Wednesday, 2013-04-10

--- Day changed Wed Apr 10 2013
00:00 <@juiceme> How I'd do it, I would ditch using CAL altogether. The way I see it it's not necessary to store the lock code in CAL anyway. I'd encrypt the whole /home partition and use the lock key to recover the passcode for encfs...
00:01 <@juiceme> That way it would be fairly secure to off-line attacks, and the lockscreen would protect from on-line attacks.
00:02 <coderus> Jonni: next try. /dev/crypto /dev/omap_sec ?
00:05 <coderus> Jonni: i'm stuck at libbb5. I see devicelockd using it for all CAL operations. Have you really changed only devicelockd, not libbb5?
00:27 -!- peterleinchen [~user@dsbg-4db59f3b.pool.mediaWays.net] has quit [Quit: [BX] Reserve your copy of BitchX-1.2c01-svn for the Nintendo Gameboy today!]
01:24 <rikanee> juiceme: you're forgetting the part where the NAND isn't actually locked in Open Mode
01:24 <rikanee> the tools are just refusing to write ;)
01:43 -!- rikanee [~rika@unaffiliated/rikanee] has quit [Ping timeout: 245 seconds]
01:51 -!- rikanee [~rika@unaffiliated/rikanee] has joined #ubiboot
02:32 -!- rikanee [~rika@unaffiliated/rikanee] has quit [Ping timeout: 252 seconds]
02:33 -!- rikanee [~rika@unaffiliated/rikanee] has joined #ubiboot
02:34 -!- rikanee [~rika@unaffiliated/rikanee] has quit [Client Quit]
02:34 -!- rikanee [~rika@unaffiliated/rikanee] has joined #ubiboot
04:42 -!- TMavica [TMavica@1-36-77-246.static.netvigator.com] has joined #ubiboot
04:44 <TMavica> hi
04:51 <TMavica> after 3 times loading harmattan, now can go in..
04:52 <TMavica> using 090413
04:55 <TMavica> https://dl.dropbox.com/u/37229054/output.txt
05:18 <TMavica> https://dl.dropbox.com/u/37229054/ubiboot.log
05:18 <TMavica> https://dl.dropbox.com/u/37229054/ubiboot.dmesg
07:28 <@juiceme> morning
07:30 <@juiceme> TMavica, thanks for the logs, I'll check them.
09:52 -!- rikanee [~rika@unaffiliated/rikanee] has quit [Quit: kthxbye]
10:43 -!- rikanee [~rika@unaffiliated/rikanee] has joined #ubiboot
11:35 <@juiceme> rikanee, hi
11:36 <rikanee> ohai, juiceme.
11:36 <@juiceme> I was thinking about this "the tools are just refusing to write"
11:36 <rikanee> juiceme: yeah, notice how usually a lock on the NAND would lock the entire NAND.
11:36 <@juiceme> I think it's partly this but doesn't it require some magic to access the protected areas?
11:37 <rikanee> juiceme: if you try to dd to and from CAL area, it doesn't stop you.
11:37 <@juiceme> by magic I mean some write cycle using specific bytes
11:37 <@juiceme> oh, is that really so?
11:37 <rikanee> well, fwiw, there are lock bytes set on the region.
11:38 <@juiceme> I was aware I can read everything but I did not know write is possible too...
11:38 <rikanee> not really lock bytes, lock flags.
11:38 <rikanee> once you start writing with the CAL library, it sees the flags and refuses write.
11:38 <rikanee> I would definitely not advise manually writing ConF entries though.
11:39 <@juiceme> that makes sense, because I wondered how would HW protection _really_ be arranged, since the mtd partition's boundaries are arbitrary anyway :)
11:40 <@juiceme> but if that is the case, what would prevent creating tools that could access the needed locations directly?
11:40 <rikanee> juiceme: the only problem is, CAL structure is unknown, and the middleware to screw with it isn't quite open.
11:40 <@juiceme> as replacement for the Harmattan tools...
11:41 <rikanee> (note: there's a flag in flash_erase to clear the LOCK flags, but that entails erasing the partition. Notice how when you reflash, the View-openmode image is rewritten into CAL, which is now "unlocked", without wiping it)
11:41 <@juiceme> but it's well known fact that obfuscation is no replacement for encryptin, ever...
11:41 <@juiceme> s/encryptin/encryption/
11:43 <@juiceme> from Jonni's openmode flashing method yesterday I kind of gathered that once the View-openmode image is removed, subsequent flashing does not recreate it any more?
