06-10-13 09:43 AM
39 12
tools
  1. quackquack147's Avatar
    Hello everyone,
    Greetings!
    This is my first post in this forum. Well anyway lets get to business.
    I got myself 2 64 GB playbook in 2011 december, now i am bored with playbook. I would like to know how can i install free and open source Operating systems.
    a little bit of info about me. i been working with coreboot and openwrt for a long time. and I am okay with using a jtag and a buspirate. and i have decent soldering skills. enough to do soic smd soldering and also learning bga reworking.
    this is my first post and i been reading the mails here. and in one of the post i read there is something called bootrom, iirc by xsacha. can xsacha or someone let me know in details how to solder this chip out of the mobo and also many people told us we can coreboot laptops. and now its been done. and many people told us we cant do squat when it comes to replacing the soic8 chip which is only 2 MB in thinkpad t60 with a higher pin.
    well i removed the 2 Mb and i replaced it with a 4 MB chip and now i am planning to upsize it to 8 MB soic8 flash chip. So if its a flash chip on board it can be done with ease and i heard there is some kind of bootrom chip inside cpu am i right?
    first off i am bored with the playbook OS and blackberry's lack of will power with the bootloader. i do believe in peace and non violence but sometime violence is the only solution. like how i had to mercilessly kiss and kill the 2 MB thinkpad t60 soic8 chip with a higher one. looks like i am ready to dive deep with the blackberry playbook 64 GB board.
    this is sickening and really frustrating. anyway for those who cant believe that thinkpad t60's flash chip cant be upsized here is the proof. flashrom 4 MiB - Pastebin.com
    now i am working currently with t410 and t420 and planning to port coreboot to it. so i guess i have a plenty of time to play with playbook hardware when i meet with a disastrous failure with coreboot. kind of distraction.
    so can someone tell me which is the bootrom chip, is it an electronic chip?
    can we rs232 or serial console and trap the boot log?
    can we jtag into this machine?
    can we wipe clean this device (bootrom)?
    can we use UV to wipe clean the bootrom (be it a chip or be it on the cpu)? i am willing to take the risk.
    i am not a bounty hunter and i am doing this for pure pleasure and adventure and to give blackberry a flipping bird.
    I am planning to run debian wheezy or jessie or sid on this trapped paradise.
    any insight information is needed. and please no negative suggestions like "this will turn into a 500 US$ worth brick." i know the risk i am taking and i am fully aware that i am no longer going to enjoy the blue pill and i am ready to bite the red pill and go to wonderland and would like to see how deep the rabbit hole is.
    can someone here tell me the way to rabbit hole. if no one ready to walk with me? i will walk alone the rabbit hole.
    really sick and stuck in trapped paradise with blackberry's BS!
    thanks
    -paul
    blueberrymerry likes this.
    06-09-13 06:27 PM
  2. diegonei's Avatar
    Welcome to the forums!

