Working to bootrom/bootload unlock playbook? What's your progress?
- I feel you jest. You know how fast QuackQuack types. I just read the posts mostly and try and understand. My help is minimum. Luckily I got a $hitty PB on ebay. I must say, there are a lot of new faces showing up lately. Oh, and according to QuackQuack, I'm a rusty old fart anyway. Not a kid by any means.
thanks!
-paul
07-19-13 03:49 AM Like 0
- Hi, I know that I'm bothering you with some stupid details, but is it possible to include some sort of video for doing JTAG (I mean if there is a part with soldering some resistors or something)? Electric circuit schematics don't give me any info since I'm not an electrical engineer... (probably the rest of us would look at the schematics like at Chinese letters...)
Again, thank you Paul..., what you've been doing is something wonderful and I might say very bold...
cheers.
chesmo likes this. 07-19-13 03:57 AM Like 1
- yes i will give away all that info on monday..... but remember we still don't have a bootrom/bootloader/OS to go with the jtag. so it's like a gun w/o bullets. even if you wipe it? you are in a temporarily bricked state because i haven't started to build the FOSS bootrom and bootloader and jeroen is making the android OS, unless you want debian! ;-)
thanks!
-paul
Oh, one more thing... I'm good with android, even though that ubuntu looks pretty cool...
cheers.
07-19-13 04:02 AM Like 0
-
Forums - OMAP 4 Forum - OMAP
Hello Paul,
I am not sure exactly which document and which section you are referring to, but the boot ROM cannot be reprogrammed.
Thanks and regards,
by this sunday we will know.
and secondly. if he is true.
then? bruteforce ==> reverse engineering the
i think he either went to the reading room or i think that's the dead end... it can't be the dead end, i am sure. SRAM is too small to hold a bootrom. ;-)
i think TI is goofing up.
sunday we will know it.
thanks!
-paul
Koichiro
07-19-13 04:26 AM Like 0
- chaosdivine,
your package arrived. and i am going to open it up. don't lose hope. this is not divide by 0. i have done other devices. i believe i can do it too. cut that long face and smile. i think i can do it. the document says so. i think the guy in TI hasn't read the HS NDA docs. bootrom is never in the cpu. chesmo's device proves it.
it's 199% very extremely tough to do. and i believe i can do it. if the cpu fails? we will reroute, brute force = reverse engineering. as of now i am alone. when i go to the coreboot channel, a whole bunch will join me. this is what we like. kickass challenge. we have done it before and we think we can still do it.
thanks for being patient. hope is still not lost.
thanks!
-paul
chaosdivine likes this. 07-19-13 04:42 AM Like 1
-
Paul,
OK. Now I understood you are talking about x-loader.
I thought you wanted to reprogram boot ROM which is mask ROM.
As you said, x-loader is written in eMMC (or SD card) in most cases.
You can reprogram it without an issue.
I am not sure how cp15 is related to program xloader though.
How did you program the xloader in eMMC at first?
Thanks and regards,
Koichiro
if we somehow send proper signals we have REAL HOPE for SURE.
what he says if its right? then we are close. ;-)
then we need to extract the encryption key and using aeskeyfind or rsakeyfind. we can find the key and then sign our boot-loader and boot-rom with that key.
aah there might be a single ray of light at the end of the tunnel.
i did present him the arm.com documents. which he cant deny since OMAP4430 HS is built using the arm.com technology.
i think reverse engineering might not be necessary if we find the key and then punch and seal the bootrom with it and the bootloader unlocked. :-D
have faith and have hope.
and keep your fingers crossed.
thanks!
-paul
p.s. this time i am not bluffing, if you thought all this while i did nothing and i bluffed my a$$ out. this time TI (horse's mouth) is answering my questions. :-D
07-19-13 05:37 AM Like 0
- I'm also reading your conversation from TI support, I also think that he is not telling you everything. Not sure if they even can, but every bit of info that you manage to pull from him is a blessing... BTW 27 years old, man you are younger than me... - or did I find another guy with the same name by google... ))
cheers.
07-19-13 05:44 AM Like 0
-
and yes i am getting this fishy feeling he is hiding something. ;-) he is unwilling to tell me. but he asked me one thing.
How did you program the xloader in eMMC at first?
i got a secret hidden clue. and he fished out some information. nice nice. c'mon, i know they started to spit and soon they will start to puke. :-D puke all the information out which they have been hiding.
thus one thing is solved. if we kick the bootrom out of the emmc NAND we are IN.
and synerworks now do you believe me. now even TI confirmed. the bootrom is inside the emmc SSD and not inside CPU. ;-)
all this while you've been arguing. now the information comes straight from the horse's mouth. hehehe! muhahahaha! ;-)
thanks!
-paul
vlado091 likes this. 07-19-13 05:49 AM Like 1
- yeah, I'm reading the conversation. You did place a bug in his ears...
regarding the years, you are a little older...
three years older to be precise...
P.S. I think that you didn't have to explain to him that it is about installing another OS on the Playbook, who knows what kind of NDA they have with Blackberry, so he might not give you an answer to your last question...
07-19-13 06:01 AM Like 0
-
"hey boss this crazy nut has almost reverse engineered the entire process! should we help him or should we not. because we have nothing to gain/lose from blackberry/RIM, it's history. can we unlock the info. :-D"
because this much detailed answer he never expected. and that one liner is the silent secret answer. he knows we reverse engineered it hardware wise. and he is not admitting it. that's about it. else why will he say it in that tone?
How did you program the xloader in eMMC at first?
there is a deep gravity in that one line. specific one line. i hope you got the point. ;-)
looks like we decoded the process. happy hacking!
thanks!
-paul
07-19-13 06:07 AM Like 0
- nice, but again I think (maybe I'm wrong) that you might not mention porting another OS to the Playbook. just that you need to fix your "dead" board... I'm dead sure he would probably give you more information which would eventually be useful to you. I might be wrong, but if you try to use social engineering to get more info, it would probably be better not to reveal your entire plan...
cheers
chesmo and WeAreNotAlone like this. 07-19-13 06:14 AM Like 2
- nice, but again I think (maybe I'm wrong) that you might not mention porting another OS to the Playbook. just that you need to fix your "dead" board... I'm dead sure he would probably give you more information which would eventually be useful to you. I might be wrong, but if you try to use social engineering to get more info, it would probably be better not to reveal your entire plan...
cheers
now?
there can be only one.
i got the info i needed. the last and final bit of the puzzle and it's cross checked and sealed by TI. revealing or not does not matter. so i was right from the start.
#1. yes it has jtag!
#2. yes bootrom is not inside cpu.
#3. yes it can be reprogrammed.
#4. yes it stored the keys in memory which we can read via aeskeyfind and rsakeyfind
#5. TI doesnt embed keys in the cpu its by RIM in its HQ and then ........ (this is the missing bit, but which is unnecessary)..... ;-) but can make a good story line.
so? its time to hack! eeeeeeeeeeeeeeehawwwwwwwwwwwwwwwwwwwwwwwwwww!
we are now close to liberation. the *nix slogan "live FREE else DIE!" ;-)
thanks!
-paul
WeAreNotAlone and vlado091 like this. 07-19-13 06:25 AM Like 2
-
one at a time please. first this then everything else. arm docs are generic. so i think others are equally doable. :-D TI did bite the bullet and now finding it hard to chew.
so same applies for other devices. ;-) its a matter of time...... it will also be broken.
(me going greedy, :-D i can take all those devices to GSOC? damn!" then i am 1000% straight access to GSOC!)
but please please please please! patience and singularity.
one at a time.
too many cooks spoil the broth -> too many devices spoil the concentration. ;-)
thanks!
-paul
07-19-13 06:58 AM Like 0
-
thanks!
-paul
07-19-13 07:00 AM Like 0
- The first generation Kindle Fire has similar specs to the Playbook. If you are successful with your hack of the boot loader, then perhaps this forum would assist you in creating a customized Android ROM:
Kindle Fire Android Development - xda-developers
hmmm. this project is hardware related. code is right now nowhere near the scene for one reason: it's not fully complete. you can only build a hut if you have about 150 sqft area and that's been built. what you are asking for is a fortress when the area is still 150 sqft; let me acquire more real estate, then everything will fall into place. got one board in hand which will allow me to wipe clean the info stored in the CPU after it was manufactured in china and sent to RIM HQ.
its only 4 KB so, deleting should be done in less than a second.
thats what i will try this sunday.
and if it works? i will release the technique. and this will free up and signature issue. then only work left is build a proper bootrom, bootloader and OS.
if you aren't patient, not my fault. i lack hardware skills. and my friend comes back to town this sunday. which makes me a paralysed developer.
once it's done? everything else should be as easy as apple pie. it's not an insult. it's repeated poking with a stick which is not funny. i am too stubborn to feel insulted. but this hanky panky, do it now, makes me wet my pants.
i am working be patient. i am not like RIM who been doing it for 2+ years.
learn to relax.
thanks!
-paul
Last edited by the_sleuth; 07-19-13 at 07:37 AM.
07-19-13 07:17 AM Like 0
- Yes, the bootrom can't be edited. I have said this several times. It is write-once memory.
If you are talking about rimboot (which is RIM's xloader): technically it can be edited. Although a method for doing so isn't guaranteed.
07-19-13 08:18 AM Like 0
-
changing tones and tunes doesnt help bend facts.
i have shot TI with a question which they are finding hard to answer, because they have been asked some very key questions.
and i asked them right on the face, the bullet has left the gun, TI bit the bullet and now finding it hard to chew. because i gave them the memory mapping and also the arm standards and the on off lock tick tock.
lets see how TI plays this game. because they are right now pretty much trapped in their own trap. ;-)
lets say how they dodge this.
and once again? all your posts whether they are logical or not ends up with a like and thanks. ;-)
thanks!
-paul
jeroen_13 likes this. 07-19-13 08:23 AM Like 1
- It doesn't mean that it's accessible or usable post-factory. It just means that it was when TI sent it. But we'll assume it is still usable.
Actually it is. And it is write-once memory. Even the public documentation you supposedly read says this. I think you are confusing your terminology. Bootrom != bootloader (I've had to say this several times in this thread).
Bootrom != bootloader
I haven't changed my tune once. I am still saying you are getting your terminology wrong. I have tried to teach you what a bootrom is on IRC and the forums but you still don't listen. Even when that guy (from TI?) tells you.
07-19-13 08:54 AM Like 0
- The first generation Kindle Fire has similar specs to the Playbook. If you are successful with your hack of the boot loader, then perhaps this forum would assist you in creating a customized Android ROM:
Kindle Fire Android Development - xda-developers
Posted via CB10
07-19-13 11:39 AM Like 2
- It doesn't mean that it's accessible or usable post-factory. It just means that it was when TI sent it. But we'll assume it is still usable.
Actually it is. And it is write-once memory. Even the public documentation you supposedly read says this. I think you are confusing your terminology. Bootrom != bootloader (I've had to say this several times in this thread).
Bootrom != bootloader
Private keys are only available on-device for information that requires re-signing. For instance, the NVRam keys are available (and I have them) because that needs to be resigned when it is modified. There are no bootrom or bootloader keys because these are not modified.
Yes, but the keys are not required to read the file. Only to sign it. So obviously they aren't included anywhere on the device.
I haven't changed my tune once. I am still saying you are getting your terminology wrong. I have tried to teach you what a bootrom is on IRC and the forums but you still don't listen. Even when that guy (from TI?) tells you.
07-19-13 02:19 PM Like 0
- Wtf why is he banned?!
Edit: I think this is the reason?
"Illegal Activities - Do not post, sell, link, discuss, or request warez, serials, ROMs, UDID's or illegal copies of intellectual property of others. Discussions regarding hardware or software modifications designed to steal service, such as ESN cloning & phone programming modifications are also forbidden in the forums."
Sent from my HTC Sensation using CB Forums mobile app
07-19-13 02:27 PM Like 0
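To illustrate the_sleuth's point in the 02:19 PM post (a device only carries private keys for data it must re-sign itself; verifying the bootloader needs nothing but the public key, so no bootrom or bootloader signing key is stored on the device), here is an added Python example. It is not code from this thread, from RIM or from TI. It models a verify-only first boot stage with textbook RSA on small, seeded keys purely as a stand-in for a real secure-boot scheme; the names generate_keypair, sign_image, verify_image, build_device and device_boot are hypothetical, and the loader images are constructed sample bytes. It needs Python 3.8+ for the modular inverse via pow(e, -1, phi).

```python
"""Toy verify-only boot chain: the device holds a public key, never the signing key."""
import hashlib
import random

# --- textbook RSA key generation (illustration only, not a production scheme) ---
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test with a fixed RNG so results are reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512, seed=1234):
    """Return (public_key, private_key); seeded so the example is deterministic."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return {"n": n, "e": e}, {"n": n, "d": d}

def _digest_int(image, n):
    # SHA-256 digest as an integer; with a 512-bit n it is always below n
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign_image(private_key, image):
    """Done once, at the vendor; this is the only place the private key lives."""
    return pow(_digest_int(image, private_key["n"]), private_key["d"], private_key["n"])

def verify_image(public_key, image, signature):
    """Needs only (n, e): recover the digest and compare with a fresh hash."""
    return pow(signature, public_key["e"], public_key["n"]) == _digest_int(image, public_key["n"])

# --- what the factory burns into the device: public key, loader, signature ---
def build_device(public_key, loader_image, signature):
    return {"bootrom_pubkey": public_key, "loader": loader_image, "loader_sig": signature}

def device_boot(device):
    """Mask-ROM-style first stage: accept the loader only if its signature checks."""
    return verify_image(device["bootrom_pubkey"], device["loader"], device["loader_sig"])

def demo():
    """Returns (original boots, tampered boots, private key present on device)."""
    pub, priv = generate_keypair()
    loader = b"constructed sample loader image v1"          # constructed sample
    sig = sign_image(priv, loader)
    device = build_device(pub, loader, sig)
    boots_original = device_boot(device)
    tampered = dict(device, loader=loader + b" (modified)")  # constructed tamper
    boots_tampered = device_boot(tampered)
    has_private_key = any("d" in v for v in device.values() if isinstance(v, dict))
    return boots_original, boots_tampered, has_private_key

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The last value returned by demo() is the point of the thread's argument: the device image contains no "d" anywhere, yet it can still reject a modified loader, because rejection only requires the public half. Tools that scan memory for key material can therefore only ever find keys the device genuinely needs at runtime, which is why the_sleuth says the NVRam keys are present but bootloader signing keys are not.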