Post-2017 support #2
Comments
I'm happy to donate microSDHC cards if you'd like to follow up, @beaups :)
Screenshots of IDA?
Cheers, haven't touched assembly in more than a decade!
neftaly - no idea if they've patched this or not, I haven't done any research on this since I wrote this article and code. It would not surprise me if they removed the functionality or changed the backdoor process or code.
@beaups do you still have the code to read out the firmware somewhere? ;)
Hi all, it would be nice if you could reverse engineer further, as those old EVO Plus cards are hard to find and changing the CID is handy to have. Thank you.
@nkichukov @neftaly what is the point of changing CID on these EVO cards? It's likely they've changed or removed the backdoor due to making this issue public.
Car and marine GPS units are locked to a CID for upgrades and maps.
Ah. I'm not interested in piracy, didn't anticipate this work being used for that.
If the card supports it, I see no reason not to maintain the code that can actually do it. If that is no longer the case, I guess we are out of luck. Piracy is not the right term, as there might be various use cases for that.
Fair enough. But the research here was done with the ultimate goal of unlocking these Samsung phones - mission accomplished. I know Samsung disabled or hid some of the memory write and code exec functions after some public speculation was raised a few years ago. It seems likely they would disable or hide this backdoor as well. The memread functions are publicly available in kernel source code, not to mention there are also firmwares in kernel source code/ffu binaries. You could always just reverse the newer firmware to see if there is still a way to accomplish this.
--beaups
I noticed that this patent also uses 0xEFAC62EC to enter factory mode, but mentions using 0x00cced82 to enable CID write. Is this related to Samsung cards?
That's an interesting find, zhuowei. Looks to be a different way to do it, and considering the factory mode command is the same, it's probably safe to assume it's Samsung related.
As of early 2017, Samsung seems to have patched the Samdunk backdoor, at least in eMMC-derived microSDHC cards (Evo+).
SAMSUNG_VENDOR_OPCODE 0xEFAC62EC seems to work, but PROGRAM_CID_OPCODE does not appear to stick.
Does vendor mode still work as expected? Is it possible to flash an old firmware dump?