  1. quackquack147
    I feel you jest. You know how fast QuackQuack types. I just read the posts mostly and try to understand. My help is minimal. Luckily I got a $hitty PB on eBay. I must say, there are a lot of new faces showing up lately. Oh, and according to QuackQuack, I'm a rusty old fart anyway. Not a kid by any means.
    you are still rusted. if not old fart. and you are not yet a kid fully. ;-)
    thanks!
    -paul
    07-19-13 03:49 AM
  2. vlado091
    Hi, I know that I'm bothering you with some stupid details, but is it possible to include some sort of video for doing JTAG (I'm asking in case there is a part with soldering some resistors or something)? Electric circuit schematics don't give me any info since I'm not an electrical engineer... (probably the rest of us would look at the schematics like at Chinese letters... )

    Again, thank you Paul..., what you've been doing is something wonderful and I might say very bold...
    cheers.
    chesmo likes this.
    07-19-13 03:57 AM
  3. vlado091
    yes i will give away all that info on monday..... but remember we still don't have a bootrom/bootloader/OS to go with the jtag. so it's like a gun w/o bullets. even if you wipe it? you are in a temporary bricked state because i haven't started to build the FOSS bootrom and bootloader and jeroen is making the android OS, unless you want debian! ;-)
    thanks!
    -paul

    Oh, one more thing... I'm good with android, even though that ubuntu looks pretty cool...

    cheers.
    07-19-13 04:02 AM
  4. quackquack147
    Oh, one more thing... I'm good with android, even though that ubuntu looks pretty cool...

    cheers.
    hold your breath. there is a small issue.
    Forums - OMAP 4 Forum - OMAP
    Hello Paul,

    I am not sure exactly which document and which section you are referring to, but the boot ROM cannot be reprogrammed.

    Thanks and regards,
    Koichiro
    he says bootrom cannot be edited. but how? when i asked him that he didn't reply. i did put forward all the info. like sram is 4kb and it's a WOM. and it stores special information. like register cp15 and bootrom is not stored in cpu but emmc which is there in the TI documents. i really strongly doubt he did miss the point. or he is unaware that the bootrom is stored and kept in emmc, 4 KB cannot hold so much data. i think he is making a mistake.
    by this sunday we will know.
    and secondly. if he is right.
    then? bruteforce ==> reverse engineering the
    i think he either went to the reading room or i think that's the dead end... it can't be the dead end i am sure. SRAM is too small to hold bootrom. ;-)
    i think TI is goofing up.
    sunday we will know it.
    thanks!
    -paul
    07-19-13 04:26 AM
  5. quackquack147
    chaosdivine,
    your package arrived. and i am going to open it up. don't lose hope. this is not divide by 0. i have done other devices. i believe i can do it too. cut that long face and smile. i think i can do it. the document says so. i think the guy in TI hasn't read the HS NDA docs. bootrom is never in the cpu. chespo's device proves it.
    it's 199% very extremely tough to do. and i believe i can do it. if the cpu fails? we will reroute, brute force = reverse engineering. as of now i am alone. when i go to the coreboot channel, a whole bunch will join me. this is what we like. kickass challenge. we have done it before and we think we can still do it.
    thanks for being patient. hope is still not lost.
    thanks!
    -paul
    chaosdivine likes this.
    07-19-13 04:42 AM
  6. vlado091
    fck, we are screwed now...
    even if you fail Paul, I'm grateful what you did so far...
    07-19-13 05:02 AM
  7. quackquack147
    fck, we are screwed now...
    even if you fail Paul, I'm grateful what you did so far...
    i haven't yet failed. where physics fails math passes. wait till this sunday when i try to reprogram chespo's blackberry playbook device board. TI engineer is definitely hiding some information. because when i am asking him specific information he goes and says yes.
    Paul,

    OK. Now I understood you are talking about x-loader.

    I thought you wanted to reprogram boot ROM which is mask ROM.

    As you said, x-loader is written in eMMC (or SD card) in most cases.

    You can reprogram it without an issue.

    I am not sure how cp15 is related to program xloader though.

    How did you program the xloader in eMMC at first ?

    Thanks and regards,

    Koichiro
    see there is hope.
    if we somehow send proper signals we have REAL HOPE for SURE.
    what he says, if it's right? then we are close. ;-)
    then we need to extract the encryption key using aeskeyfind or rsakeyfind. we can find the key and then sign our boot-loader and boot-rom with that key.
    aah there might be a single ray of light at the end of the tunnel.
    i did present him the arm.com documents. which he can't deny since OMAP4430 HS is built using the arm.com technology.
    i think reverse engineering might not be necessary if we find the key and then punch and seal the bootrom with it and the bootloader unlocked. :-D
    have faith and have hope.
    and keep your fingers crossed.
    thanks!
    -paul

    p.s. this time i am not bluffing, if you thought all this while i did nothing and i bluffed my a$$ out. this time TI (horse's mouth) is answering my questions. :-D
    07-19-13 05:37 AM
  8. vlado091
    I'm also reading your conversation with TI support, I also think that he is not telling you everything. Not sure if they even can, but every bit of info that you manage to pull from him is a blessing... BTW 27 years old, man you are younger than me... - or did I find another guy with the same name on Google... ))

    cheers.
    07-19-13 05:44 AM
  9. quackquack147
    I'm also reading your conversation with TI support, I also think that he is not telling you everything. Not sure if they even can, but every bit of info that you manage to pull from him is a blessing... BTW 27 years old, man you are younger than me...

    cheers.
    i am 31!
    and yes i am getting this fishy feeling he is hiding something. ;-) he is unwilling to tell me. but he asked me one thing.

    How did you program the xloader in eMMC at first ?
    -> hehehehehehe.
    i got a secret hidden clue. and he fished out some information. nice nice. come on, i know they started to spit and soon they will start to puke. :-D puke out all the information which they've been hiding.
    thus one thing is solved. if we kick the bootrom out of the emmc NAND we are IN.
    and synerworks, now do you believe me. now even TI confirmed. the bootrom is inside the emmc SSD and not inside CPU. ;-)
    all this while you've been arguing. now the information comes straight from the horse's mouth. hehehe! muhahahaha! ;-)
    thanks!
    -paul
    vlado091 likes this.
    07-19-13 05:49 AM
  10. vlado091
    yeah, I'm reading the conversation. You did put a bug in his ear...
    regarding the years, you are a little older...
    three years older to be precise...

    P.S. I think that you didn't have to explain to him that it is about installing other OS on Playbook, who knows what kind of NDA they have with Blackberry, so he might not give you an answer on your last question...
    07-19-13 06:01 AM
  11. quackquack147
    yeah, I'm reading the conversation. You did put a bug in his ear...
    regarding the years, you are a little older...
    three years older to be precise...
    he is gonna ask his boss now ->
    "hey boss this crazy nut has almost reverse engineered the entire process! should we help him or should we not. because we have nothing to gain/lose from blackberry/RIM, it's history. can we unlock the info. :-D"
    because this much detailed answer he never expected. and that one liner is the silent secret answer. he knows we reverse engineered it hardware wise. and he is not admitting it. that's about it. else why will he say it in that tone?

    How did you program the xloader in eMMC at first ?

    there is a deep gravity in that one line. specific one line. i hope you got the point. ;-)

    looks like we decoded the process. happy hacking!

    thanks!
    -paul
    07-19-13 06:07 AM
  12. vlado091
    nice, but again I think (maybe I'm wrong) that you might not mention porting another OS to the Playbook. just that you need to fix your "dead" board... I'm dead sure he would probably give you more information which would eventually be useful to you. I might be wrong, but if you try to use social engineering to get more info, it would probably be better not to reveal your entire plan...

    cheers
    chesmo and WeAreNotAlone like this.
    07-19-13 06:14 AM
  13. quackquack147
    nice, but again I think (maybe I'm wrong) that you might not mention porting another OS to the Playbook. just that you need to fix your "dead" board... I'm dead sure he would probably give you more information which would eventually be useful to you. I might be wrong, but if you try to use social engineering to get more info, it would probably be better not to reveal your entire plan...

    cheers
    yes vlado, you are right i did ask him that. can i rip the chip out and put a new chip and reprogram it. this is a hard swallow for him. because whatever he gives will be really sexy. and he will take his own sweet time. i posted this thread on 14th july. and i've been patiently waiting. and here comes the final answer now. and i did tell him that the NAND is dead. and OS? he knows it for sure. once i am in, Blackberry OS is out. revealing or not doesn't matter, they are in the business for long. they know by the walk who the F is WTF! ;-)
    now?
    there can be only one.

    i got the info i needed. the last and final bit of the puzzle and it's cross checked and sealed by TI. revealing or not does not matter. so i was right from the start.
    #1. yes it has jtag!
    #2. yes bootrom is not inside cpu.
    #3. yes it can be reprogrammed.
    #4. yes it stores the keys in memory which we can read via aeskeyfind and rsakeyfind
    #5. TI doesn't embed keys in the cpu, it's done by RIM in its HQ and then ........ (this is the missing bit, but which is unnecessary)..... ;-) but can make a good story line.

    so? its time to hack! eeeeeeeeeeeeeeehawwwwwwwwwwwwwwwwwwwwwwwwwww!

    we are now close to liberation. the *nix slogan "live FREE else DIE!" ;-)

    thanks!
    -paul
    WeAreNotAlone and vlado091 like this.
    07-19-13 06:25 AM
  14. vlado091
    I love your spirit... there is no bit of pessimism in it, only optimism.
    way da go Paul...

    cheers
    chesmo likes this.
    07-19-13 06:39 AM
  15. vlado091
    This one made me laugh... Once I heard some guy/friend say: "If someone has a strong 'will' to do something, for instance hack into something, he will find his way to it, whether you like it or not..." Funny thing, you reminded me of that...
    07-19-13 06:49 AM
  16. vlado091
    as he said in the posts above, CRACKEN will be released on monday..., but only on a short leash till bootrom, bootloader and android port are finished...

    P.S. it looks like Christmas will come earlier this year thanks to Paul...
    07-19-13 06:57 AM
  17. quackquack147
    I find this only true on Playbook =)) Z10/Q10/Q5/A10 is a different matter altogether though.

    Please... RELEASE THE D*** KRAKEN!
    dear sir,
    one at a time please. first this then everything else. arm docs are generic. so i think others are equally doable. :-D TI did bite the bullet and is now finding it hard to chew.
    so the same applies for other devices. ;-) it's a matter of time...... it will also be broken.
    (me going greedy, :-D "i can take all those devices to GSOC? damn! then i am 1000% straight access to GSOC!")
    but please please please please! patience and singularity.
    one at a time.
    too many cooks spoil the broth -> too many devices spoil the concentration. ;-)
    thanks!
    -paul
    07-19-13 06:58 AM
  18. quackquack147
    as he said in the posts above, CRACKEN will be released on monday..., but only on a short leash till bootrom, bootloader and android port are finished...

    P.S. it looks like Christmas will come earlier this year thanks to Paul...
    i guess so. thanks to Heins! if he had not been "THIS BONEHEAD" you all would have had dark cold siberian winters. :-D
    thanks!
    -paul
    07-19-13 07:00 AM
  19. the_sleuth
    The first generation Kindle Fire has similar specs to the Playbook. If you are successful with your hack of the boot loader, then perhaps this forum would assist you in creating a customized Android ROM:
    Kindle Fire Android Development - xda-developers

    hmmm. this project is hardware related. code is right now nowhere near the scene for one reason. it's not fully complete. you can only build a hut if you have about 150 sqft area and that's been built. what you are asking for is a fortress when the area is still 150 sqft, let me acquire more real estate then everything will fall into pieces. got one board in hand which will allow me to wipe clean the info stored in the CPU after it was manufactured in china and sent to RIM HQ.
    it's only 4 KB so, deleting should be done in less than a second.
    that's what i will try this sunday.
    and if it works? i will release the technique. and this will free up the signature issue. then the only work left is to build a proper bootrom, bootloader and OS.
    if you aren't patient, not my fault. i lack hardware skills. and my friend comes back in town this sunday. which makes me a paralysed developer.
    once it's done? everything else should be as easy as apple pie. it's not an insult. it's repeated poking with a stick which is not funny. i am too stubborn to feel insulted. but this hanky panky, "do it now", makes me wet my pants.
    i am working, be patient. i am not like RIM who've been doing it for 2+ years.
    learn to relax.
    thanks!
    -paul
    Last edited by the_sleuth; 07-19-13 at 07:37 AM.
    07-19-13 07:17 AM
  20. xsacha
    he says bootrom cannot be edited. but how?
    Yes, the bootrom can't be edited. I have said this several times. It is write-once memory.

    If you are talking about rimboot (which is RIM's xloader): technically it can be edited. Although a method for doing so isn't guaranteed.
    07-19-13 08:18 AM
  21. quackquack147
    Yes, the bootrom can't be edited. I have said this several times.
    You are referring to the xloader instead.
    you never said it. but thanks for the self-contradiction.
    changing tones and tunes doesn't help bend facts.
    i have shot TI with a question which they are finding hard to answer, because they've been asked some very key questions.
    and i asked them right to the face, the bullet has left the gun, TI bit the bullet and is now finding it hard to chew. because i gave them the memory mapping and also the arm standards and the on off lock tick tock.
    let's see how TI plays this game. because they are right now pretty much trapped in their own trap. ;-)
    let's see how they dodge this.
    and once again? all your posts whether they are logical or not end up with a like and thanks. ;-)
    thanks!
    -paul
    jeroen_13 likes this.
    07-19-13 08:23 AM
  22. xsacha
    #1. yes it has jtag!
    It doesn't mean that it's accessible or usable post-factory. It just means that it was when TI sent it. But we'll assume it is still usable.
    #2. yes bootrom is not inside cpu.
    Actually it is. And it is write-once memory. Even the public documentation you supposedly read says this. I think you are confusing your terminology. Bootrom != bootloader (I've had to say this several times in this thread).
    #3. yes it can be reprogrammed.
    Bootrom != bootloader
    #4. yes it stored the keys in memory which we can read via aeskeyfind and rsakeyfind
    Private keys are only available on-device for information that requires re-signing. For instance, the NVRam keys are available (and I have them) because that needs to be resigned when it is modified. There are no bootrom or bootloader keys because these are not modified.
    #5. TI doesnt embed keys in the cpu its by RIM in its HQ and then ........ (this is the missing bit, but which is unnecessary)..... ;-) but can make a good story line.
    Yes, but the keys are not required to read the file. Only to sign it. So obviously they aren't included anywhere on the device.

    you never said it. but thanks for the self-contradiction.
    changing tones and tunes doesnt help bend facts.
    I haven't changed my tune once. I am still saying you are getting your terminology wrong. I have tried to teach you what a bootrom is on IRC and the forums but you still don't listen. Even when that guy (from TI?) tells you.
    07-19-13 08:54 AM
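    As an added illustration of xsacha's point above (this is example code written for this page, not code from the thread, from RIM or from TI): a model of a mask-ROM root of trust in which the immutable ROM stores only a hash of the vendor public key, checking the loader found in eMMC needs only that public key, and the signing key never has to exist on the device, so no memory scan could recover it. A Lamport one-time signature stands in for the real algorithm purely because it can be built from the standard library; the PlayBook's actual scheme, key layout and image format are assumptions not described in this thread.

```python
import hashlib
import secrets

DIGEST_BITS = 256  # SHA-256 digest length; a Lamport key holds one secret pair per digest bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(message: bytes):
    """Yield the bits of SHA-256(message), most significant first."""
    value = int.from_bytes(sha256(message), "big")
    for i in range(DIGEST_BITS):
        yield (value >> (DIGEST_BITS - 1 - i)) & 1


def lamport_keygen():
    """Run once at the signer (the vendor HQ of the thread). The secret key is never
    copied to the device; only the public key (hashes of the secrets) is."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    public = [(sha256(a), sha256(b)) for a, b in secret]
    return secret, public


def lamport_sign(secret, message: bytes):
    """Reveal, for each digest bit, the one preimage that bit selects (one-time use only)."""
    return [secret[i][bit] for i, bit in enumerate(message_bits(message))]


def lamport_verify(public, message: bytes, signature) -> bool:
    """Needs only the public key: hash each revealed preimage and compare."""
    return len(signature) == DIGEST_BITS and all(
        sha256(signature[i]) == public[i][bit] for i, bit in enumerate(message_bits(message)))


def encode_public_key(public) -> bytes:
    return b"".join(a + b for a, b in public)


class MaskRom:
    """Immutable boot ROM model (hypothetical): it stores only a hash of the vendor public
    key, fixed at manufacture, and uses it to gate whatever loader image it finds in eMMC."""

    def __init__(self, vendor_public):
        self._pk_hash = sha256(encode_public_key(vendor_public))

    def boot(self, loader_image: bytes, signature, public_key) -> bool:
        # The loader ships with its public key; the ROM first checks it against the baked-in hash
        if sha256(encode_public_key(public_key)) != self._pk_hash:
            return False
        return lamport_verify(public_key, loader_image, signature)


def demo():
    """Returns (genuine image boots, patched image rejected, image re-signed with another key rejected)."""
    vendor_secret, vendor_public = lamport_keygen()
    rom = MaskRom(vendor_public)                   # burned in at manufacture, never rewritten
    loader = b"constructed sample x-loader image"  # constructed stand-in, not a real image
    signature = lamport_sign(vendor_secret, loader)
    patched = loader + b" patched"
    other_secret, other_public = lamport_keygen()  # a second key pair the ROM does not trust
    return (rom.boot(loader, signature, vendor_public),
            rom.boot(patched, signature, vendor_public),
            rom.boot(patched, lamport_sign(other_secret, patched), other_public))
```

    The second and third results are what the ROM does with a modified loader, with or without a fresh signature: a private key that was never on the device is exactly what is missing, which is why a key-search over RAM cannot help here.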
  23. WhiteSpir1t
    The first generation Kindle Fire has similar specs to Playbook. If you are successful with your hack of the boot loader, then perhaps this forum would assist you in creating a customized Android ROM:
    Kindle Fire Android Development - xda-developers
    Xda has many things on rooting. I don't even think they're aware this is all happening in this thread.

    Posted via CB10
    jeroen_13 and zoemu like this.
    07-19-13 11:39 AM
  24. bsdnix
    It doesn't mean that it's accessible or usable post-factory. It just means that it was when TI sent it. But we'll assume it is still usable.
    Actually it is. And it is write-once memory. Even the public documentation you supposedly read says this. I think you are confusing your terminology. Bootrom != bootloader (I've had to say this several times in this thread).
    Bootrom != bootloader
    Private keys are only available on-device for information that requires re-signing. For instance, the NVRam keys are available (and I have them) because that needs to be resigned when it is modified. There are no bootrom or bootloader keys because these are not modified.
    Yes, but the keys are not required to read the file. Only to sign it. So obviously they aren't included anywhere on the device.


    I haven't changed my tune once. I am still saying you are getting your terminology wrong. I have tried to teach you what a bootrom is on IRC and the forums but you still don't listen. Even when that guy (from TI?) tells you.
    What are you trying to say, that this device cannot be unlocked?
    07-19-13 02:19 PM
  25. jeroen_13
    Wtf why is he banned ?!

    Edit: I think this is the reason?

    "Illegal Activities - Do not post, sell, link, discuss, or request warez, serials, ROMs, UDID's or illegal copies of intellectual property of others. Discussions regarding hardware or software modifications designed to steal service, such as ESN cloning & phone programming modifications are also forbidden in the forums."

    Sent from my HTC Sensation using CB Forums mobile app
    07-19-13 02:27 PM