08-08-13 01:11 PM
135 ... 23456
tools
  1. xsacha's Avatar
    i am sure the RIM guys are laughing at this crazy effort. if the cfp is leaked for playbook then it can save us heaps of effort. this is like reinventing the wheel. :-D
    Of course, as I've said before, we have CFP. It allows you to program the boot and OS partitions and reset QNX boot region.
    07-14-13 10:46 PM
  2. quackquack147's Avatar
    Of course, as I've said before, we have CFP. It allows you to program the boot and OS partitions and reset QNX boot region.
    does it allow you to write the bootrom. rooting post, page 32, describes loads of information. have a look this cfp then need to act as a serial transport. do you understand me?
    if you do then thanks! because it need to be signed by RIM, a bootrom which we have written, and when we inject it, it will accept and load and this will trip the switch and it will melt the efuse inside with either 12v or 5v and then you can never jtag in your entire life. :-D so go read the document well and check the criteria. and also if we can have debug features or can bootloader debug features be turned on.
    thanks!
    -paul
    07-14-13 10:56 PM
  3. xsacha's Avatar
    No, the bootrom is write-once.
    No one can write to it from software, not even RIM.
    That's why if you find an exploit in the code, it would be a permanent exploit. However, seeing as the product is now abandoned, anything is permanent.
    07-15-13 05:04 AM
  4. quackquack147's Avatar
    No, the bootrom is write-once.
    No one can write to it from software, not even RIM.
    That's why if you find an exploit in the code, it would be a permanent exploit. However, seeing as the product is now abandoned, anything is permanent.
    "No one can write to it from software, not even RIM."
    yes they can. there is an on off switch near the vga connector. i may have -2 on both the eyes. but my vision is sharp and it doesnt miss minute details. i think its kindof some debug switch.
    the NS bit is like NX in intel/amd architecture. it doesnt allow malicious code execution. even as root or in god mode. you need to enable the debug mode using that on off switch. ;-)
    i have written in detail and indepth. i have cut short 108+82 =190 pages into 8-10 paragraphs.
    thanks!
    -paul
    07-15-13 05:16 AM
  5. xsacha's Avatar
    Not sure why I bother if you just ignore everything I say and then repeat what I write a few weeks later :P Just trying to help whatever it is you are trying.

    You asked me if CFP can write to the bootrom. The answer is no -- it's not possible (even for RIM).

    No one can write to it [the bootrom] from software, not even RIM.
    yes they can. ... there is an on off switch .. i think its kindof some debug switch... the NS bit is like NX in intel/amd architecture. it doesnt allow malicious code execution. even as root or in god mode. you need to enable the debug mode using that on off switch. ;-)
    I hope you realise this is entirely unrelated to the bootrom. NS bit is for the ARM CPU to, as you said, prevent malicious code in user-space applications.
    Any sort of 'debug switch' would require hardware access as well. It can't be done through software.
    Last edited by xsacha; 07-15-13 at 05:40 AM.
    07-15-13 05:23 AM
  6. quackquack147's Avatar
    Not sure why I bother if you just ignore everything I say and then repeat what I write a few weeks later :P Just trying to help whatever it is you are trying.

    You asked me if CFP can write to the bootrom. The answer is no -- it's not possible (even for RIM).
    i dont know why you disagree with everything. i havent fully tested that on off switch right next to the vgs connector in the right. its clearly marked on-off.
    so it has something very intersting to do. and i dont know it yet. as i need to buy a small switch like that and solder and see what it does with it on and off. :-D
    i am sorry. not even cfp tools can help you. this time i am confirming. i think that switch has something very interesting when it comes to function.
    thanks!
    -paul
    07-15-13 05:33 AM
  7. xsacha's Avatar
    i dont know why you disagree with everything.
    I don't know how you keep getting simple stuff wrong :P Especially when the info is available via Google.

    Just saying you are on the wrong track there. You definitely can't use CFP for that. CFP is only able to send commands to the bootrom to do tasks. Simply put those tasks are: info, load, wipe and diagnostic related commands.
    07-15-13 05:44 AM
  8. quackquack147's Avatar
    I don't know how you keep getting simple stuff wrong :P Especially when the info is available via Google.

