mirror of
https://github.com/ReneLergner/WPinternals.git
synced 2026-06-14 03:16:40 +10:00
Implemented the new flashing hack
This new flashing hack exploits a bug in flash app where it will not properly check the integrity of catalog files used in FFU files
This commit is contained in:
Gustave Monce
+201
@@ -19,6 +19,9 @@
|
||||
// DEALINGS IN THE SOFTWARE.
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
namespace WPinternals
|
||||
@@ -36,6 +39,204 @@ namespace WPinternals
|
||||
// MassStorage MassStorage = (MassStorage)Notifier.CurrentModel;
|
||||
}
|
||||
|
||||
internal static async Task RecoverBadGPT(string GPTPath, string LoadersPath)
|
||||
{
|
||||
byte[] GPT = File.ReadAllBytes(GPTPath);
|
||||
|
||||
PhoneNotifierViewModel PhoneNotifier = new PhoneNotifierViewModel();
|
||||
PhoneNotifier.Start();
|
||||
await SwitchModeViewModel.SwitchTo(PhoneNotifier, PhoneInterfaces.Qualcomm_Download);
|
||||
|
||||
byte[] RootKeyHash = null;
|
||||
if (PhoneNotifier.CurrentInterface == PhoneInterfaces.Qualcomm_Download)
|
||||
{
|
||||
QualcommDownload Download2 = new QualcommDownload((QualcommSerial)PhoneNotifier.CurrentModel);
|
||||
RootKeyHash = Download2.GetRKH();
|
||||
}
|
||||
|
||||
List<QualcommPartition> PossibleLoaders = null;
|
||||
if (PhoneNotifier.CurrentInterface == PhoneInterfaces.Qualcomm_Download)
|
||||
{
|
||||
try
|
||||
{
|
||||
PossibleLoaders = QualcommLoaders.GetPossibleLoadersForRootKeyHash(LoadersPath, RootKeyHash);
|
||||
if (PossibleLoaders.Count == 0)
|
||||
{
|
||||
throw new Exception("Error: No matching loaders found for RootKeyHash.");
|
||||
}
|
||||
}
|
||||
catch (Exception Ex)
|
||||
{
|
||||
LogFile.LogException(Ex);
|
||||
throw new Exception("Error: Unexpected error during scanning for loaders.");
|
||||
}
|
||||
}
|
||||
|
||||
QualcommSerial Serial = (QualcommSerial)PhoneNotifier.CurrentModel;
|
||||
QualcommDownload Download = new QualcommDownload(Serial);
|
||||
if (Download.IsAlive())
|
||||
{
|
||||
int Attempt = 1;
|
||||
bool Result = false;
|
||||
foreach (QualcommPartition Loader in PossibleLoaders)
|
||||
{
|
||||
LogFile.Log("Attempt " + Attempt.ToString(), LogType.ConsoleOnly);
|
||||
|
||||
try
|
||||
{
|
||||
Download.SendToPhoneMemory(0x2A000000, Loader.Binary);
|
||||
Download.StartBootloader(0x2A000000);
|
||||
Result = true;
|
||||
LogFile.Log("Loader sent successfully", LogType.ConsoleOnly);
|
||||
}
|
||||
catch { }
|
||||
|
||||
if (Result)
|
||||
break;
|
||||
|
||||
Attempt++;
|
||||
}
|
||||
Serial.Close();
|
||||
|
||||
if (!Result)
|
||||
LogFile.Log("Loader failed", LogType.ConsoleOnly);
|
||||
}
|
||||
else
|
||||
{
|
||||
LogFile.Log("Failed to communicate to Qualcomm Emergency Download mode", LogType.ConsoleOnly);
|
||||
throw new BadConnectionException();
|
||||
}
|
||||
|
||||
if (PhoneNotifier.CurrentInterface != PhoneInterfaces.Qualcomm_Flash)
|
||||
await PhoneNotifier.WaitForArrival();
|
||||
if (PhoneNotifier.CurrentInterface != PhoneInterfaces.Qualcomm_Flash)
|
||||
throw new WPinternalsException("Phone failed to switch to emergency flash mode.");
|
||||
|
||||
// Flash bootloader
|
||||
QualcommSerial Serial2 = (QualcommSerial)PhoneNotifier.CurrentModel;
|
||||
Serial2.EncodeCommands = false;
|
||||
|
||||
QualcommFlasher Flasher = new QualcommFlasher(Serial2);
|
||||
|
||||
Flasher.Hello();
|
||||
Flasher.SetSecurityMode(0);
|
||||
Flasher.OpenPartition(0x21);
|
||||
|
||||
LogFile.Log("Partition opened.", LogType.ConsoleOnly);
|
||||
|
||||
LogFile.Log("Flash GPT at 0x" + ((UInt32)0x200).ToString("X8"), LogType.ConsoleOnly);
|
||||
Flasher.Flash(0x200, GPT, 0, 0x41FF); // Bad bounds-check in the flash-loader prohibits to write the last byte.
