sony_ericsson:basics

Differences

This shows you the differences between two versions of the page.

sony_ericsson:basics [2025/09/07 22:05] – [Glossary] adminsony_ericsson:basics [2026/01/24 22:47] (current) admin
Line 8: Line 8:
 Feel free to try giving a shot at tracking down mizar (and his set up shell company). \\ Feel free to try giving a shot at tracking down mizar (and his set up shell company). \\
 </hidden> </hidden>
-The community is in search for former Omnius owners/maintainers to retrieve the source code or SEUS signing process. \\ +@vi0let/lucy: Please release non-functional Omnius server side program w/o database for reverse engineering, to retrieve signed se loaders.. should have bought it in 2018... \\
-@vi0let/lucy: Please release non-functional Omnius server side program w/o database for reverse engineering. should have bought it in 2018... \\+
  
  
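Review bot: the rewritten @vi0let/lucy line loses the context the removed sentence gave, namely that the community is looking for former Omnius owners/maintainers to recover the source code or the SEUS signing process. A reader who does not know those names can no longer tell why the request is made. Keep the general appeal as its own line and leave the personal request after it. Also tidy the new tail: "se loaders.." should read "SE loaders." to match the "signed SE loader" wording used in the Basis section of this same revision.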
Line 18: Line 17:
  
 There is a collection of tutorials here: [[https://www.akshayy.com/sonyericsson/index/]] \\ There is a collection of tutorials here: [[https://www.akshayy.com/sonyericsson/index/]] \\
 +
 +<hidden Have Gordon's Gate Flash Driver installed.>
 +You might need to turn off driver signature enforcement for Windows. \\
 +There are three common ways: \\
 +   * [[https://www.terasic.com.tw/wiki/Disable_Driver_Signature_Enforcement_in_Windows10_x64|Use Advanced Boot Menu]] → Disable Driver Signature Enforcement (temporary)
 +   * Enable Test Signing Mode (Requires Secure Boot OFF)
 +   * or better [[https://woshub.com/how-to-sign-an-unsigned-driver-for-windows-7-x64/|self-sign the drivers]]
 +
 +To use cmd command line (as admin): 
 +<code>
 +bcdedit.exe /set testsigning on     ← works with Win10/11 (needs Secure Boot OFF)
 +
 +#only for Win7/8:
 +bcdedit.exe /set nointegritychecks on
 +  or
 +bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
 +</code>
 +</hidden> \\
  
 How to use Setool2-lite for A1 phones: [[https://sony.yt/topic/3199-setool2-lite-v111-user-guide-identify-gdfs-backup-flashing-patching-unlocking/]] \\ How to use Setool2-lite for A1 phones: [[https://sony.yt/topic/3199-setool2-lite-v111-user-guide-identify-gdfs-backup-flashing-patching-unlocking/]] \\
 +Latest Setool (not lite) is broken for PDA and does not work with WinXP (works with Win7 and newer, even Win11). \\
  
 How to use A2 Uploader: [[https://sony.yt/topic/942-a2-uploader-a2-tool-tutorial/]] \\ How to use A2 Uploader: [[https://sony.yt/topic/942-a2-uploader-a2-tool-tutorial/]] \\
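Review bot: the added code block turns integrity checking off with "bcdedit.exe /set testsigning on" and "bcdedit.exe /set nointegritychecks on" but never shows how to turn it back on, and these boot settings stay in effect across reboots until they are reverted. Add the matching "off" commands directly under each "on" line, with a sentence telling the reader to run them and re-enable Secure Boot once flashing is done. Since the list itself calls self-signing the better option, put that bullet first and present test signing as the fallback. Inside the code block, the trailing "← works with Win10/11 (needs Secure Boot OFF)" and the "#only for Win7/8:" line are not cmd comments, so anyone copying the lines pastes them as part of the command; move those remarks into the prose above the block or use "rem" lines.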
Line 32: Line 50:
  
 DCU-60 USB cable is used for fastport phones. \\  DCU-60 USB cable is used for fastport phones. \\ 
-[[sony_ericsson:links#modifications|Modified DSS-20]]/25 can be used for phones with T28 Connector as serial adapter. \\+[[sony_ericsson:links#hardware_modification|Modified DSS-20]]/25 can be used for phones with T28 Connector as serial adapter. \\
  
 > Use the service cable to read (boot) logs from the phone! \\ > Use the service cable to read (boot) logs from the phone! \\
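Review bot: the new target "sony_ericsson:links#hardware_modification" cannot be checked from this diff, which only covers the basics page. DokuWiki section anchors are derived from the heading text, so confirm the heading on the links page produces exactly this anchor and that no other page still points at the old "#modifications" anchor. While touching the line, consider moving "/25" inside the link label, since it currently sits outside the brackets.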
Line 47: Line 65:
 ====== Glossary ====== ====== Glossary ======
  
-backup - if you ask yourself what it is, learn how to backup GDFS NOW! \\+backup - if you ask yourself what it is, learn how to backup GDFS / REST file NOW! \\
  
 📘 Glossary 📘 Glossary
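Review bot: the "backup" line now tells the reader to learn how to back up the "GDFS / REST file" but gives no pointer to how, and "REST file" appears here before the glossary entry that defines it. Link the line to the Setool2-lite guide already referenced on this page (its URL lists "gdfs-backup" among the covered steps) and to the new REST file entry. The GDFS entry added in this revision also names TA as the A2 equivalent, so this line should say whether TA needs the same backup.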
Line 62: Line 80:
 >    Internal hardware code name for SE baseband platforms (e.g., DB2010, DB2020, DB3150), tied to CPU, RAM, and bootloader layout. It was //Locosto// before DB-plattform. >    Internal hardware code name for SE baseband platforms (e.g., DB2010, DB2020, DB3150), tied to CPU, RAM, and bootloader layout. It was //Locosto// before DB-plattform.
  
-Certificate Colour +CDA = Customer Delivery Assembly 
->    Phones have certificate "colors": Red (retail)Brown (developer)Blue (factory)test. Brown allows to run unsigned code. CID53+ restricts patching and unsigned loader access without signed tools.  +>    The customization package that defines brandinglanguage, and region
->    "Browning": refers to changing certificate colour to "brown".  +
->    SCRC (Security Certificate) is in OTP and therefore cannot be changed (hence called OTP Cert colour). Instead the cert colour used for patching is faked: It is emulated in Loader (to skip certificate enforcement) or it is a patch-based certificate conversion, like QA-patch with DB2020.+
  
-GDFS (Global Data File System)+Certificate Colour / Domain 
 +>    Phones have a certificate "color" (also called domain): Red (retail), Brown (developer), Blue (factory)test. Brown allows reading file contents and write access to FS.  
 +>    "Browning": refers to changing certificate colour to "brown". It is currently not possible for CID80+ 
 +>    SCRC (Security Certificate) is in OTP and therefore cannot be changed (hence called OTP Cert colour). Instead the cert colour used for patching is emulated in Loader (to skip certificate enforcement) or it is a patch-based certificate conversion, like QA-patch with DB2020. 
 + 
 + 
 +GDFS (Global Data File System) / TA (Trim Area)
 >    A region of phone memory storing unique configuration. It contains IMEI, SIM/network lock info, RF calibration data, Bluetooth/WiFi addresses, call timers and also used to store flags enabling patch access.  >    A region of phone memory storing unique configuration. It contains IMEI, SIM/network lock info, RF calibration data, Bluetooth/WiFi addresses, call timers and also used to store flags enabling patch access. 
 >    BACKUP GDFS! This is unique device specific! If lost/damaged, the phone is screwed.  >    BACKUP GDFS! This is unique device specific! If lost/damaged, the phone is screwed. 
 >    Note: If you repair GDFS the 'total call timer' is reset.  >    Note: If you repair GDFS the 'total call timer' is reset. 
 +
 +REST file
 +>    'restore file' preserves FS-based customization on A1 phones and is required on flashing. A2 phones have critical data in TA. \\
 +
  
 VKP Patch VKP Patch
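Review bot: the rewritten Certificate Colour entry changes two security-relevant statements without explanation. The old text said Brown allows running unsigned code and that CID53+ restricts patching and unsigned loader access; the new text says Brown allows reading file contents and write access to FS, drops the CID53+ sentence entirely, and adds that browning is "currently not possible for CID80+". If the CID53+ restriction still holds, keep it next to the CID80+ statement so the entry covers the whole range; if it was wrong, say so in the edit summary. The same applies to the "unsigned code" claim. In the GDFS / TA entry, the heading now covers both names but the body still only says "BACKUP GDFS!"; state which platform uses which term, as the new REST file entry does for A1 and A2. The REST file entry also ends with a stray "\\" inside the quote block.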
Line 84: Line 110:
  
 QA (QuickAccess) Patch (DB2020) QA (QuickAccess) Patch (DB2020)
->    Firmware patch to disable signature checks on DB2020 phones, allowing FS/GDFS access and .vkp patching without a service box.+>    Firmware patch to disable signature checks on DB2020 phones, allowing FS/GDFS access and .vkp patching without a service box. No QA needed if you swap cert to BROWN49.  
  
 Heap Shift Heap Shift
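Review bot: the added sentence "No QA needed if you swap cert to BROWN49." uses a term the page never defines and appears to contradict the Certificate Colour entry from this same revision, which says the SCRC is in OTP and cannot be changed, only emulated in the loader or converted by a patch. Define BROWN49 in the glossary (for example, whether it means the Brown domain combined with a specific CID) and replace "swap cert" with wording that matches the emulation or patch-based conversion described there, so readers do not conclude the OTP certificate can be rewritten.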
Line 101: Line 127:
 > /ifs/ – stands for "Internal File System" > /ifs/ – stands for "Internal File System"
 > /system/ – Core Operating System Files (A2 only) > /system/ – Core Operating System Files (A2 only)
 +
 +
 +====== Basis ======
 +
 +Following is some crap that reminds me to rewrite this section. It may be untrue too. \\
 +
 +#########################\\
 +#TODO\\
 +
 +> SEMCBOOT is the bootloader in OTP. It waits for either a normal boot from flash or a service connection via USB. SEMCBOOT enforces CID/SCRC checks. 
 +
 +Methods to make SEMCBOOT see different cert colour: 
 +     * CSCA Method (obsolete)
 +     * Patch-Based Unlock (Quick Access Patch)
 +     * Bypass loaders
 +
 +> CSCA = Certificate Signed Certificate Authority (formerly sometimes just called “Central Sony Certificate Authority”) = Sony Ericsson's official signing server used to validate and authorize service operations, the phone's SEMCBOOT verified this signature
 +
 +> How does Loader bypass work?
 +<code>
 +[Phone powered on]
 +      ↓
 +[SEMCBOOT in OTP]
 +      ↓  (USB)
 +[Tool uploads signed SE loader into RAM]
 +      ↓
 +[Loader runs in RAM → certificate checks bypassed]
 +      ↓
 +[Tool can patch FS / MAIN / GDFS]
 +      ↓  (reboot)
 +[Phone back to RED, RAM cleared]
 +</code>
 +>  SEMCBOOT sees RED in OTP, but a signed SE loader loaded in service mode. The loader hooks its certificate-check routines in RAM. While the loader is active, you can patch FS, MAIN (CXC), GDFS, etc. After reboot, the loader disappears, and the phone reports RED again. A patched phone 
 +
 +################################ \\
 +
 +
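Review bot: the closing quote of the new Basis section breaks off mid-sentence at "A patched phone", which is exactly where the text would need to explain how patches written to FS, MAIN or GDFS behave after the reboot that returns the phone to RED. Finish or remove that sentence. The list heading "Methods to make SEMCBOOT see different cert colour" also conflicts with the paragraph below it, which says SEMCBOOT still sees RED in OTP and that the signed loader hooks the certificate checks in RAM; reword the heading so it does not claim SEMCBOOT itself is fooled. The CSCA line gives two different expansions of the acronym, so pick one and mark the other as a historical name only if that can be sourced. Because the section describes itself as possibly untrue, keep it inside a "hidden" block, as used elsewhere on this page, until the TODO is resolved, and check whether the heading "Basis" was meant to be "Basics".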
sony_ericsson/basics.1757275524.txt.gz · Last modified: by admin