    There is no way you can change the OS on the PlayBook. I know you didn't really want to hear it, but that's how it is at this moment.
    06-09-13 06:35 PM
  3. quackquack147's Avatar
    Thanks diegonei,
    you mean you can remove one or more than one chip from the board and then wipe clean everything and then proceed? this cant be! thumb rule of encryption is "it will be broken! (TM)" its just a matter of time. cant we bypass this frikkin rom chip or bootrom chip?
    i havent yet opened my blackberry. its still virgin unlike my thinkpads which are opened and broken and bashed and beaten up with solder and stuffs.
    i agree this is not a one night smash and grab job this is a long and tedious one.
    Since i havent opened my blackberry playbook yet i have no idea and the images are too tiny to look for the chips viz bootrom or et al. if this bootrom is like the dreaded tpm from infeneon then there also has to be a hard reset switch and if everything else fails that is if its a single write chip? then we may have to forcefully remove this chip and place it under an ultraviolet eraser and erase and reprogram this chip.
    i guess i got all the necessary tools to do this job. i am not an electronics engineer but i am into software development. so my knowledge in electronics is ultra minimalistic. may be we are missing something. yes we are. if its a single write on then its an EEPROM which can ONLY be erased using ultra violet light. else we can reprogram this chip.
    secondly, if its digitally signed? then the key has a definite expiry date. if thats the case then the chip needs to be reprogrammed with an upgrade or update in the OS. like how in thinkpad t60 and t410 and t420, lenovo updates the dmi sets. likewise we have only 2 possibility i.e. 0 & 1, 0 being its an single write UV eraseable eeprom else 1 which is it can reprogrammed with out a UV eraser. in that case i got eeprom programmers and also buspirate and other tools like jtag which i been using with openwrt.
    thanks for your and many more feedbacks which are yet to come. and i will personally thank eash and every post no matter how much depressing the answers are.
    time to go stubborn. reason, if its encryption? then it can be cryptanalysed or brute forced. if none of them work? manual reset. i am stubborn and adamant about it.
    thanks for your feedback diegonei. i will wait for more and more information to flow in. because i am not giving up on this bi*ch.
    sorry for my bad english i am from india and english is not my mother tongue.
    -paul
    people pour in more information. i need more information. and also if there is/are any/many hardware engineer can she/he help me locate this frikkin bootrom chip its location latitude and longitude on the system board? thanks again.
    06-09-13 07:05 PM
  4. FF22's Avatar
    You may go to the Rooting Subforum - under the pb OS subforum. Supposedly, it canNOT be done. I don't know if anyone has physically removed/reprogrammed chips or roms or xyz.
    06-09-13 07:42 PM
  5. Kris Simundson's Avatar
    I have PB guru coming in to help once he gets off work

    Posted via CB10
    06-09-13 07:44 PM
  6. tjwplaybook13's Avatar
    You CAN turn a Ferrari into a speed boat. Why you would ever want to is beyond me, but you COULD.

    No one is saying it's IMPOSSIBLE, just that it's not worth the effort by a longshot. It cannot be done reasonably easily, therefore in reality no one is going to bother tearing it open, reprogramming chips, tinkering with the EEPROM, etc...

    And FYI, there is no such thing as a $500 BlackBerry ANYTHING anymore. Hasn't been since a couple years ago.

    So hey, worst that could happen is you'd have a $150 paperweight. Maybe you should just turn it into an Ant Farm instead?!?!
    06-09-13 07:49 PM
  7. SCrid2000's Avatar
    If you replace enough hardware, sure, you can run whatever you want on it lol.

    But as far as decrypting the bootloader, theoretically of course it's possible, but I've never heard of anyone being able to do it. You can certainly try.
    06-09-13 07:59 PM
  8. project_x's Avatar
    If this is really what you want to do, I'd be happy to trade a complete 16gb and a working 16gb motherboard for one of your 64gb.....pm me if u're interested

    Posted via CB10
    06-09-13 08:03 PM
  9. quackquack147's Avatar
    Thank you F2 for the heads up! yes i will start posting as soon as i get enough information and open up my blackberry playbook 64 GB.
    in the mean while i came across this. How to Fix BlackBerry 10 Dev Alpha After Wiping (Solved) | Justudin's Blog
    hmmmm interesting stuff. So indeed the chip is reprogrammable.
    5W's
    W 1st: Who controls it -> as of now blackberry inc.
    W 2nd: what is inside -> as of now blackberry inc only knows whats the secret key its holding inside.
    W 3rd: when is it unlocked -> when blackberry inc wishes a major upgrade or update or a change of expiry date
    W 4th: where is it locates -> blackberry inc knows the detailed technical knowhow about this chip and its location on the system board.
    W 5th: why is it unreachable -> looks like something is masking it. since is reprogrammable blackberry inc is keeping it tucked under its pillow or locked in a uber safe lock.

    now 4 R's
    R 1st: Reading the system board may be of some help.
    R 2nd: Writing or reprogramming requires special technique or instrument or device. This has to be implanted on the system board somewhere.
    R 3rd: aRithmetic looks like is mandatory since bruteforce may be necessary, hashcat? and or many more hash decryption tools.
    R 4th: Reason to wipe using UV if all above R's fails to do the job.

    Now 5 W's and 4 R's can help us get the answer we all are looking for "1 H" or "How".

