security changes.
Any help would be appreciated grealty, I really dont want to shell out any cash for something a company told me to to and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago. Since them problems, radio turn on delay, no GPS and cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own is possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism, I believe I have tried all of tricks/methods
I have searched the code to see if I can find the iso MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed somethign but nothing work.
I have even tried the swapping the flash drives after validation but it seems they are using the ISos they already copied to continue the process, I then end u getting some invalid errors or the update just crashes out
I got other updates from the link: http://www.mydrive.ch/
http://www.mydrive.ch/http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Havent tried all of them yet, but pretty sure they wont work, due to the 17x security changes.
Any help would be appreciated grealty, I really dont want to shell out any cash for something a company told me to to and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
Click to expand...
Click to collapse
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
Click to expand...
Click to collapse
I created an account just to reply to this and All I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked from me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and no you need to reach out to this person between them and the dealership. Dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at the step 11 1% and would get a failed sierra wireless every time and then got in that "bolo update failed" loop..Well to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in the previous comment and quick format to FAT32 on a 16GB Micro Center USB extracted the files from 16.33.29 to the USB with 7ZIP, plugged in like normal and BOOM it ran the first step restarted and I had a working radio again showing update 18.45.01.
(So i'm assuming you don't have to do the S Byte thing I didn't even mess with it I just used the 16.33.29 to bypass step 11 since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still is the wrong address but I don't care about all that just thankful to have my radio back before my wife killed me for trying to update it by myself. )
I hope this helps someone else one day because it took some deep research and hours on hours of forum hoping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
Click to expand...
Click to collapse
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine they way this helped me. Thank you again for this!