    Just saying you are on the wrong track there. You definitely can't use CFP for that. CFP is only able to send commands to the bootrom to do tasks. Simply put those tasks are: info, load, wipe and diagnostic related commands.
    these are info via arm.com or arm holding which makes generic chips. and i need those docs. there are 8 more to read. and there is heck a lof of VHDL or hardware commands i need to pass via jtag. which i will work on this week. ;-) so help me. dump the rom and let me reverse engineer it.
    give it a shot and let me know. and i uploaded a code in rooting post compile and dump the bootrom.bin and upload it. i need to reverse engineer it.... since i dont have the patience to root.
    thanks!
    07-15-13 05:52 AM
  9. xsacha's Avatar
    so help me. dump the rom and let me reverse engineer it.
    No, this is what you should have been doing from Day 1. You need to dump the bootrom with JTAG. Then I can inspect it and see if there's any exploits.
    You have it the wrong way around.
    07-15-13 06:04 AM
  10. quackquack147's Avatar
    No, this is what you should have been doing from Day 1. You need to dump the bootrom with JTAG. Then I can inspect it and see if there's any exploits.
    You have it the wrong way around.
    i can jtag it obviously. but right now i need to wait for my friend who come to my place. and he is right now out of station. so i need to wait for him. in the mean while compile the code and get the damned bootrom. so i can reverse engineer it. there is no point in finding vulnerability. its need the sweet love of reverse engineering.
    thanks!
    -paul
    07-15-13 06:09 AM
  11. xsacha's Avatar
    in the mean while compile the code and get the damned bootrom. so i can reverse engineer it. there is no point in finding vulnerability. its need the sweet love of reverse engineering.
    I'll explain it for you: The 'code' is actually just 3 lines that simply reads the bootrom directly in to a file. It's dead simple. It assumes you have 1) kernel access and 2) read access to the bootrom, which of course we don't. If we did, there wouldn't be any issue. Heck, if we had kernel access there wouldn't be an issue either.

    This is the code you sent me, in its smallest working form:
    FILE* fp = file_open("/boot.rom",O_WR|O_LARGEFILE,0);
    for(int i=0, void __iomem *mem = ioremap(0x40028000, 0xC000);i<0xC000;i++)
    file_write(fp, i, readb(mem + i), 1);

    The only way to get the bootrom would be reading it via JTAG which is what I've been waiting for you to do.
    Last edited by xsacha; 07-15-13 at 06:37 AM.
    07-15-13 06:23 AM
  12. quackquack147's Avatar
    I'll explain it for you: The 'code' is actually just 3 lines that simply reads the bootrom directly in to a file. It's dead simple. It assumes you have 1) kernel access and 2) read access to the bootrom, which of course we don't. If we did, there wouldn't be any issue. Heck, if we had kernel access there wouldn't be an issue either.

    This is the code you sent me, in its smallest working form:
    FILE* fp = file_open("/boot.rom",O_WR|O_LARGEFILE,0);
    for(int i=0, void __iomem *mem = ioremap(0x40028000, 0xC000);i<0xC000;i++)
    file_write(fp, i, readb(mem + i), 1);

    The only way to get the bootrom would be reading it via JTAG which is what I've been waiting for you to do.
    i got it. already. i wanted to know if it compiles. i need to work on it.
    next 2 days, till 18 th 6 pm india standard time. i am jam packed with some personal stuffs.
    thats why i asked you to check if it compiles or not.
    thats about it. and this sunday or monday i will get the jtag ready.
    thanks!
    -paul
    07-15-13 06:44 AM
  13. xsacha's Avatar
    i wanted to know if it compiles. i need to work on it.
    next 2 days, till 18 th 6 pm india standard time. i am jam packed with some personal stuffs.
    thats why i asked you to check if it compiles or not.
    It's a kernel module. You're not listening. It doesn't matter that it compiles.
    I realise you don't understand these unix-related or code-related concepts but put simply: we do not have software read access to the bootrom. You are looking in the wrong area.

    Do you not trust that I know what I am talking about? If so, I won't bother talking.
    07-15-13 06:48 AM
  14. quackquack147's Avatar
    It's a kernel module. You're not listening. It doesn't matter that it compiles.
    I realise you don't understand these unix-related or code-related concepts but put simply: we do not have software read access to the bootrom. You are looking in the wrong area.