|
||||
|
||||
Flasher.ClosePartition();
|
||||
|
||||
LogFile.Log("Partition closed. Flashing ready. Rebooting.");
|
||||
|
||||
Flasher.Reboot();
|
||||
|
||||
Flasher.CloseSerial();
|
||||
}
|
||||
|
||||
internal static async Task RewriteGPT(string GPTPath)
|
||||
{
|
||||
PhoneNotifierViewModel Notifier = new PhoneNotifierViewModel();
|
||||
Notifier.Start();
|
||||
await SwitchModeViewModel.SwitchTo(Notifier, PhoneInterfaces.Lumia_MassStorage);
|
||||
MassStorage MassStorage = (MassStorage)Notifier.CurrentModel;
|
||||
|
||||
LogFile.Log("Writing GPT to the device.", LogType.ConsoleOnly);
|
||||
MassStorage.WriteSectors(1, GPTPath);
|
||||
}
|
||||
|
||||
internal static async Task RewriteMBRGPT()
|
||||
{
|
||||
FFU FFU = new FFU(@"E:\Device Backups\Alpha\9200_1230.0025.9200.9825\RX100_9825.ffu");
|
||||
string GPTPath = @"E:\Device Backups\Alpha\9200_1230.0025.9200.9825\CorrectGPT.bin";
|
||||
|
||||
PhoneNotifierViewModel Notifier = new PhoneNotifierViewModel();
|
||||
Notifier.Start();
|
||||
await SwitchModeViewModel.SwitchTo(Notifier, PhoneInterfaces.Lumia_MassStorage);
|
||||
MassStorage MassStorage = (MassStorage)Notifier.CurrentModel;
|
||||
|
||||
byte[] MBR = FFU.GetSectors(0, 1);
|
||||
LogFile.Log("Writing MBR to the device.", LogType.ConsoleOnly);
|
||||
MassStorage.WriteSectors(0, MBR);
|
||||
|
||||
LogFile.Log("Writing GPT to the device.", LogType.ConsoleOnly);
|
||||
MassStorage.WriteSectors(1, GPTPath);
|
||||
}
|
||||
|
||||
internal static async Task RewriteParts(string PartPath)
|
||||
{
|
||||
PhoneNotifierViewModel Notifier = new PhoneNotifierViewModel();
|
||||
Notifier.Start();
|
||||
await SwitchModeViewModel.SwitchTo(Notifier, PhoneInterfaces.Lumia_MassStorage);
|
||||
MassStorage MassStorage = (MassStorage)Notifier.CurrentModel;
|
||||
|
||||
foreach (var part in Directory.EnumerateFiles(PartPath))
|
||||
{
|
||||
var partname = part.Split('\\').Last().Replace(".img", "");
|
||||
try
|
||||
{
|
||||
LogFile.Log($"Writing {partname} to the device.", LogType.ConsoleOnly);
|
||||
|
||||
LogFile.Log("", LogType.ConsoleOnly);
|
||||
|
||||
MassStorage.RestorePartition(part, partname, (v, t) =>
|
||||
{
|
||||
LogFile.Log("Progress: " + v + "%", LogType.ConsoleOnly);
|
||||
});
|
||||
LogFile.Log("", LogType.ConsoleOnly);
|
||||
}
|
||||
catch
|
||||
{
|
||||
LogFile.Log("", LogType.ConsoleOnly);
|
||||
LogFile.Log($"Failed writing {partname} to the device.", LogType.ConsoleOnly);
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
internal static void PatchImg(string dump)
|
||||
{
|
||||
using (var fil = File.Open(dump, FileMode.Open))
|
||||
{
|
||||
byte[] gptbuffer = new byte[0x4200];
|
||||
|
||||
fil.Seek(0x200, SeekOrigin.Begin);
|
||||
fil.Read(gptbuffer, 0, 0x4200);
|
||||
|
||||
uint BackupLBA = ByteOperations.ReadUInt32(gptbuffer, 0x20);
|
||||
uint LastUsableLBA = ByteOperations.ReadUInt32(gptbuffer, 0x30);
|
||||
|
||||
LogFile.Log("Previous BackupLBA: " + BackupLBA, LogType.ConsoleOnly);
|
||||
LogFile.Log("Previous LastUsableLBA: " + LastUsableLBA, LogType.ConsoleOnly);
|
||||
|
||||
uint NewBackupLBA = 62078975u;
|
||||
uint NewLastUsableLBA = 62078942u;
|
||||
|
||||
ByteOperations.WriteUInt32(gptbuffer, 0x20, NewBackupLBA);
|
||||
ByteOperations.WriteUInt32(gptbuffer, 0x30, NewLastUsableLBA);
|
||||
|
||||
uint HeaderSize = ByteOperations.ReadUInt32(gptbuffer, 0x0C);
|
||||
uint PrevCRC = ByteOperations.ReadUInt32(gptbuffer, 0x10);
|
||||
|
||||
LogFile.Log("Previous CRC: " + PrevCRC, LogType.ConsoleOnly);
|
||||
|
||||
ByteOperations.WriteUInt32(gptbuffer, 0x10, 0);
|
||||
uint NewCRC = ByteOperations.CRC32(gptbuffer, 0, HeaderSize);
|
||||
|
||||
LogFile.Log("New CRC: " + NewCRC, LogType.ConsoleOnly);
|
||||
|
||||
ByteOperations.WriteUInt32(gptbuffer, 0x10, NewCRC);
|
||||
|
||||
LogFile.Log("Writing", LogType.ConsoleOnly);
|
||||
|
||||
fil.Seek(0x200, SeekOrigin.Begin);
|
||||
fil.Write(gptbuffer, 0, 0x4200);
|
||||
|
||||
LogFile.Log("Done!", LogType.ConsoleOnly);
|
||||
}
|
||||
}
|
||||
|
||||
internal static async Task TestProgrammer(System.Threading.SynchronizationContext UIContext, string ProgrammerPath)
|
||||
{
|
||||
LogFile.BeginAction("TestProgrammer");
|
||||
|
||||
Reference in New Issue
Block a user