    Hopefully my insane madness plus other insane mad fellow blackberry clubbers will join and as a united force we may be able to crack it. hello this is crackberry. ;-) lets crack it.

    thanks
    -paul
    06-09-13 08:11 PM
  10. quackquack147's Avatar
    I have PB guru coming in to help once he gets off work

    Posted via CB10
    now looks like the sunday lazyness is over and mundane monday mood is taking over everyone. yes yes yes. i would be more than glad to meet whosoever in order to get this done.
    looking forward to this. and keeping my fingers crossed.
    thanks again.
    -paul
    06-09-13 08:14 PM
  11. Kris Simundson's Avatar
    now looks like the sunday lazyness is over and mundane monday mood is taking over everyone. yes yes yes. i would be more than glad to meet whosoever in order to get this done.
    looking forward to this. and keeping my fingers crossed.
    thanks again.
    -paul
    He's the one who managed to get BB10 on the PB and running

    Posted via CB10
    06-09-13 08:23 PM
  12. quackquack147's Avatar
    You CAN turn a Ferrari into a speed boat. Why you would ever want to is beyond me, but you COULD.

    No one is saying it's IMPOSSIBLE, just that it's not worth the effort by a longshot. It cannot be done reasonably easily, therefore in reality no one is going to bother tearing it open, reprogramming chips, tinkering with the EEPROM, etc...

    And FYI, there is no such thing as a $500 BlackBerry ANYTHING anymore. Hasn't been since a couple years ago.

    So hey, worst that could happen is you'd have a $150 paperweight. Maybe you should just turn it into an Ant Farm instead?!?!
    we can convert anything to anything and vice versa. i.e. we can turn a ferrari into a speed boat or a speed boat into a ferrari. ferrari as a speed boat will need a rudder and propeller and a speed boat as a ferrari will need wheels. we and/or i are not trying to reinvent the wheel. its done deal. we want to modify the wheel and rethread the wheels so we get more grip on the road.
    what i mean by that is? i am here looking for freedom. if i am renting firmware as a service from blackberry i want a few facilities which i should get but which i am not getting. which is why i am pissed off. secondly if we post a FOSS OS into the device then we are no longer tenant we are the real owners. its like live free else die.

    no one bothering to tear it open. i am sorry i am willing to tear it up and open. heat my hot air reflowing gun and blow the smoke off the soldering tip and JUST DO IT!

    I think i did say before in the first post i purchased in dec 2011 or jan 2012 so its warranty is over and the 500 US$ odd something needs to pay me back with interest. which i am not willing to forfeit.

    Worst 150US$ paper weight. i think i did say it already. i am willing to bite the bullet and chew the red pill. because if no one does someone gotta do the dirty job. plus i had enough of this BS from blackberry. its time to give them a swift kick between their legs for FREE! i will GPLised that swift kick between their legs. ;-)

    i am not here to insult or offend you. i am here to take whats mine and claim what i paid for! my playbook and i want to play with it.

    So i hope there is no hard feelings tjwplaybook13. my grudge is against blackberry and not you.
    thanks
    -paul
    Last edited by quackquack147; 06-09-13 at 08:45 PM. Reason: minor corrections
    06-09-13 08:24 PM
  13. quackquack147's Avatar
    If you replace enough hardware, sure, you can run whatever you want on it lol.

    But as far as decrypting the bootloader, theoretically of course it's possible, but I've never heard of anyone being able to do it. You can certainly try.
    i am not sure i am just walking in the dark like everyone else and i am hopefull i will see a faint ray of light somewhere. just being optimistic in this pessimistic world.
    i dont know if i can decrypt the boot loader. i am not sure. i hope they have an infeneon chipset. if its so then its a piece of cake with buspirate. but if its something else? then blackberry is sure to give me a run for my money, here 500 US$ :-D hehe!
    anyway i am looking forward to more information and i am searching left and right and center here and in google for more information.
    i know this has never been done before, but isnt it worth a try?
    thanks SCrid2000
    lets hope against hope. my fingers crossed. before i dive into deep sea i need to have a weather forecast and also need to know where is the nearest shore and a map of the ocean. :-D
    -paul
    06-09-13 08:29 PM
  14. quackquack147's Avatar
    If this is really what you want to do, I'd be happy to trade a complete 16gb and a working 16gb motherboard for one of your 64gb.....pm me if u're interested