11:44 <@juiceme> That the image is actually written to CAL only when the device boots the first time to Harmattan
11:44 <Jonni> juiceme: flashing never creates it, it is always created only on 1st boot on secure mode
11:44 <@juiceme> yes, that's how I understood it.
11:44 <rikanee> still, that means that the area can be unlocked without totally wiping it.
11:45 <Jonni> just pointing out that "recreate" word is wrong since flashing has never created it in the 1st place
11:45 <@juiceme> so when flashing to closedmode and immediately flashing to openmode the filesystem preparation routines cannot any longer access CAL in write mode.
11:46 <Jonni> and tools have no checking, there is no such thing as refusing to write
11:46 <Jonni> if tools refuse to write, its because its locked
11:46 <@juiceme> ok, how is the locking done, then, on HW level?
11:46 <Jonni> juiceme: exactly
11:47 <Jonni> bootloader locks the hw before xloader loads the kernel.
11:47 <@juiceme> Because as I understand, the mtd partition's boundaries are defined by the string NOLO gives to the kernel, I mean I could probably pass something totally different there as the partition table and that would be recognized as the layout?
11:48 <rikanee> juiceme: that's not exactly… safe.
11:48 <rikanee> although it is worth a try, if you relocate CAL to mtd4 area.
11:48 <@juiceme> well, not safe but what I am after here, is the implementation details
11:48 <Jonni> juiceme: its locked before kernel even loads, so even if you define custom boundaries, the hw is still locked
11:48 <rikanee> Jonni: I think what he meant was that those blocks on the MTD aren't flagged as locked
11:49 <Jonni> but yes, you could do trickery that cal is in mtd4 area, which is still unlocked.
11:49 <@juiceme> so what is the granularity of locking, is it done in 4k blocks or something?
11:50 <rikanee> well, assuming Harmattan respects those new boundaries, there's just one flaw - device isn't protected from flasher attacks.
11:50 <@juiceme> ah, so it could me circumvented taht way? Then it's not HW property?
11:50 <rikanee> juiceme: Harmattan and NOLO would be reading two different CAL areas
11:50 <@juiceme> s/me/be/ s/taht/that/
11:51 <rikanee> Harmattan sees an unlocked CAL area, while NOLO sees its locked CAL area with no PIN required to flash.
11:51 <@juiceme> yes, but if that works then it's not HW protected.
11:52 <@juiceme> because I am after something like "if there is a mapping table in MMU or CPU logic that prevents CS signal to WR pin when accessing area XXX"
11:52 <rikanee> also, since you're moving the boundaries between flash partitions, make sure you make a "hole" in the parameters you're passing to Harmattan, or else you risk people being able to flash kernels ACROSS the real MTD1 boundary
11:52 <rikanee> which is Very Very Very Bad
11:52 <@juiceme> if that ^^^ is true then it's protected :)
11:53 <rikanee> juiceme: well, we really don't want to be the ones to find that out ;)
11:53 <@juiceme> If I had devices to burn then it would be easy to find out :P
11:53 <Jonni> its safest not to mess up with CAL
11:54 <Jonni> its just invitation to bricks
11:54 <Jonni> thats why I didnt want to use mtd4&5 in my env, much nicer just to use 0p1 partition
11:54 <@juiceme> well it's safest not to do parachuting/diving/motorcycling/... still people do it :)
11:55 <@juiceme> And that's all well and good, and why ubiboot-02 is lot safer than -01
11:56 <rikanee> juiceme: speaking of which, I still haven't switched my config over from 01 to 02, I'll probably do it tomorrow.
11:56 <Jonni> but yes, if you manage to get for example mtd5 to be cal, then you have fully working openmode device without need to patch the packages.
11:57 <@juiceme> but as happened with the one device you bricked with flash-erase, devices like that might be rescued if it would be possible to recreate CAL entries on open mode...
11:57 <rikanee> juiceme: I think that's more of a "NOLO freaking out" though
11:57 <Jonni> that requires that you have backed up the CAL in the 1st place, ie its too late if you have managed to erase it without backup
11:57 <@juiceme> well yes, in that case it would be quite difficult to get anything running there
11:58 <rikanee> juiceme: it'd all be so much easier if CAL structure was understood.
11:58 <rikanee> that way, it could probably be recreated, or copied from another device.
11:59 <Jonni> cal structure is easy, you can copy and create the blocks quite easily with libcal.
