Maciej Grela wrote on 02.10.2012 02:00:
My colleague/friend Sergey Gridassov[1] has been developing a replacement RIL[2] for SGS2 and found everything of the above. He probably won't be posting to this list because he's not a native English speaker, but if there is enough interest (and it seems that there is), I could prepare and post the relevant instructions. It's pretty trivial actually.
Please do publish them. This is pretty cool.
Regards, Maciej Grela
Assuming you know C, consider this code: https://github.com/grindars/android_hardware_samsung_freeril/blob/jellybean/...
The boot process is IROM->PSI->EBL->SecureImage. Authenticity of PSI is not checked. He has verified this by changing the magic constant 0xDEADDEAD and booting PSI. Speaking about 0xDEADDEAD, it's a command ID which makes the PSI make a complete RAM dump. So, then he has sent the modified command and successfully obtained a dump.
The rest should be obvious from the source.
baseband-devel@lists.osmocom.org