    Posted via CB10
    thanks project_x
    thats like great news. i would definitely drop in a PM in a few minutes after i am done with the replying. i am sure i am for sure going to turn a board or two to dust. this happened with me with t60 and x60. i had to order new boards since the 4 MB flash chip upgrade got fooked up once and then it fried the board of thinkpad t60 and thinkpad x60.
    so i guess i will not be overconfident about doing it right in one single attempt. i rather fail once or twice and then get it right on bulls eye the next time after failing twice.
    yes, i did fry the power unit of the t60 and x60 and i had to order a replacemtn board. and now i am planning to implant an atmel at24c128/at24c256 soic8 flash chip. well. its worth the oxygen i am breating.
    thanks a lot for the offer. i am for sure 100% going to ruin a board or two. so if you are sending me devel boards then kindly send me those board which just got a barely working components. so someone who is in dire need of a 16 Gig board can buy/borrow it from you.
    thanks a lot once again.
    -paul
    06-09-13 08:37 PM
  15. quackquack147's Avatar
    He's the one who managed to get BB10 on the PB and running

    Posted via CB10
    i will surely get in touch with the chap who got BB10 working on PB.
    thanks again kris!
    -paul
    06-09-13 08:39 PM
  16. SCrid2000's Avatar
    Definitely worth a try lol.
    I've also heard it floated around that the next version up of the Texas processor is drop in compatible (this is super long time ago information so I may be way off) so you could try that too.
    Linux don't need no 1.5ghz processor, but why not try it?

    And even if worst comes to worst, a playbook ant farm sounds pretty freaking cool to me!

    Side note: you can't turn a speedboat into a ferrari, ferrari is a trademark term for a specific brand of car. You could turn a speedboat into a car, but if you call it a ferrari you might get sued
    06-09-13 08:44 PM
  17. SCrid2000's Avatar
    Also, BB10on playbook has been possible for almost a year, and is a very simple process. It's also nearly completely worthless, as the UI and a lot of other stuff in the OS isn't compatible with the PlayBook.
    06-09-13 08:45 PM
  18. quackquack147's Avatar
    Definitely worth a try lol.
    I've also heard it floated around that the next version up of the Texas processor is drop in compatible (this is super long time ago information so I may be way off) so you could try that too.
    Linux don't need no 1.5ghz processor, but why not try it?

    And even if worst comes to worst, a playbook ant farm sounds pretty freaking cool to me!

    Side note: you can't turn a speedboat into a ferrari, ferrari is a trademark term for a specific brand of car. You could turn a speedboat into a car, but if you call it a ferrari you might get sued
    thanks scrid2000!
    you banged the nail on its head. https://forum.openwrt.org/viewtopic.php?id=43202 i own this cheap pocket mifi and i was bored to death so i started to hack it. and i completed the hack and also i am too lazy to wiki it up. someone who is willing to type for long hours kindly do it for me in the openwrt wiki. i am here to support you with the codes and patch and the technical information.
    did i say i am lazy? i mean i am just a little off color to write so much in wiki when people can read my posts, that doesnt mean i am lazy. ;-)
    you are right linux doesnt need 1.5 ghz of processing power. i have worked with 100 dmips or 100 mhz mips cpu. and it ran smooth and all it demanded was a little more ram and a flash upgrade. which i gave it willingly.
    and playbook as an ant farm sounds cool to me. i would try it if i happen to fry it up. viz wrt54gs v6 wrt54g v5 and netgear dgn1000 ;-)

    ferrari and tm and speed boat. hahaha! excellent. ;-)