11:59 <@juiceme> how individual are the CAL entries between devices, would it be possible to copy a working configuration from one to another, and then only change the bits that identify the device like IMSI's etc..?
11:59 <Jonni> but it cannot be copied from another device, as imei etc blocks are device specific and they must match the modem, otherwise it wont work
12:00 <Jonni> as modem will refuse to work if cal has mismatch
12:00 <rikanee> juiceme: the MAC address and IMEI would have to be blanked out, but that's the only major roadblock I'm aware of
12:00 <@juiceme> but you probably could change that back, the IMEI's written on the device box
12:00 <rikanee> Jonni: that sucks if it's true on Harmattan devices, as IIRC on the N900, WiFi and BT addresses were missing, while IMEI was simply copied back from BB5
12:01 <rikanee> *once CAL was wiped, on the N900
12:01 <@juiceme> If you have any kernel logs saved anywhere, you can look up those from there in case you don't have the original box any more :)
12:03 <rikanee> actually, one has to wonder about the actual relevance of the CAL partition, when NOLO could simply extract burned-in addresses from hardware devices and pass them to the kernel.
12:03 <@juiceme> But I am wondering if there's any post-production data that's saved there that would need to be correct, like on BTS'es the power level calibration, RX sensitivity tables and FHS phase calibration data is measured on the final acceptance test and written to compensation tables in device memory.
12:04 <rikanee> on, crap, yeah, right.
12:04 <@juiceme> So how is it with phones these days?
12:04 <rikanee> s/on/oh/
12:04 <rikanee> juiceme: I totally forgot that after messing with/replacing antennas, you must calibrate the device in the Nokia RF testbench.
12:05 <@juiceme> Of course that is data which might be saved on the baseband chip itself...
12:05 <rikanee> well, that we don't know.
12:12 <@juiceme> on another note altogether...
12:12 <@juiceme> I just did something quite funny actually :) :)
12:13 <@juiceme> I booted ubiboot from ubiboot :)
12:13 <TMavica> juiceme have you chk the log?
12:13 <rikanee> juiceme: kexec party?
12:13 <@juiceme> as I just made another 02 kernel, and just thought, why should I _flash_ it to test it when I have ubiboot :)
12:14 <@juiceme> TMavica, looks quite ordinary to me.
12:14 <@juiceme> how is your booting to Harmattan now, it does not work every time, but sometimes OK?
12:16 <TMavica> does not work every time
12:16 <TMavica> i now in harmattan, now try reboot and enter again
12:18 <@juiceme> rikanee, I just wanted to see if adding "dsme -d -p /lib/dsme/libstartup.so -l syslog -v 7" before "bme_RX-71 -l syslog -v 7 -c /usr/lib/hwi/hw/rx71.so -d" would enable me to run bmestat, but it still does not work, the socket "/tmp/.bmesrv" is still missing :(
12:18 <@juiceme> TMavica, from the logs I see the boot is interrupted by WD_32
12:19 <@juiceme> so there are still some watchdog related problems.
12:22 <TMavica> i reboot in harmattan and enter harmattan is ok this time, i try boot again
12:24 <TMavica> not every time success
12:24 <@juiceme> TMavica, I see you have the latest watchdog corrections, you are using the image zImage_2.6.32.54-ubiboot-02_090413
12:25 <@juiceme> but it's good to know that you CAN boot to Harmattan at all. Now we only need to find out why it cannot be done every time.
12:26 <TMavica> yes
12:26 <@juiceme> When the boot fails, you eventually come back to the menu, right?
12:26 <@juiceme> so it never any longer complains about the charger problems?
12:26 <TMavica> yes, reboot self and go menu again
12:27 <TMavica> yes, charger problem no more
12:27 <@juiceme> that's good to know :)
12:27 <TMavica> i dont know it is related to fastern9 or not, i uninstalled it.
12:28 <@juiceme> well, the original problem at least was not related to fastern9. I know this because it was tried on freshly flashed device, with nothing yet installed.
12:29 <TMavica> whats autoboot means in ubiboot.conf?
12:57 <@juiceme> TMavica, sorry, was in a quick meeting
12:58 <@juiceme> autoboot setting means, if you want to boot directly to some kernel on the list, without selecting. Useful if you have just one kernel you use with Nitdroid for example.
12:59 <@juiceme> then just set autoboot to the number of the kernel you want to boot, and when you touch the icon, it will boot straight to that without requiring another touch to a kernel.