    Do you not trust that I know what I am talking about? If so, I won't bother talking.
    i cannot jtag right now. the switch has the debug feature on/off feature. if you must know. ;-)
    my friend has to come and reset the jtag points and then rescan. this sunday only i can jtag or monday. and he is not in station so i cant help with that. his cousin is getting married. so he is out of town.
    so unless that dude comes back i cant move an inch.
    i wanted the code to compile for another reason. will tell it later.
    thanks!
    -paul
    07-15-13 06:57 AM
  15. xsacha's Avatar
    i wanted the code to compile for another reason. will tell it later.
    The only possible reason could be you are trying to extract the bootrom from a generic rooted Linux/Android device which has unrelated boot code.
    That's the only situation where that code is in any way meaningful.
    Even then its usefulness is limited since we already have bootrom dumps from generic (i.e. not customised) OMAP4430 devices.
    07-15-13 07:03 AM
  16. quackquack147's Avatar
    The only possible reason could be you are trying to extract the bootrom from a generic rooted Linux/Android device which has unrelated boot code.
    That's the only situation where that code is in any way meaningful.
    Even then its usefulness is limited since we already have bootrom dumps from generic (i.e. not customised) OMAP4430 devices.
    yes yes yes i understood. i had it for a very special reason.
    i will tell it later when i am done.
    :-D
    not now!
    right now be happy with the news of the debug switch location.;-)
    thanks!
    -paul
    07-15-13 07:08 AM
  17. gen_accident's Avatar
    I'm losing trust. This quackquack (no pun intended) appears to have no idea what he's doing.

    Sorry, "Paul", I'm out.

    Z10-4 .4543 via CB10
    07-15-13 07:11 AM
  18. quackquack147's Avatar
    I'm losing trust. This quackquack (no pun intended) appears to have no idea what he's doing.

    Sorry, "Paul", I'm out.

    Z10-4 .4543 via CB10
    okay no issues. if you pull out. i didnt disclose for one reason. because if you pull the switch to on. then all the 1.8v will be visible and if you pass one wrong jtag command? you toasted your cpu. and also your blackberry. with you pulling out. one goes down. thats about it.
    it was for the safety, because if i have had told? people would have tried it. and result an omap4430 cpu toast.
    see ya and have fun. trust cannot be bought or sold. it builds and a slow process. well anyway. have fun gen_accident.
    thanks!
    -paul

    transcript of the pm i cant disclose more than this.

    Quote Originally Posted by quackquack147
    hi there!
    greetings!
    i had enough of fights. one request. if i provoke others can the post be deleted. since this is irc. and moderators are there. and moderators can delete posts. can my posts be deleted even before it spark off and a fire breaks open?
    i know i dont obey/follow rules. and no developers obey/follow rules except rules or physics chemistry math electronics and i am one of those many developers.
    so sometime a blunt post kicks my temper. and can those posts be moderated and also my blunt posts be also moderated. its takes 2 hands to clap. so i am equally faulty. well 50% atleast! :-D
    thanks!
    -paul
    hi rich,
    greetings!

    thanks for answering and also with the suggestions, point noted.

    i think i found the jtag pins. but i dont wish to disclose now. what should i do? i need to ask a mod. because then i will get a flurry of requests. if i disclose now? i will get 1000's of queries and many users with bricked device. and also one more request. can a mod make an announcement. if i make it doesnt look nice. i dont wish to command users. can a request be made to make my work easy by reading documenting and understanding. many people ask me to make it simeple. i am not so good with that thing.

    can a request be made and some mod handle and head the project where i can dump all the info and some mod or some user who is keen can take up the work of making clear cut simpleton idea of whats going on with rooting. i find all the data scattered and also all info from me also scattered.
    this will be a real help/request. an announcement. will help. people think i will speak too much geekish. but yes i do. so i need this help.
    someone really documenting it and also a step by step method.

    thanks!
    -paul
    Last edited by quackquack147; 07-15-13 at 07:40 AM.
    07-15-13 07:23 AM
  19. Dr_Acula's Avatar
    okay no issues. if you pull out. i didnt disclose for one reason. because if you pull the switch to on. then all the 1.8v will be visible and if you pass one wrong jtag command? you toasted your cpu. and also your blackberry. with you pulling out. one goes down. thats about it.
    it was for the safety, because if i have had told? people would have tried it. and result an omap4430 cpu toast.
    see ya and have fun. trust cannot be bought or sold. it builds and a slow process. well anyway. have fun gen_accident.
    thanks!
    -paul

    transcript of the pm i cant disclose more than this.
    Duck!
    Now people r loosing faith in u.
    Its the right time to show and prove or duckiness.