    but i like the hd screen and a powerful cpu and overall design and looks and features. i like almost everything the thing which i cant stand will be blackberry inc's stubborn behaviour. since they are stubborn and i am also stubborn leads to two kids having fun blackberry is one and i am the other kid. lets see who blinks first! ;-) wink is not a blink. :-D
    -paul
    06-09-13 08:56 PM
  19. quackquack147's Avatar
    Also, BB10on playbook has been possible for almost a year, and is a very simple process. It's also nearly completely worthless, as the UI and a lot of other stuff in the OS isn't compatible with the PlayBook.
    in short looks like we are both pissed with the procrastination of blackberry inc. terrible indeed. i havent had the luxuary of seeing BB10 on PB but if i am right? Any "Open Source OS" will rock and roll!
    anyway i have a small doubt. does anyone know the debug pins or rs232 or serial or uart or jtag pins on the board? or do i need to manually plug in the debugger and hunt for the debugging pins. omap cpu debugs pins are constant unless BB changes it completely? and if the bootrom is inside the cpu then we are going to have a REAL HARD TIME! because 99% of things about the cpu will be non documented. thanks to TI and BB.
    if the bootrom chip is not on CPU or the CPU is a pristine omap CPU then we can trace the jtag debug pins and perform a complete reset. time to pull the buspirate from its case and make it do some warm up exercise. :-D
    let me know people what you know about the hardware. i am interested in the pins for debugging purpose. looks like the real secret is hidden there. since the bootrom is programmable then the trick is hidden inside the CPU somewhere and it may need a complete ejtag reset. i may be wrong. correct me if i am wrong.
    thanks
    -paul
    06-09-13 09:04 PM
  20. quackquack147's Avatar
    adding info and note for myself and whosoever wishes to root the device.
    OMAP Boot ROM Programming - OMAP 4 Forum - OMAP
    post says its hardwired. and also there is a GP and HS mode. now the question is can the pins be flip flopped? if yes how of no then whats the next option. the info is for ti omap 3630.
    question. it says something about registers. question to self and others, is there a mechanism or a switch by which GP mode is activated and HS mode is disabled.
    am i understanding the post right or am i completely wrong?

    omap3630 != omap4430
    http://www.ti.com/general/docs/lit/g...8&fileType=zip gives detailed register details. If TI puts the RSA key at the time of manufacture on the request of BB then we are out of luck and if TI doesnt put the key at the time of manuf in lots then we are still in luck. if bb buys them in retail then TI will put a static key (i hope), which has to be a static key/constant key if i understand correctly.
    now if the key is static is in omap4430 then its TI's high security RSA key and not BB's and which TI wont give neither BB will give us.
    if thats the situation is like that then what are our options?
    http://www.ti.com/general/docs/lit/g...8&fileType=zip has the register dump tool. now my question will be does TI involve a/some process/mechanism by which they input the key at the time to manufacture? because i will assume when they manufacture that time the chips/dies are too hot to embed any data or are they etched later? if they are etched later can these registers shed some light on WTF is WTF really?
    now again some BS nag, can someone with real cool electronics knowledge and/or working experience knows what these codes apart from some numbers means really.
    because there might be too much information is hidden/stashed inside these registers. i need to give it a little look today. if we can understand the pin switching mode via registers or we can control the registers somehow? then we can go one step closer to our goal. lastly. i really doubt TI will put the key during fabrication since at such high temp nearly 100's and 1000's of degrees of manuf process no data will be retained (inside the chip) i may be wrong. so again my speculation will be something is flip flopping. which i dont know and neither do i understand. people kindly have a look and if you have a solid understanding of registers? do let us know. thanks
    -paul
    06-09-13 10:10 PM
  21. quackquack147's Avatar
    adding more useful information for others and myself.
    tells more about securerom aka bootrom and its details and its security/vulnerability. may be we can run/rerun/reuse the existing exploit and gain the root of the bootrom or something/mechanism which i dont know or perhaps dont understand.
    Bootrom - The iPhone Wiki
    and
    Bootloader Project - OMAPpedia
    scroll down and at the bottom you will see some reference to HS mode and also GP mode. could this be the trick or shed some light? common people help me. ;-)
    sorry for the nag. :-D
    if i understand things correctly? bootrom is the primary bootloader. and it handles its process/subprocesses to the second stage boot loader which can be redboot or uboot etc etc.
    hmmmm time to investigate. project_x i may need one board for playing pretty soon. looks like i got register dumping tool and i got myself buspirate and i need to penetrate deep into this stuff. and find out what it does and what it doesnt.
    i hope this info helps others which is why i am kind of keeping a net log of all the data which i am scavenging.
    thanks
    -paul
    06-09-13 10:20 PM
  22. quackquack147's Avatar
    any one insane here like how i am? here is a very useful document. http://www.ti.com/pdfs/wtbu/OMAP4430...IC_TRM_vAE.zip
    it gives indepth detailed boot process of omap4430. its gigantic. bigger than mount everest. 22.1 MB of zipped pdf file of 5554 pages.
    looks like many sleepless nights reading this doc and many many more sleepless days debugging. if anyone interested? here TI offered us 5554 pages of OMAP4430 documentation. looks like all the intricate details are hidden here and there in this pdf.
    good luck to me. happy reading and mugs and mugs of coffee and tea to keep me awake and "READ THIS FREAKING MANUAL" i guess i will be a slow poster now untill i finish reading it. others can post i will not steal your thunder. kindly update this post with much much much info as you can. thanks.
    -paul
    06-09-13 10:41 PM
  23. Synerworks's Avatar
    The Playbook uses a SOC design which can only be written to the bootrom in-protocol with a valid signed Blackberry image or if the chip is extracted and burned with firmware using a jig to program the device. Not practical to remove a BGA device for the common folk just to write some image and just to be put back into their Playbook.
    06-09-13 10:50 PM
  24. quackquack147's Avatar
    The Playbook uses a SOC design which can only be written to the bootrom in-protocol with a valid signed Blackberry image or if the chip is extracted and burned with firmware using a jig to program the device. Not practical to remove a BGA device for the common folk just to write some image and just to be put back into their Playbook.
    thanks synerworks, i cant thank you since the thank you button went missing. :-D
    yep, its signed. and its a BIA ROM.

