[17:50] <IOMonster_work> boot chain is this:
[17:50] <IOMonster_work> DBL (on chip) -> PBL (on chip?) -> SBL1 -> SBL2 -> NON-HLOS -> SBL3 -> ABOOT -> Android Kernel
[17:50] <IOMonster_work> each of those steps is sigchecked
[17:50] <IOMonster_work> each partition contains a signature chain
[17:50] <IOMonster_work> so they can also verify who loaded them
[17:50] <IOMonster_work> aboot can verify up the chain as well
[17:51] <zeest> Ah, ok. So first thing we need to bypass is SBL3, correct?
[17:51] <IOMonster_work> sort of
[17:52] <IOMonster_work> sbl3 actually contains a flag
[17:52] <IOMonster_work> that is set in misc
[17:52] <IOMonster_work> that can say "ignore sig of aboot"
[17:52] <zeest> oh
[17:52] <IOMonster_work> then you can mod aboot to your heart's desire
[17:52] <IOMonster_work> the issue is a) finding that flag, and b) if that flag is encrypted... finding out how to make one
[17:52] <zeest> hmmm. Then how do we bypass aboot's verifying process?
[17:52] <IOMonster_work> also, aboot itself contains a flag in misc that can be set to "ignore sig of android"
[17:53] <IOMonster_work> that's the trick
[17:53] <IOMonster_work> you need to decompile it to figure out what it's doing
[17:53] <zeest> ah, so we only really need to modify misc?
[17:53] <zeest> Can't you only decompile into assembly?
[17:56] <IOMonster_work> yep
[17:56] <IOMonster_work> so, from the ASM we need to figure out what's going on
[17:56] <IOMonster_work> ...and that's not my specialty
[17:57] <zeest> Nor mine, I can understand very little.
[17:58] <zeest> So misc is like aboot, not boot, correct? BTW, recovery and boot both have wallpaper on my phone
[17:58] <IOMonster_work> misc is something else
[17:58] <IOMonster_work> misc is like scratch space on the phone
[17:58] <IOMonster_work> it's just storage for the SBLs
[17:58] <IOMonster_work> and modems
[17:59] <zeest> Ah, I meant it can't be unpacked like boot can.
[17:59] <IOMonster_work> nope
[17:59] <IOMonster_work> it's just storage
[17:59] <zeest> ok, so I need to find someone who is good with asm?
[17:59] <IOMonster_work> pretty much
[18:00] <IOMonster_work> but if your bootloader is like ours
[18:00] <IOMonster_work> #5348883 - Pastie <-- will go a long way
[18:00] <zeest> And give them a decompiled version of misc?
[18:00] <IOMonster_work> misc can't be decompiled
[18:00] <zeest> disassembled* into asm*
[18:02] <IOMonster_work> nope
[18:02] <IOMonster_work> misc isn't asm
[18:02] <IOMonster_work> it's just a big file
[18:02] <IOMonster_work> there's no code in it
[18:02] <zeest> then.. where are the flags? I thought you said in misc?
[18:02] <IOMonster_work> imagine it like a giant config file
[18:02] <IOMonster_work> but with no "unlocked=true" statements
[18:02] <IOMonster_work> just things like 01 00 00 00
[18:02] <IOMonster_work> the flags are in misc
[18:02] <IOMonster_work> but they're not labeled
[18:03] <IOMonster_work> it's just data
[18:03] <zeest> Oh. And boot finds the relevant line number for the data it needs? or...
[18:03] <IOMonster_work> hexdump -C /dev/block/platform/msm_sdcc.1/by-name/misc
[18:03] <IOMonster_work> to see what i mean
[18:03] <IOMonster_work> sort of
[18:03] <IOMonster_work> it uses hex offsets
[18:03] <IOMonster_work> so, it'll look for something at 0x800+4
[18:03] <IOMonster_work> meaning read a 4-byte long int from offset 0x800 in the file
[18:04] <IOMonster_work> which if you convert 0x800 into decimal, it'll tell you how many bytes into the file that is
[18:05] <zeest> hm, ok.
[18:06] <zeest> Any idea how to find this line in aboot? Anything that really gives it away?
[18:07] <IOMonster_work> trust me it requires a lot of skill lol
[18:07] <IOMonster_work> get yourself IDA pro
[18:07] <IOMonster_work> and find someone who knows more than i do on that one