Dumping flash from HTC Desire 510
Re: Dumping flash from HTC Desire 510
Originally posted by goontron:
> I personally would go this route.... https://forums.hak5.org/index.php?/t...e-4-digit-pin/
> And if you can't get it to work on the device, even if it is encrypted by a pin, once you dump the eMMC it will only take 6561 digit combos to crack. My core i3 averages about 1000 passwords per second with everything running, so with that and overhead it should take around 77s to crack on my laptop.
It's a clone for the PSGroove I think it was called. Right now, there's no USB header soldered onto it. But I wonder if I can use this development board to do what they're doing with the Ducky. I believe this AT90USB162 is a Teensy clone or a Teensy++ clone.
It's been a while, but I need the source code I think, so I can compile it. I don't remember how I compile it, I think I need to setup a cross-compiler on my Linux box. But I remember with this one, I need to modify the code a little and add a bit so when I press the button on my dev stick, it goes into program mode. I think there was some special modified PSGroove payload I used back then, that added the reset button stuff. Man, I wish I could remember more.
Thanks!
-- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
Re: Dumping flash from HTC Desire 510
Originally posted by diif:
> That's providing the pin was 4 digits and Spork has a Rubber Ducky/Teensy.
> If it is 4 digits Spork would have been done by now trying them manually.
> Quicker to buy one of the boxes that plugs into the phone/PC that can unlock pins and reset patterns Z3x, Volcano etc.
I looked into the Z3x and I don't think it can help, but maybe I misunderstood. I looked into a lot of those devices (like the Jiif box or whatever it's called). In fact, the Z3x software that I downloaded shows JTAG and eMMC pinouts. But the problem was it doesn't have any pictures for this model. From reading a bunch of threads, the only way people were able to extract the NAND was off-chip. So I kinda ruled out the special boxes.
Re: Dumping flash from HTC Desire 510
Originally posted by gabiz_ro:
> Don't try to unlock bootloader.
> After bootloader unlock HTC performs a hard reset and everything is erased.
Re: Dumping flash from HTC Desire 510
Originally posted by goontron:
> At least you aren't this guy spork. http://rare.us/rare-politics/rare-li...t-was-cocaine/
Re: Dumping flash from HTC Desire 510
Originally posted by Jane:
> Well, it is really very hard to believe. PIN is linked with SIM card. You may have locked the phone but it is linked with the phone locking code, not with the SIM card.
Stj and I think maybe Diif (I can't remember) know a lot about the phone PIN and the SIM pin and the PUK and how it all works. Until I received this phone, I didn't even know there was a PUK.
I highly doubt it's a 4 digit PIN, but I figured at least it'd be worth a shot. Someone else said that the flash isn't encrypted by default. My wife made the call to the electrician and told him to go ahead with the panel upgrade (he's removing a panel and a subpanel and upgrading us to 200-amp service). Once that's done, I'll have my BGA rework station up and running, and then I can look at off-chip removal using that NAND to SD card adapter that Diif pointed me to. I believe I have the equipment to remove the NAND as it is, but I want to make sure I can put it back on when I'm done. I don't want to give the phone back and be like sorry, couldn't get it, by the way, I broke the phone!
There's some sort of glue around the NAND though. And I'll have to figure out the best way to remove that. It's shiny glue and it looks really hard. Almost like some sort of epoxy that's designed to make removing the NAND in one piece impossible. I hope it's nothing crazy like that.
Re: Dumping flash from HTC Desire 510
I found the code I need to add to the main() function on the Teensy 1.0 clone board (the one with the AT90USB162).
Code:
    #include <avr/io.h>
    #include <avr/interrupt.h>
    #include <util/delay.h>

    /* Prototype declaration. The DFU bootloader on the AT90USB162 lives at
       byte address 0x3000; avr-gcc function pointers are word addresses,
       hence 0x1800. */
    void (*start_bootloader)(void) = (void (*)(void))0x1800;

    /* Add after main() starts, inside the for(;;) loop (code placed after an
       infinite loop never runs), to allow the device to go into DFU mode
       when the button on PD7 (HWB) is held low. */
    if ((PIND & (1 << 7)) == 0) {
        TIMSK1 = 0;             /* Disable timer interrupt */
        USB_ShutDown();         /* Shutdown USB (older LUFA name; USB_Disable() in current LUFA) */
        _delay_ms(100);         /* Wait */
        cli();                  /* Enter the bootloader with interrupts off */
        (*start_bootloader)();
    }
I could test it on the laptop. Have it enter 5 4-digit numbers, pause for 30 seconds, then try again....
Re: Dumping flash from HTC Desire 510
The code to try all the combinations is in the link goontron posted. Although, checking, it looks like the 510 does not support USB HID, so the Teensy won't work.
I haven't pointed you to a NAND to SD card adapter. I personally don't believe dumping the flash will reveal the PIN. I have an interest in data recovery, especially flash. All the videos I've watched of data recovery of any type of flash, including eMMC, have required dedicated expensive software to make sense of the dump and also hardware to connect to the reader. Micro SD are soldered by hand but eMMC go in jigs.
If you were to use the top heater on your BGA, every solder joint on that board will be molten.
Re: Dumping flash from HTC Desire 510
Originally posted by diif:
> The code to try all the combinations is in the link goontron posted. Although, checking, it looks like the 510 does not support USB HID, so the Teensy won't work.
> I haven't pointed you to a NAND to SD card adapter. I personally don't believe dumping the flash will reveal the PIN. I have an interest in data recovery, especially flash. All the videos I've watched of data recovery of any type of flash, including eMMC, have required dedicated expensive software to make sense of the dump and also hardware to connect to the reader. Micro SD are soldered by hand but eMMC go in jigs.
> If you were to use the top heater on your BGA, every solder joint on that board will be molten.
So we don't want every solder joint on that board to be molten, just the BGA chip. I can use the hot air with a special nozzle to remove it (the WHA-900), but how would I reattach it successfully? With BGA components, there's profiles that need to be followed.
For the 3DS I did, I just soldered directly to the eMMC flash and read it in the SD card. I can show you the cable I made. The software though, I was thinking something like binwalk. I don't remember what I did with the data, but I know I did this to downgrade the firmware version.
You have a valid point though, I mean, the way flash data is laid out, I don't think I can just carve the data and look for headers / footers or anything like that. Maybe it's just time to call it quits.
Last edited by Spork Schivago; 07-03-2017, 06:46 PM.
Re: Dumping flash from HTC Desire 510
Originally posted by diif:
> All the videos I've watched of data recovery of any type of flash including eMMC have required dedicated expensive software to make sense of the dump

That specialized software is there because being a Unix/Linux/BSD engineer is hard.
Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
Last edited by goontron; 07-03-2017, 08:51 PM.
Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....
"Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me
Excuse me while i do something dangerous
You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.
Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore
Follow the white rabbit.
Re: Dumping flash from HTC Desire 510
Originally posted by diif:
> My BGA station is dark IR, so if I used mine on a phone board I think bad things would happen. When reworking small stuff with hot air, I try and emulate the same kind of profile as when doing BGA rework.
Anyway, I actually made some progress. I tried a bunch of stuff and got it so I could go into fastboot. I disabled driver signature in Windows 10 and installed some fastboot drivers or whatever they're called. Fastboot devices showed the phone. Still nothing with ADB. So I start adb with:
adb status-window
and see:
Code:
    [2J[2HAndroid Debug Bridge State: unknown
I copied everything real quick and then the window disappears.
Guess what I find on it? Child porn. But they're in the thumbnails folder and not real children, they're like CGId or something. Very disgusting though. Not sure what to do now. I made a copy of everything that I could. I highly doubt anything's in there that could help recover the pin.
There's one image of a real girl in her underwear, taking her shirt off. It's in the DCIM\.thumbnails folder. I don't think that's an Android folder though, is it?
There's only a background image in the Pictures folder.
I called the family, even though it's late. I guess they lied a little to me. They said they thought this might be on there. I guess they took the phone to the police to have them search it, but the cops refused, saying too many people had touched the phone and just gave it back, they never said they couldn't get it or anything. They said they just didn't want to say anything to me about it and wanted to wait to see what I found.
Now they said they want me to destroy the phone and everything on it so I don't get in trouble and they want me to delete everything I've recovered now. Even though the pictures are computer generated, I don't see why someone would want these. They're of little kids. It makes me sick to my stomach. I got a little daughter and all I can think was this guy was living in the same town with her. Maybe if she was a bit older, outside playing by herself, he would have kidnapped her? Freaking sickos!
Re: Dumping flash from HTC Desire 510
Originally posted by gabiz_ro:
> Found one OPCV200 Desire 510
> When I have some free time I'll set pin code as security protection and try to recover some data using Z3X Jtag.
How does that Z3x work? Do you need to hook up to the JTAG TAPs or can you do it all over the USB cable or something? Maybe the 0PCV200 is CDMA and the 0PCV100 is GSM? I also have the JTAG pinouts for the OPCV200, but I think you do as well, if you have the Z3x. They're in the c:\Program Files\Z3X\EasyJTAG\PinoutsJTAG\HTC_Desire_CDMA.jpg file.
I think you might find problems with hooking up to the JTAG interface though. I think the issue is something with the Vcc dropping after so many seconds.
Thanks and please keep me posted on your progress.
Re: Dumping flash from HTC Desire 510
Originally posted by goontron:
> Notice most are Windows yeah? A Linux boxen would be able to understand the filesystems that Windows needs special software to read, and can even make sense of the partition table, which again, needs compatibility layers for Windows. On Linux, a partition table image "GPT.bin" would help. Otherwise the data you are looking for is on either a Jffs2, FAT (on real early devices), or EXT filesystem.
> That specialized software is there because being a Unix/Linux/BSD engineer is hard.
> Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.
Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?
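On the question in the post above, and on diif's and goontron's points about needing software to make sense of a dump: an eMMC dump from an Android phone of this era is normally a plain disk image with a GPT at LBA 1, and the partitions inside it are mostly ext4 (userdata, system, cache) alongside raw vendor blobs for things like boot, recovery and the radio. So the first step on Linux is to read the partition table, carve each partition out, and mount the ones that carry a recognised filesystem read-only; binwalk is for what is left. The following is an added example written for this thread, not code from any poster: it parses a GPT with both CRC32 checks, sniffs each partition for the ext and f2fs superblock magics, and prints the dd command that carves it. The image it builds is synthetic (the partition names, LBAs and the planted ext magic are invented) so that it runs offline; for a real dump, pass open('emmc.bin', 'rb').read() to parse_gpt().

```python
"""Parse the GPT of a raw eMMC dump and guess the filesystem in each partition.

Constructed example, not the original thread's code. The image produced by
build_sample_image() is synthetic (names, LBAs and the ext magic are invented);
point parse_gpt() at open(path, 'rb').read() for a real dump.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_LEN = 92
ENTRY_LEN = 128
EXT_MAGIC_OFF, EXT_MAGIC = 0x438, 0xEF53          # ext2/3/4 superblock magic
F2FS_MAGIC_OFF, F2FS_MAGIC = 0x400, 0xF2F52010    # f2fs superblock magic


def parse_gpt(img):
    """Return [(name, first_lba, last_lba)] after checking both GPT CRC32s."""
    hdr = bytes(img[SECTOR:SECTOR + HDR_LEN])
    if hdr[:8] != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1 (wrong offset or not GPT)")
    want = struct.unpack_from("<I", hdr, 16)[0]
    # Header CRC is computed with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != want:
        raise ValueError("GPT header CRC mismatch (damaged or misaligned dump?)")
    entry_lba, n_entries, entry_len, table_crc = struct.unpack_from("<QIII", hdr, 72)
    off = entry_lba * SECTOR
    table = bytes(img[off:off + n_entries * entry_len])
    if zlib.crc32(table) != table_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_len:(i + 1) * entry_len]
        type_guid, _uniq, first, last = struct.unpack_from("<16s16sQQ", e, 0)
        if type_guid == b"\0" * 16:       # unused slot
            continue
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, first, last))
    return parts


def guess_fs(img, first_lba, last_lba):
    """Cheap magic-number sniff; 'unknown' covers raw, proprietary or encrypted data."""
    start, length = first_lba * SECTOR, (last_lba - first_lba + 1) * SECTOR
    if length > EXT_MAGIC_OFF + 2 and \
            struct.unpack_from("<H", img, start + EXT_MAGIC_OFF)[0] == EXT_MAGIC:
        return "ext2/3/4"
    if length > F2FS_MAGIC_OFF + 4 and \
            struct.unpack_from("<I", img, start + F2FS_MAGIC_OFF)[0] == F2FS_MAGIC:
        return "f2fs"
    return "unknown"


def carve_cmd(dump_path, name, first_lba, last_lba):
    """Shell command that carves one partition into its own file for mounting."""
    return (f"dd if={dump_path} of={name}.img bs={SECTOR} "
            f"skip={first_lba} count={last_lba - first_lba + 1}")


def build_sample_image(parts, total_lbas=64):
    """Constructed 32 KiB image: GPT header at LBA 1, 128-entry table at LBA 2-33."""
    n_entries = 128
    table = bytearray(n_entries * ENTRY_LEN)
    for i, (name, first, last) in enumerate(parts):
        struct.pack_into("<16s16sQQQ", table, i * ENTRY_LEN,
                         uuid.uuid4().bytes_le, uuid.uuid4().bytes_le, first, last, 0)
        raw = name.encode("utf-16-le")
        table[i * ENTRY_LEN + 56:i * ENTRY_LEN + 56 + len(raw)] = raw
    hdr = bytearray(HDR_LEN)
    struct.pack_into("<8sIII", hdr, 0, GPT_SIG, 0x00010000, HDR_LEN, 0)
    struct.pack_into("<QQQQ16sQIII", hdr, 24, 1, total_lbas - 1, 34, total_lbas - 1,
                     uuid.uuid4().bytes_le, 2, n_entries, ENTRY_LEN, zlib.crc32(table))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    img = bytearray(total_lbas * SECTOR)
    img[SECTOR:SECTOR + HDR_LEN] = hdr
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    return img


SAMPLE_PARTS = [("boot", 34, 39), ("system", 40, 49), ("userdata", 50, 63)]
SAMPLE_IMG = build_sample_image(SAMPLE_PARTS)
# Plant an ext4 superblock magic in 'userdata' so the sniffer has something to find.
struct.pack_into("<H", SAMPLE_IMG, 50 * SECTOR + EXT_MAGIC_OFF, EXT_MAGIC)


def inventory(img, dump_path="emmc.bin"):
    """(name, first, last, fs_guess, dd_command) for every partition in img."""
    return [(n, f, l, guess_fs(img, f, l), carve_cmd(dump_path, n, f, l))
            for n, f, l in parse_gpt(img)]


if __name__ == "__main__":
    for row in inventory(SAMPLE_IMG):
        print(row)
```

Partitions that come back "unknown" are raw data (boot and recovery images, modem firmware, or an encrypted userdata), which is where binwalk and strings earn their keep. A partition that sniffs as ext can be mounted with mount -o ro,loop,noload userdata.img /mnt; noload keeps the kernel from replaying the journal into the evidence copy. A GPT that fails the CRC checks usually means the dump started at the wrong offset or the reader dropped a sector, not that the table is exotic.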
Re: Dumping flash from HTC Desire 510
The DCIM folder is the destination for stuff taken by the camera!
So you may want to check the date on the image and try and find out who she is.
Be careful about your legal situation though - you're not supposed to have that personal image, and showing it around could be a problem.
Re: Dumping flash from HTC Desire 510
Originally posted by Spork Schivago:
> No, they told me he was missing and they thought where he might be could be in a text message, but I guess they wanted me to try and get in and see if there was child porn on there, which there was, well, kinda.
> Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.
> Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?

Last edited by goontron; 07-03-2017, 10:51 PM.