
Dumping flash from HTC Desire 510


    #41
    Re: Dumping flash from HTC Desire 510

    Originally posted by stj:
    so the phone is asking for a PIN without the SIM?
    Yes.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



      #42
      Re: Dumping flash from HTC Desire 510

      Originally posted by goontron:
      I personally would go this route.... https://forums.hak5.org/index.php?/t...e-4-digit-pin/

      And if you can't get it to work on the device, even if it is encrypted by a pin, once you dump the eMMC it will only take 6561 digit combos to crack. My core i3 averages about 1000 passwords per second with everything running, so with that and overhead it should take around 77s to crack on my laptop.
      Wow, if I'm understanding this correctly, the phone would need to support a USB keyboard. How can I verify? I don't think I have an adapter to go from normal USB to micro-USB. Also, I have a development board that has the AT90USB162 Atmel chip on it. I used it a long time ago to run unsigned packages on the PS3, back when it was running firmware 3.21.

      It's a clone for the PSGroove I think it was called. Right now, there's no USB header soldered onto it. But I wonder if I can use this development board to do what they're doing with the Ducky. I believe this AT90USB162 is a Teensy clone or a Teensy++ clone.

      It's been a while, but I need the source code I think, so I can compile it. I don't remember how I compile it, I think I need to setup a cross-compiler on my Linux box. But I remember with this one, I need to modify the code a little and add a bit so when I press the button on my dev stick, it goes into program mode. I think there was some special modified PSGroove payload I used back then, that added the reset button stuff. Man, I wish I could remember more.

      Thanks!


        #43
        Re: Dumping flash from HTC Desire 510

        16.6 hours to enter all 4-digit PINs manually with the 30-second timeout.



          #44
          Re: Dumping flash from HTC Desire 510

          Well, it is really very hard to believe. The PIN is linked with the SIM card. You may have locked the phone, but it is linked with the phone locking code, not with the SIM card.



            #45
            Re: Dumping flash from HTC Desire 510

            Originally posted by diif:
            That's providing the PIN was 4 digits and Spork has a Rubber Ducky/Teensy.
            If it is 4 digits Spork would have been done by now trying them manually.
            Quicker to buy one of the boxes that plug into the phone/PC and can unlock PINs and reset patterns: Z3x, Volcano, etc.
            I haven't manually entered them. After 5 attempts I think (maybe 3), it makes me wait 30 seconds. I do have a Teensy clone with an Atmel AT162USB. I want to see if I can program that with the payload for the Rubber Ducky. It might be worth at least trying the 4-digit, maybe even 5-digit, PINs, especially if I don't need to purchase a Rubber Ducky.

            I looked into the Z3x and I don't think it can help, but maybe I misunderstood. I looked into a lot of those devices (like the Jiif box or whatever it's called). In fact, the Z3x software that I downloaded shows JTAG and eMMC pinouts. But the problem was it doesn't have any pictures for this model. From reading a bunch of threads, the only way people were able to extract the NAND was off-chip. So I kinda ruled out the special boxes.


              #46
              Re: Dumping flash from HTC Desire 510

              Originally posted by gabiz_ro:
              Don't try to unlock bootloader.
              After bootloader unlock HTC perform a hard reset and everything is erased.
              Yes, unfortunately, the only ways I could find to unlock the bootloader involved a hard reset of the phone. Thanks though.


                #47
                Re: Dumping flash from HTC Desire 510

                Originally posted by goontron:
                At least you aren't this guy spork. http://rare.us/rare-politics/rare-li...t-was-cocaine/
                That's freaking insane!!!!! I wonder if he would have a lawsuit that he could win. Maybe I'll start carrying around a baggy of drywall dust on me!


                  #48
                  Re: Dumping flash from HTC Desire 510

                  Originally posted by Jane:
                  Well, it is really very hard to believe. The PIN is linked with the SIM card. You may have locked the phone, but it is linked with the phone locking code, not with the SIM card.
                  This is why I thought the PUK could reset the phone PIN. I think the fact that the PIN is missing, I have an infinite number of tries and so long as a SIM isn't entered into the phone, I will never be asked for the PUK. Whereas, if the SIM was in the phone, after 10 attempts or so, even with the correct phone PIN, I'd need the PUK to unlock it.

                  Stj and I think maybe Diif (I can't remember) know a lot about the phone PIN and the SIM pin and the PUK and how it all works. Until I received this phone, I didn't even know there was a PUK.

                  I highly doubt it's a 4 digit PIN, but I figured at least it'd be worth a shot. Someone else said that the flash isn't encrypted by default. My wife made the call to the electrician and told him to go ahead with the panel upgrade (he's removing a panel and a subpanel and upgrading us to 200-amp service). Once that's done, I'll have my BGA rework station up and running, and then I can look at off-chip removal using that NAND to SD card adapter that Diif pointed me to. I believe I have the equipment to remove the NAND as it is, but I want to make sure I can put it back on when I'm done. I don't want to give the phone back and be like sorry, couldn't get it, by the way, I broke the phone!

                  There's some sort of glue around the NAND though. And I'll have to figure out the best way to remove that. It's shiny glue and it looks really hard. Almost like some sort of epoxy that's designed to make removing the NAND in one piece impossible. I hope it's nothing crazy like that.


                    #49
                    Re: Dumping flash from HTC Desire 510

                    I found the code I need to add to the main() function on the Teensy 1.0 clone board (the one with the AT162USB).

                    Code:
                    #include <avr/io.h>
                    #include <util/delay.h>             /* _delay_ms(); build with -DF_CPU=<clock in Hz> */
                    #include <LUFA/Drivers/USB/USB.h>   /* USB_ShutDown(); the PSGroove payload is built on LUFA */
                    
                    /* DFU bootloader entry in the AT90USB162 boot section:
                     * word address 0x1800 == byte address 0x3000 (top 4 KB of the 16 KB flash). */
                    void (*start_bootloader)(void) = (void (*)(void))0x1800;
                    
                    /* Put this inside main()'s for(;;) loop so it is checked on every pass
                     * (code placed after an infinite loop is never reached). The HWB push
                     * button on PD7 reads low when pressed and drops the device into DFU mode. */
                    if ((PIND & (1 << 7)) == 0) {
                        TIMSK1 = 0;              /* disable the timer interrupt */
                        USB_ShutDown();          /* detach cleanly from the host */
                        _delay_ms(100);          /* give the host time to notice the detach */
                        (*start_bootloader)();   /* jump into the bootloader; never returns */
                    }
                    There isn't much memory on this device. I wonder how hard it'd be to write some code that would just make it act like a keyboard and loop through the numbers, maybe trying some more common ones first (i.e., 1234, 2345, 3456, 4567, 5678, 6789, 7890, 8901, 9012, 2109, 1089, 0987, 9876, 8765, etc.).

                    I could test it on the laptop. Have it enter 5 4-digit numbers, pause for 30 seconds, then continue again....


                      #50
                      Re: Dumping flash from HTC Desire 510

                      AT90USB162, sorry.
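The arithmetic behind this part of the thread (diif's 16.6 hours in #43, Spork's "5 guesses, then a 30-second wait" and "common PINs first" ordering in #49) is worth writing down once. The block below is an added example, not code from the thread or from the Hak5 link: it builds the guess order with runs, repeated digits and years first, and works out how long a lockout-throttled sequence takes. The lockout parameters come from the posts; the keystroke entry time and which patterns count as "common" are assumptions. It generates and schedules guesses only; it sends nothing to a phone.

```python
# Added example (not code from the thread): order 4-digit PIN guesses with
# common patterns first and work out how long a "5 tries, then 30 s lockout"
# schedule takes. Lockout parameters come from the posts above; the keystroke
# entry time and the list of "common" patterns are assumptions.
from itertools import product

DIGITS = "0123456789"


def common_pins(length=4):
    """Guesses worth trying first: ascending/descending runs (with wrap-around,
    so 7890 and 9012 count), repeated digits, and, for 4 digits, recent years.
    Which patterns count as 'common' is this example's assumption."""
    pins = []
    for start in range(10):
        pins.append("".join(DIGITS[(start + i) % 10] for i in range(length)))  # 1234, 7890, ...
        pins.append("".join(DIGITS[(start - i) % 10] for i in range(length)))  # 4321, 2109, ...
    pins += [d * length for d in DIGITS]                                        # 0000, 1111, ...
    if length == 4:
        pins += [str(year) for year in range(1950, 2018)]                        # birth years
    ordered, seen = [], set()
    for p in pins:                      # dedupe while keeping first-seen order
        if p not in seen:
            seen.add(p)
            ordered.append(p)
    return ordered


def candidate_order(length=4):
    """Every 10**length PIN exactly once: common ones first, then the rest in numeric order."""
    first = common_pins(length)
    seen = set(first)
    rest = ["".join(t) for t in product(DIGITS, repeat=length) if "".join(t) not in seen]
    return first + rest


def time_to_exhaust(n_guesses, tries_per_window=5, lockout_s=30, entry_s=0.0):
    """Worst-case seconds to make n_guesses: tries_per_window guesses, a lockout,
    repeat; no lockout is charged after the final window. entry_s is the time to
    type one PIN and see it rejected (assumed; 0 gives the pure lockout cost)."""
    windows = -(-n_guesses // tries_per_window)        # ceiling division
    return n_guesses * entry_s + max(windows - 1, 0) * lockout_s


def time_to_hit(pin, order, **throttle):
    """Seconds until `pin` is tried when guessing in `order` under the throttle."""
    return time_to_exhaust(order.index(pin) + 1, **throttle)


if __name__ == "__main__":
    order = candidate_order(4)
    print(f"{len(order)} PINs, first ten: {order[:10]}")
    print(f"exhaust all 4-digit PINs: {time_to_exhaust(len(order)) / 3600:.2f} h")
    print(f"time to reach 1234: {time_to_hit('1234', order)} s, 5555: {time_to_hit('5555', order)} s")
```

With the thread's numbers (10 000 PINs, 5 guesses per 30-second lockout, zero typing time) `time_to_exhaust` gives 59 970 s, the 16.6 hours diif quoted; set `entry_s` to see how much a slow keystroke injector adds on top. The hard half of the problem is delivery: as diif notes later in the thread, a HID keyboard only helps if the phone enumerates one.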


                        #51
                        Re: Dumping flash from HTC Desire 510

                        The code to try all the combinations is in the link goontron posted. Although, checking, it looks like the 510 does not support USB HID, so the Teensy won't work.
                        I haven't pointed you to a NAND to SD card adapter. I personally don't believe dumping the flash will reveal the PIN. I have an interest in data recovery, especially flash. All the videos I've watched of data recovery of any type of flash, including eMMC, have required dedicated expensive software to make sense of the dump and also hardware to connect to the reader. Micro SD are soldered by hand but eMMC go in jigs.
                        If you were to use the top heater on your BGA, every solder joint on that board will be molten.



                          #52
                          Re: Dumping flash from HTC Desire 510

                          Originally posted by diif:
                          The code to try all the combinations is in the link goontron posted. Although, checking, it looks like the 510 does not support USB HID, so the Teensy won't work.
                          I haven't pointed you to a NAND to SD card adapter. I personally don't believe dumping the flash will reveal the PIN. I have an interest in data recovery, especially flash. All the videos I've watched of data recovery of any type of flash, including eMMC, have required dedicated expensive software to make sense of the dump and also hardware to connect to the reader. Micro SD are soldered by hand but eMMC go in jigs.
                          If you were to use the top heater on your BGA, every solder joint on that board will be molten.
                          It was Goontron that pointed me to the adapter. Sorry. I was just trying to find a way to continue working until the BGA rework station got up and running. I don't know how long it's going to take for the electrical, but first he's gotta get permits, do some work, have NYSEG come out, get some code inspector out, and after all that, come back another day to do the stuff inside.

                          So we don't want every solder joint on that board to be molten, just the BGA chip. I can use the hot air with a special nozzle to remove it (the WHA-900), but how would I reattach it successfully? With BGA components, there's profiles that need to be followed.

                          For the 3DS I did, I just soldered directly to the eMMC flash and read it in the SD card. I can show you the cable I made. The software though, I was thinking something like binwalk. I don't remember what I did with the data, but I know I did this to downgrade the firmware version.

                          You have a valid point though, I mean, the way flash data is laid out, I don't think I can just carve the data and look for headers / footers or anything like that. Maybe it's just time to call it quits.
                          Last edited by Spork Schivago; 07-03-2017, 06:46 PM.


                            #53
                            Re: Dumping flash from HTC Desire 510

                            My BGA station is dark IR, so if I used mine on a phone board I think bad things would happen. When reworking small stuff with hot air, I try and emulate the same kind of profile as when doing BGA rework.



                              #54
                              Re: Dumping flash from HTC Desire 510

                              Found a 0PCV200 Desire 510.
                              When I have some free time I'll set a PIN code as the security protection and try to recover some data using Z3X JTAG.



                                #55
                                Re: Dumping flash from HTC Desire 510

                                Originally posted by diif:
                                All the videos I've watched of data recovery of any type of flash, including eMMC, have required dedicated expensive software to make sense of the dump
                                Notice most are Windows, yeah? A Linux box would be able to understand the filesystems that Windows needs special software to read, and can even make sense of the partition table, which again needs compatibility layers on Windows. On Linux, a partition table image "GPT.bin" would help. Otherwise the data you are looking for is on either a JFFS2, FAT (on real early devices), or EXT filesystem.

                                That specialized software is there because being a Unix/Linux/BSD engineer is hard.


                                Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
                                Last edited by goontron; 07-03-2017, 08:51 PM.
                                Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

                                "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

                                Excuse me while i do something dangerous


                                You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

                                Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

                                Follow the white rabbit.



                                  #56
                                  Re: Dumping flash from HTC Desire 510

                                  Originally posted by diif:
                                  My BGA station is dark IR, so if I used mine on a phone board I think bad things would happen. When reworking small stuff with hot air, I try and emulate the same kind of profile as when doing BGA rework.
                                  My BGA rework has hot air for the top and bottom, plus some IR for the preheaters. But I don't have a nozzle for the flash chip for the BGA rework station. Just semi-generic nozzles.

                                  Anyway, I actually made some progress. I tried a bunch of stuff and got it so I could go into fastboot. I disabled driver signature in Windows 10 and installed some fastboot drivers or whatever they're called. Fastboot devices showed the phone. Still nothing with ADB. So I start adb with:
                                  adb status-window

                                  and see:
                                  Code:
                                  Android Debug Bridge
                                  State: unknown
                                  Then I restart the phone, but I click on Recovery. It tries booting into the recovery thing and I hold the Volume Up and Power buttons, but I don't think it registered the Volume Up. It restarts and all of a sudden, in Windows, I get access to the MTP device.

                                  I copied everything real quick and then the window disappears.

                                  Guess what I find on it? Child porn. But they're in the thumbnails folder and not real children, they're like CGI'd or something. Very disgusting though. Not sure what to do now. I made a copy of everything that I could. I highly doubt anything's in there that could help recover the PIN.

                                  There's one image of a real girl in her underwear, taking her shirt off. It's in the DCIM\.thumbnails folder. I don't think that's an Android folder though, is it?

                                  There's only a background image in the Pictures folder.

                                  I called the family, even though it's late. I guess they lied a little to me. They said they thought this might be on there. I guess they took the phone to the police to have them search it, but the cops refused, saying too many people had touched the phone and just gave it back, they never said they couldn't get it or anything. They said they just didn't want to say anything to me about it and wanted to wait to see what I found.

                                  Now they said they want me to destroy the phone and everything on it so I don't get in trouble, and they want me to delete everything I've recovered now. Even though the pictures are computer generated, I don't see why someone would want these. They're of little kids. It makes me sick to my stomach. I got a little daughter and all I can think was this guy was living in the same town with her. Maybe if she was a bit older, outside playing by herself, he would have kidnapped her? Freaking sickos!


                                    #57
                                    Re: Dumping flash from HTC Desire 510

                                    Originally posted by gabiz_ro:
                                    Found a 0PCV200 Desire 510.
                                    When I have some free time I'll set a PIN code as the security protection and try to recover some data using Z3X JTAG.
                                    I can give you the eMMC pinouts for the 0PCV200 Desire 510. This is the 0PCV100. I think I even posted the pinouts on the first page, thinking the board would be the same, but it's not.

                                    How does that Z3x work? Do you need to hook up to the JTAG TAPs or can you do it all over the USB cable or something? Maybe the 0PCV200 is CDMA and the 0PCV100 is GSM? I also have the JTAG pinouts for the 0PCV200, but I think you do as well, if you have the Z3x. They're in the c:\Program Files\Z3X\EasyJTAG\PinoutsJTAG\HTC_Desire_CDMA.jpg file.

                                    I think you might find problems with hooking up to the JTAG interface though. I think the issue is something with the Vcc dropping after so many seconds.

                                    Thanks and please keep me posted on your progress.


                                      #58
                                      Re: Dumping flash from HTC Desire 510

                                      Originally posted by goontron:
                                      Notice most are Windows, yeah? A Linux box would be able to understand the filesystems that Windows needs special software to read, and can even make sense of the partition table, which again needs compatibility layers on Windows. On Linux, a partition table image "GPT.bin" would help. Otherwise the data you are looking for is on either a JFFS2, FAT (on real early devices), or EXT filesystem.

                                      That specialized software is there because being a Unix/Linux/BSD engineer is hard.


                                      Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
                                      No, they told me he was missing and they thought where he might be could be in a text message, but I guess they wanted me to try and get in and see if there was child porn on there, which there was, well, kinda.

                                      Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.

                                      Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?


                                        #59
                                        Re: Dumping flash from HTC Desire 510

                                        The DCIM folder is the destination for stuff taken by the camera!
                                        So you may want to check the date on the image and try to find out who she is.
                                        Be careful about your legal situation though: you're not supposed to have that personal image, and showing it around could be a problem.



                                          #60
                                          Re: Dumping flash from HTC Desire 510

                                          Originally posted by Spork Schivago:
                                          No, they told me he was missing and they thought where he might be could be in a text message, but I guess they wanted me to try and get in and see if there was child porn on there, which there was, well, kinda.

                                          Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.

                                          Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?
                                          Yes. To both. Besides assholes like Shitsung (RFS, proprietary) who like to mess with shit, you will find EXTfs, F2FS, EMMC fs, YAFFS2, JFFS, and FAT. All of which are Linux supported. The DATA partition on my Moto G from around the time is EXT4. My latest phone, the current generation Moto G, is also EXT4.
                                          Last edited by goontron; 07-03-2017, 10:51 PM.
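goontron's point in #55 and #60 (a raw dump carries a GPT and Linux-native filesystems, so no special Windows software is needed to make sense of it) can be checked against the dump itself before anyone reaches for a loop mount. The block below is an added example, not code from the thread: it parses the primary GPT of a raw image, verifies both CRCs, and classifies each partition by its on-disk magic (ext2/3/4, F2FS, FAT) or flags it as high-entropy, which is what an encrypted userdata partition looks like and what answers Spork's "is it a popular filesystem or proprietary" question for a given dump. The sample image is constructed inline (four partitions, no real data); the partition names, sizes and the entropy cut-off are this example's assumptions.

```python
# Added example (not code from the thread): walk the GPT of a raw eMMC dump and
# tell what filesystem each partition carries. The sample image is constructed below.
import hashlib
import math
import struct
import uuid
import zlib

SECTOR = 512
GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"     # 92-byte GPT header at LBA 1
GPT_ENTRY_FMT = "<16s16sQQQ"           # first 56 bytes of a 128-byte entry; UTF-16LE name follows
EXT_MAGIC = 0xEF53                     # ext2/3/4: 16-bit magic at superblock+0x38 (partition offset 0x438)
F2FS_MAGIC = 0xF2F52010                # F2FS: 32-bit magic at the start of its superblock (offset 0x400)
LINUX_FS_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # generic "Linux filesystem" type
ENTROPY_LIMIT = 7.5                    # bits/byte; assumed cut-off above which data reads as encrypted/compressed


def parse_gpt(image):
    """Primary GPT at LBA 1 -> list of used partitions, with both CRCs verified."""
    hdr = image[SECTOR:2 * SECTOR]
    (sig, _rev, hdr_size, hdr_crc, _rsv, _cur, _bak, _first, _last, _disk_guid,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack_from(GPT_HDR_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (MBR-only device or misaligned dump)")
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch: corrupt or partial dump")
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:(i + 1) * entry_size]
        type_guid, _part_guid, first_lba, last_lba, _attrs = struct.unpack_from(GPT_ENTRY_FMT, entry)
        if type_guid == b"\0" * 16:            # unused slot
            continue
        parts.append({
            "name": entry[56:128].decode("utf-16-le").rstrip("\0"),
            "type": uuid.UUID(bytes_le=type_guid),
            "offset": first_lba * SECTOR,      # what mount -o offset= / losetup -o need
            "size": (last_lba - first_lba + 1) * SECTOR,
        })
    return parts


def entropy(data):
    """Shannon entropy in bits per byte: 0 for blank space, close to 8 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify_fs(image, part):
    """Classify a partition from its first bytes: filesystem magic first, entropy as fallback."""
    p = image[part["offset"]:part["offset"] + part["size"]]
    if len(p) >= 0x43A and struct.unpack_from("<H", p, 0x438)[0] == EXT_MAGIC:
        return "ext2/3/4"
    if len(p) >= 0x404 and struct.unpack_from("<I", p, 0x400)[0] == F2FS_MAGIC:
        return "f2fs"
    if len(p) >= 512 and p[510:512] == b"\x55\xaa" and b"FAT" in (p[0x36:0x39], p[0x52:0x55]):
        return "fat"
    if entropy(p[:4096]) > ENTROPY_LIMIT:
        return "high-entropy (encrypted or compressed)"
    return "unknown"


def summarize(image):
    """[(name, byte offset, classification), ...] for every partition in the dump."""
    return [(p["name"], p["offset"], identify_fs(image, p)) for p in parse_gpt(image)]


def build_sample_image():
    """Constructed 16 KiB 'dump': protective MBR, GPT, four partitions, no real data.
    userdata gets an ext4 magic, cache an F2FS magic, vendor deterministic pseudo-random bytes."""
    total_lba = 32
    img = bytearray(total_lba * SECTOR)
    img[446 + 4] = 0xEE                    # protective MBR: one partition of type 0xEE
    img[510:512] = b"\x55\xaa"
    layout = [("boot", 3, 6), ("userdata", 7, 14), ("cache", 15, 22), ("vendor", 23, 30)]
    entries = bytearray(4 * 128)
    for i, (name, first, last) in enumerate(layout):
        ent = struct.pack(GPT_ENTRY_FMT, LINUX_FS_GUID.bytes_le,
                          uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le, first, last, 0)
        entries[i * 128:(i + 1) * 128] = ent + name.encode("utf-16-le").ljust(72, b"\0")
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = struct.pack(GPT_HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, total_lba - 1, 3, 30,
                      uuid.uuid4().bytes_le, 2, 4, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]   # fill in the header CRC
    img[SECTOR:SECTOR + 92] = hdr
    struct.pack_into("<H", img, 7 * SECTOR + 0x438, EXT_MAGIC)
    struct.pack_into("<I", img, 15 * SECTOR + 0x400, F2FS_MAGIC)
    blob, chunk = b"", b"constructed seed"
    while len(blob) < 8 * SECTOR:          # high-entropy filler standing in for an encrypted partition
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    img[23 * SECTOR:31 * SECTOR] = blob[:8 * SECTOR]
    return bytes(img)


if __name__ == "__main__":
    for name, offset, kind in summarize(build_sample_image()):
        print(f"{name:<10} offset={offset:<7} {kind}")
```

Once a partition is identified, `mount -o ro,loop,offset=<offset> dump.img /mnt` on Linux gives you the filesystem with nothing more than the kernel's own drivers, which is goontron's point. A high-entropy result means the dump alone yields nothing readable, which is the caveat that matters for this thread's question of whether the flash was encrypted.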