    Sent from my bullet proof revolver //"="" ````
    07-15-13 09:13 AM
  20. djdragon's Avatar
    Duck!
    Now people r loosing faith in u.
    Its the right time to show and prove or duckiness.
    *grabs popcorn*

    Posted via CB10
    07-15-13 09:23 AM
  21. Dr_Acula's Avatar
    *grabs popcorn*

    Posted via CB10
    Want a drink?

    Sent from my bullet proof revolver //"="" ````
    07-15-13 09:26 AM
  22. quackquack147's Avatar
    Duck!
    Now people r loosing faith in u.
    Its the right time to show and prove or duckiness.

    Sent from my bullet proof revolver™ //"="" ````
    it doesnt matter if someone trusts me or doesnt or looses or gains. BODMAS (brackets of division multiplication addition subtraction), and neither do i care. what matters when i need to disclose my work flow. i normally lips tight sealed till it works. and what matters most is unwarranted arguements. something which is totally unwanted.
    i have a work plan and i execute it flawlessly. and i do my homework well ahead. i first study then i work then i play.
    its some bickering, i told you this before i told that before you never listen to me.
    yes i dont listen because your planning is horrible and your reasoning is unjustified and i dont listen because you havent done your homework.
    let me make this frank and clear. you think xsacha is less talented and i am more talented? No he has years of experience. What doesnt work for him? Or what doesnt lead him to success is ultra improper planning and very poor hind sighted execution and worst of all ego and over confidence. perfect recipe for a disaster.
    having read all these documents and asking irc how to jtag? he could have finished this project by now and i would have started to port coreboot about an year ago or more.
    whats the issue, his blocked vision. and because he cant see, he thinks others also as blind as he is.
    if you find the fault he goes emotional. like as if i have to handle him as my girl friend. "no we go for chinese, no we go italian."
    this is the issue. else he is fine hacker. his lack of concentration paved way for me to come in and gain control. which he could have done ages ago.
    rather than some BS rooting? which doesnt work! he could have spend his time in jtagging and or reading those same docs which i read and ask arm infocenter for the docs and read up and then proceed. neighhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh, he will stick to his annoying neh arrogance. i think this is the attitude which kicks the crack out of my butthole.
    i hope its understood.
    he has been working for years. and i know and i respect him for that. but its his annoying arguement. "I know more than you!" which pisses me off to the core.
    If you want to be heard? Then learn to listen first! and not always i know it all i am kingalingadingdingading.
    thats it i am done with.
    and if people trust me or dont? its their choice and i have nothing to do with their personal choice.
    thanks!
    -paul
    07-15-13 09:30 AM
  23. quackquack147's Avatar
    *grabs popcorn*

    Posted via CB10
    one man's frustration is others cartoon network. ;-)
    thanks!
    -paul
    07-15-13 09:47 AM
  24. quackquack147's Avatar
    Want a drink?

    Sent from my bullet proof revolver™ //"="" ````
    patiala peg on the double w/o rocks or soda! blackdog! thank you!
    thanks!
    -paul
    07-15-13 09:48 AM
  25. quackquack147's Avatar
    -rw-r--r-- 1 testuser testuser 641K Jul 15 21:06 TrustZone_API_3.0_Specification.pdf
    -rw-r--r-- 1 testuser testuser 261K Jul 15 21:00 TrustZone_Hardware_Requirements.pdf
    -rw-r--r-- 1 testuser testuser 983K Jul 15 21:14 TrustZone_Software_API_Specification_2.0.pdf

    finally got the NDA stuffs. Dont ask cant share. this is what we need. thank you!
    thanks!
    -paul
    07-15-13 10:49 AM
135 ... 23456

Similar Threads

  1. German kids never heard of BlackBerry
    By houssamad in forum General BlackBerry News, Discussion & Rumors
    Replies: 36
    Last Post: 07-28-13, 11:59 PM
  2. Problem in screen of blackberry curve 8520
    By codmaster1 in forum BlackBerry Curve Series
    Replies: 1
    Last Post: 07-09-13, 04:01 PM
  3. How to record a voice call on Z10
    By mbamd in forum BlackBerry Z10
    Replies: 5
    Last Post: 07-08-13, 10:00 AM
  4. Battery life after connecting to the computer
    By Thomas_Stiftinger in forum BlackBerry Q10
    Replies: 1
    Last Post: 07-08-13, 07:33 AM
  5. Can anyone confirm if this is possible?
    By yelmonster in forum BlackBerry Z10
    Replies: 2
    Last Post: 07-08-13, 07:08 AM
LINK TO POST COPIED TO CLIPBOARD