Dumping flash from HTC Desire 510
Re: Dumping flash from HTC Desire 510
I personally would go this route.... https://forums.hak5.org/index.php?/t...e-4-digit-pin/
And if you can't get it to work on the device, even if it is encrypted by a pin, once you dump the eMMC it will only take 6561 digit combos to crack. My core i3 averages about 1000 passwords per second with everything running, so with that and overhead it should take around 77s to crack on my laptop.
It's a clone for the PSGroove I think it was called. Right now, there's no USB header soldered onto it. But I wonder if I can use this development board to do what they're doing with the Ducky. I believe this AT90USB162 is a Teensy clone or a Teensy++ clone.
It's been a while, but I need the source code I think, so I can compile it. I don't remember how I compile it, I think I need to set up a cross-compiler on my Linux box. But I remember with this one, I need to modify the code a little and add a bit so when I press the button on my dev stick, it goes into program mode. I think there was some special modified PSGroove payload I used back then, that added the reset button stuff. Man, I wish I could remember more.
Thanks!
-- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
Re: Dumping flash from HTC Desire 510
I looked into the Z3x and I don't think it can help, but maybe I misunderstood. I looked into a lot of those devices (like the Jiif box or whatever it's called). In fact, the Z3x software that I downloaded shows JTAG and eMMC pinouts. But the problem was it doesn't have any pictures for this model. From reading a bunch of threads, the only way people were able to extract the NAND was off-chip. So I kinda ruled out the special boxes.
Re: Dumping flash from HTC Desire 510
At least you aren't this guy spork. http://rare.us/rare-politics/rare-li...t-was-cocaine/
Re: Dumping flash from HTC Desire 510
Stj and I think maybe Diif (I can't remember) know a lot about the phone PIN and the SIM pin and the PUK and how it all works. Until I received this phone, I didn't even know there was a PUK.
I highly doubt it's a 4 digit PIN, but I figured at least it'd be worth a shot. Someone else said that the flash isn't encrypted by default. My wife made the call to the electrician and told him to go ahead with the panel upgrade (he's removing a panel and a subpanel and upgrading us to 200-amp service). Once that's done, I'll have my BGA rework station up and running, and then I can look at off-chip removal using that NAND to SD card adapter that Diif pointed me to. I believe I have the equipment to remove the NAND as it is, but I want to make sure I can put it back on when I'm done. I don't want to give the phone back and be like sorry, couldn't get it, by the way, I broke the phone!
There's some sort of glue around the NAND though. And I'll have to figure out the best way to remove that. It's shiny glue and it looks really hard. Almost like some sort of epoxy that's designed to make removing the NAND in one piece impossible. I hope it's nothing crazy like that.
Re: Dumping flash from HTC Desire 510
I found the code I need to add to the main() function on the Teensy 1.0 clone board (the one with the AT162USB).
Code:
/* Prototype declaration. */
void (*start_bootloader)(void) = (void (*)(void))0x1800;

/* add after main() and after the for(;;) loop to allow */
/* the device to go into DFU mode. */
if ((PIND & (1 << 7)) == 0) {
    TIMSK1 = 0;             // Disable timer interrupt
    USB_ShutDown();         // Shutdown USB
    _delay_ms(100);         // Wait
    (*start_bootloader)();
}
I could test it on the laptop. Have it enter 5 4-digit numbers, pause for 30 seconds, try continue again....
Re: Dumping flash from HTC Desire 510
AT90USB162, sorry.
Re: Dumping flash from HTC Desire 510
The code to try all the combinations is in the link gootron posted. Although checking it looks like the 510 does not support USB HID so the teensy won't work.
I haven't pointed you to a NAND to SD card adapter. I personally don't believe dumping the flash will reveal the PIN. I have an interest in data recovery especially flash. All the videos I've watched of data recovery of any type of flash including eMMC have required dedicated expensive software to make sense of the dump and also hardware to connect to the reader. Micro SD are soldered by hand but eMMC go in jigs.
If you were to use the top heater on your BGA, every solder joint on that board will be molten.
Re: Dumping flash from HTC Desire 510
So we don't want every solder joint on that board to be molten, just the BGA chip. I can use the hot air with a special nozzle to remove it (the WHA-900), but how would I reattach it successfully? With BGA components, there's profiles that need to be followed.
For the 3DS I did, I just soldered directly to the eMMC flash and read it in the SD card. I can show you the cable I made. The software though, I was thinking something like binwalk. I don't remember what I did with the data, but I know I did this to downgrade the firmware version.
You have a valid point though, I mean, the way flash data is laid out, I don't think I can just carve the data and look for headers / footers or anything like that. Maybe it's just time to call it quits.
Last edited by Spork Schivago; 07-03-2017, 06:46 PM.
Re: Dumping flash from HTC Desire 510
That specialized software is there because being a Unix/Linux/BSD engineer is hard.
Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
Last edited by goontron; 07-03-2017, 08:51 PM.
Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....
"Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me
Excuse me while i do something dangerous
You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.
Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore
Follow the white rabbit.
Re: Dumping flash from HTC Desire 510
Anyway, I actually made some progress. I tried a bunch of stuff and got it so I could go into fastboot. I disabled driver signature in Windows 10 and installed some fastboot drivers or whatever they're called. Fastboot devices showed the phone. Still nothing with ADB. So I start adb with:
adb status-window
and see:
Code:
[2J[2HAndroid Debug Bridge State: unknown
I copied everything real quick and then the window disappears.
Guess what I find on it? Child porn. But they're in the thumbnails folder and not real children, they're like CGId or something. Very disgusting though. Not sure what to do now. I made a copy of everything that I could. I highly doubt anything's in there that could help recover the pin.
There's one image of a real girl in her underwear, taking her shirt off. It's in the DCIM\.thumbnails folder. I don't think that's an Android folder though, is it?
There's only a background image in the Pictures folder.
I called the family, even though it's late. I guess they lied a little to me. They said they thought this might be on there. I guess they took the phone to the police to have them search it, but the cops refused, saying too many people had touched the phone and just gave it back, they never said they couldn't get it or anything. They said they just didn't want to say anything to me about it and wanted to wait to see what I found.
Now they said they want me to destroy the phone and everything on it so I don't get in trouble and they want me to delete everything I've recovered now. Even though the pictures are computer generated, I don't see why someone would want these. They're of little kids. It makes me sick to my stomach. I got a little daughter and all I can think was this guy was living in the same town with her. Maybe if she was a bit older, outside playing by herself, he would have kidnaped her? Freaking sickos!
Re: Dumping flash from HTC Desire 510
How does that Z3x work? Do you need to hook up to the JTAG TAPs or can you do it all over the USB cable or something? Maybe the 0PCV200 is CDMA and the 0PCV100 is GSM? I also have the JTAG pinouts for the OPCV200, but I think you do as well, if you have the Z3x. They're in the c:\Program Files\Z3X\EasyJTAG\PinoutsJTAG\HTC_Desire_CDMA.jpg file.
I think you might find problems with hooking up to the JTAG interface though. I think the issue is something with the Vcc dropping after so many seconds.
Thanks and please keep me posted on your progress.
Re: Dumping flash from HTC Desire 510
Notice most are Windows yeah? A Linux boxen would be able to understand the filesystems that Windows needs special software to read, and can even make sense of the partition table, which again, needs compatibility layers for Windows. On Linux, a partition table image "GPT.bin" would help. Otherwise the data you are looking for is on either a Jffs2, FAT (on real early devices), or EXT filesystem.
That specialized software is there because being a Unix/Linux/BSD engineer is hard.
Now: Spork. Are you just trying to unlock the phone for use? If so you can wipe data from fastboot.
Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.
Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?
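Added example, not part of any post in this thread: one way to check the question above on a raw eMMC dump is to read the GPT and test the start of each partition for the ext, FAT and JFFS2 magic values. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def probe_fs(buf):
    """Guess the filesystem at the start of buf from well-known magic values."""
    if len(buf) >= 0x43A and buf[0x438:0x43A] == b"\x53\xef":
        return "ext2/3/4"   # superblock at offset 1024, s_magic 0xEF53 at +56
    if buf[510:512] == b"\x55\xaa" and b"FAT" in (buf[54:57], buf[82:85]):
        return "FAT"        # boot signature plus FAT12/16 or FAT32 type string
    if buf[:2] in (b"\x85\x19", b"\x19\x85"):
        return "JFFS2"      # node magic 0x1985 in either byte order
    return "unknown"        # raw blob, encrypted or proprietary layout

def list_partitions(image):
    """Parse the GPT of a raw dump; return [(name, first_lba, last_lba, fs)]."""
    hdr = image[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":  # no GPT: probe the image as one volume
        return [("whole image", 0, len(image) // SECTOR - 1, probe_fs(image))]
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 128 or entry[:16] == bytes(16):
            continue            # truncated dump or unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
        fs = probe_fs(image[first * SECTOR:first * SECTOR + 2048])
        found.append((name, first, last, fs))
    return found

def build_sample():
    """Constructed 32 KiB image (not from a real phone) with three partitions."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    parts = [("userdata", 8, 15), ("modem", 16, 23), ("boot", 24, 31)]
    for i, (name, first, last) in enumerate(parts):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = b"\x01" * 16                   # dummy type GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    img[8 * SECTOR + 0x438:8 * SECTOR + 0x43A] = b"\x53\xef"  # ext magic
    img[16 * SECTOR + 54:16 * SECTOR + 59] = b"FAT16"
    img[16 * SECTOR + 510:16 * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    print(*list_partitions(build_sample()), sep="\n")
```

A partition reported as "unknown" is not necessarily damaged: it can hold a boot image, an encrypted volume or a vendor-specific layout, none of which carry these magic values.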
Re: Dumping flash from HTC Desire 510
the DCIM folder is the destination for stuff taken by the camera!
so you may want to check the date on the image and try and find out who she is.
be careful about your legal situation though - you're not supposed to have that personal image, and showing it around could be a problem.
Re: Dumping flash from HTC Desire 510
No, they told me he was missing and they thought where he might be could be in a text message, but I guess they wanted me to try and get in and see if there was child porn on there, which there was, well, kinda.
Are all Android flash images mountable on Linux? Because I know not all flash images are. My Rigol DP800 power supply's decrypted firmware is hard to figure out. Granted, that's not a copy of the flash, but the flash is in there. It's weird. Strings like http aren't http. They're stuff like ht~p or something odd. Originally, we thought the decryption algorithm was flawed, but someone else smarter came along and said they believe that's just how it's stored in the flash as raw data.
Essentially, I guess what I'm asking, do all flashes have a popular filesystem, like EXT3 or 4 or FAT, etc, or could it be a proprietary format?
Last edited by goontron; 07-03-2017, 10:51 PM.