12:59 <TMavica> ok
13:00 <TMavica> i found there is new zimage for android
13:47 -!- TMavica [TMavica@1-36-77-246.static.netvigator.com] has quit [Read error: Connection reset by peer]
13:49 -!- TMavica [~TMavica@1-36-77-246.static.netvigator.com] has joined #ubiboot
14:13 <@juiceme> Jonni, it wouldn't matter what is the PR level of the device when flashing ubiboot kernel on it, right?
14:15 <@juiceme> basically what I am after, is that if I have a PR1.1 device, for example then I could clean-flash it, immediately flash ubiboot and "tar -cvf" the partitions.
14:16 <@juiceme> then, cleanflash with PR1.2 and repeat process.
14:16 <@juiceme> then, same with PR1.3 package...
14:18 <@juiceme> later on, at any given moment I can then restore the tarfiles, and have a device that boots up fresh at any PR level I wish to have.
14:19 <@juiceme> ... hmm lotsa typos using n9 console...
15:06 <rikanee> juiceme, yup, you could indeed do that, the firmware version check's only with Flasher ;)
15:11 <Jonni> or if you have 8 mmcblk partitions you can even make menus to boot between different pr images :)
15:13 <rikanee> Jonni: and presumably, 64GB of eMMC ;)
15:22 <TMavica> @juiceme why need long time to load android logo
17:22 <@juiceme> TMavica, hi, the reason it takes so _long_ time to boot android is because the zimage.pr13 does not have the l2fix :)
17:24 <@juiceme> what the "l2fix" does, it is a kernel patch that causes L2 cache to be switched on early in the kexec process. Without that patch the device will spend quite some time before eventually it will after some time execute such a code that causes a context switch that activates the cache.
17:25 <@juiceme> for same reason, when booting Harmattan the original open mode kernel takes a long time to load when compared to the l2-fixed kernel.
17:26 <@juiceme> Jonni, having all 3 PR level Harmattan OS'es (or even more, if you want to install old r&d images...) would be quite a collection :)
17:29 <@juiceme> Jonni, one other thing came to my mind... If I would leave the NOLO to an older version and load a freshly saved PR1.3 image baked on another device, I could use devicelock on an open mode kernel, right? Since if I remember correctly the CAL-wrlock was not implemented in PR1.1 release..?
17:33 <TMavica> ic
17:33 <@juiceme> oc
17:34 <@juiceme> TMavica, sure it would be possible to compile nitdroid kernel with l2fix.
17:35 <@juiceme> I maybe should look into it soma day, but last time I wanted to try that, I could not find the latest sources...
17:35 <@juiceme> s/soma/some/
17:44 <TMavica> it is not big deal, LOL. at least I wish to can success boot to harmattan, no need boot several times
17:47 <Jonni> juiceme: cal rwlock was implemented PR1.0 onwards, only thing that was changed in PR1.1 that flasher triggered open mode even on ram loading of kernel.
17:47 <@juiceme> ah, okay.
17:48 <@juiceme> I guess no devices were ever shipped with PR1.0, at least all I have seen are PR1.1 and newer.
17:48 <Jonni> devices were shipped with PR1.0, I still have at least one N9 with PR1.0
17:49 <@juiceme> that's the early ones then.
17:52 <coderus> juiceme: afaik drunkdebugger already reused your l2fix to new nitdroid kernel with ubiboot ;)
17:53 <@juiceme> coderus, excellent :)
17:53 <@juiceme> where can I get it from?
17:54 <Jonni> I'm just thinking could there even be any benefits for having pr1.0 nolo and having possibility to ram boot custom kernels in secure mode... ohwell I cant really think of a use case.
17:55 <TMavica> juiceme, i using this: http://downloads.nitdroid.com/e-yes/n9/ubiboot/zImage
17:55 <coderus> juiceme: it's not released. you can ask him privately, i think.
17:57 <@juiceme> I might do so. Or better, if I got the official latest sources I could do it myself and upload to ubiboot page...
18:14 <coderus> juiceme: well, i know l2fix not the only change he did ;)
18:15 -!- TMavica [~TMavica@1-36-77-246.static.netvigator.com] has quit []
18:17 -!- TMavica [~TMavica@1-36-77-246.static.netvigator.com] has joined #ubiboot
23:44 -!- TMavica [~TMavica@1-36-77-246.static.netvigator.com] has quit []

Generated by irclog2html.py 2.12.1 by Marius Gedminas - find it at mg.pov.lt!