19 października 2011
Sansa Connect hacking cz.5 - Flashing bootloader
This method has been authored by Tomasz Moń. Reprint of this text is permitted as long as proper attribution is provided.
Preparation
Bootloader code
At first, dump the original bootloader, I used the OF (Original Firmware) command line.
dd if=/dev/mtd0 of=/mnt/mmc/boot.bin
Then we need to apply patches over the binary file, as described in my previous entry there are three 32-bit values to change. During bootstrap, bootloader is copying itself from 0x100000 (which maps directly to NOR flash) to 0x1300180 (which is in SDRAM) - hence we need to subtract 0x1300180 from the addresses used in memory patch. Also take note the ARM core is running in LE mode.
Changes to bootloader code
| Offset | Original bytes | Patched bytes | Original instruction | Patched instruction |
|---|---|---|---|---|
| 0x178C | 3C 17 00 EB | 00 00 A0 E3 | BL 0x1307604 | MOV R0, #0 |
| 0x179C | 0C C0 9D E5 | 02 C0 A0 E3 | LDR R12, [SP,#0x568+var55C] | MOV R12, #2 |
| 0x1938 | 36 17 00 EB | 00 00 A0 E3 | BL 0x1307798 | MOV R0, #0 |
After patching using hex editor, I saved the patched file under name boot.patched.
Soldering
Due to hardware block protection applied to the NOR flash chip, it's required to use one of the high voltage methods to be able to flash protected sectors.
Use sharp yet thin tool to break the connection between Vcc and WP/ACC (marked with blue line on the image above) - I used small flat screwdriver. Solder the wire to WP/ACC pad, and solder another one to GND (the latter is far easier than the former).
I used the tape to fix the cable to the PCB to relieve the solder joint from any stresses that could occur whilst moving the cable.
Flashing
Connect power supply
Connect the previously soldered wires to bench power supply.
During startup (of the player), set the power supply to 0V or 3V (doesn't really matter which one of these two you use). Once logging into shell, put high voltage (any value from 8.5V to 12.5V) on the WP/ACC pin. As you can see on the following photo, I used 9V.
Flash modified bootloader
Actual flashing procedure is easy, just execute following commands:
flash_eraseall /dev/mtd0 cat /mnt/mmc/boot.patched > /dev/mtd0
When it finishes, set the power supply to 0V, check if the bootloader is flashed properly (I dumped it again and checked the md5sum of resulting file) - if everything is fine, reboot the player and enjoy the ability to boot unsigned code on it.
Remove wires
Last step is desoldering the wires. Don't forget to short back the WP/ACC with Vcc - the device may malfuction if you forget to do so!
Dodaj komentarz