    # cd mshield-dk-root-folder
    # ./generate_MLO <<OMAP type>> x-load.bin

    For example, for an ES2.3 OMAP4430 device, use the command:

    # ./generate_MLO OMAP4430 ES2.3 x-load.bin

    i was wondering? if this command has option to pass other parameters. like sign or gpg key or something. if its true then we never ever need to worry again. ;-) poof! BB OS can vanish.
    thanks
    -paul
    06-09-13 11:14 PM
  25. quackquack147's Avatar
    wow! i cant believe could it be this easy and simple. and all these while we missed this fine print. i have explained in detail (i hope, i suck terribly in explaining things) how blackberry locks their bootloader with a signed key. and for a decade it was not unlocked. but now i explained the secret sauce which blackberry uses. now i guess blackberry is no longer as secure as it claimed it is.
    without further delay i will answer my own post. http://forums.crackberry.com/playboo...ml#post8626358
    the process is explained in detail there. hope you guys can make great use of this information. good luck to unlocking the blackberry boot loader. you need MShield Signing tool. its the key tool/ingredient. you can also try the open source options. since bb's omap4430 is in HS (high security) mode you need that tool. its same for nokia n900 and samsung devices. and to my belief its what bb uses in all its devices.
    hahahaha
    muhahahaha we cracked ya blackberry. now the secret is out. but dont celebrate now. because we havent got hold of the tool
    "MShield Signing Tool" you are useless without it.
    so go get it somehow if you want it to unlock.
    mods and admin. you may now close and unlock. and i am done with this post. i will try to help others in other post as much as i can.
    good day to all.
    thanks everyone again for reading and participating.
    best warm regards
    -paul
    06-10-13 12:20 AM
39 12

Similar Threads

  1. Could someone install .451 OS on Storm 2 for me?
    By juelz203 in forum Storm OS Discussion
    Replies: 9
    Last Post: 03-12-10, 01:59 AM
  2. Please shed some light on these Hybrids....
    By oSIDESHOWo in forum Hybrid OS
    Replies: 11
    Last Post: 04-14-09, 12:58 AM
  3. Please shed some light on these Hybrids....
    By oSIDESHOWo in forum BlackBerry Storm
    Replies: 0
    Last Post: 04-13-09, 05:10 PM
  4. Please shed some light
    By cre8tivspirit in forum General BlackBerry Discussion
    Replies: 13
    Last Post: 12-19-08, 08:23 PM
  5. The status light on my curve flashes yet there is no message
    By wizardofodds in forum BlackBerry Curve 83xx
    Replies: 4
    Last Post: 10-19-08, 11:43 AM
LINK TO POST COPIED TO CLIPBOARD