I'm new to the community. I've spent countless hours reverse engineering assembly and tinkering with hardware on past smart devices (game consoles as well) and most times there were more paths to exploits through software alone. Sometimes exploits were found in the hardware. Sometimes directly interfacing with hardware (jumping connections to cause a short, putting the device in a recovery mode), even replacing EEPROM chips in some cases to gain kernel/firmware write access.
Has anyone explored hardware exploits?
Interesting question. I remember on one of my HTC devices (Rezound I think) the root method was to short two of the connectors under the back cover using a specific timing.
To my knowledge of browsing these forums, I have not seen anyone mention anything about this type of approach.
ssb13 said:
Interesting question. I remember on one of my HTC devices (Rezound I think) the root method was to short two of the connectors under the back cover using a specific timing.
To my knowledge of browsing these forums, I have not seen anyone mention anything about this type of approach.
Click to expand...
Click to collapse
You are right on the Rezound. I had one and it was a very nerve racking experience to short 2 pins, timed, to get s-off.
mefloump said:
You are right on the Rezound. I had one and it was a very nerve racking experience to short 2 pins, timed, to get s-off.
Click to expand...
Click to collapse
I think it took me a few tries, at least. But worth it!
If I recall correctly, the VZW Note 2 was unlocked through the UART "port" by Adam Outler.
I don't know if this area has been completely explored, but I can't imagine anyone is actively working on it.
Related
The devices are similar enough, maybe a Desire/Eris dev can take a look to find a root.
developer.htc.com
CDMA Hero users are getting ready to see our world turned upside down. Soo much is getting ready to happen, hope to see you get root soon!
Will the Sprint Hero kernel be the same as the one for our phone?
I can confirm that the CDMA Hero source makes reference to our device specific flag (CONFIG_MACH_DESIREC) in a couple different places (all in arch/arm/mach-msm/). It is worth noting that almost all the same references were found in the original Hero source. The only thing that has been added for our architecture alone was an isCDMA flag in what appears to be USB descriptor.
That said, I don't believe this is exactly our source. Based on hardware release timelines, I would expect to see ours within the next 1-2 months.
EDIT: Following up, I would expect to see our source contain files like: arch/arm/mach-msm/board-desirec-xxxxx.c
As currently these device-specific files (board-heroc-xxxx.c) are explicitly built in the Makefile by the CDMA Hero specific switch (CONFIG_MACH_HEROC).
pinksocker69 said:
I can confirm that the CDMA Hero source makes reference to our device specific flag (CONFIG_MACH_DESIREC) in a couple different places (all in arch/arm/mach-msm/). It is worth noting that almost all the same references were found in the original Hero source. The only thing that has been added for our architecture alone was an isCDMA flag in what appears to be USB descriptor.
That said, I don't believe this is exactly our source. Based on hardware release timelines, I would expect to see ours within the next 1-2 months.
EDIT: Following up, I would expect to see our source contain files like: arch/arm/mach-msm/board-desirec-xxxxx.c
As currently these device-specific files (board-heroc-xxxx.c) are explicitly built in the Makefile by the CDMA Hero specific switch (CONFIG_MACH_HEROC).
Click to expand...
Click to collapse
That may be true, but your biggest obstruction right now is unable to root the phone. It's possible that, although the phone section itself isn't exact, the rest of the kernel may be a match. If so, you may take a look for any vulnerabilities that you can use to root the phone.
tkirton said:
That may be true, but your biggest obstruction right now is unable to root the phone. It's possible that, although the phone section itself isn't exact, the rest of the kernel may be a match. If so, you may take a look for any vulnerabilities that you can use to root the phone.
Click to expand...
Click to collapse
We know that the CDMA Hero is vulnerable to the Bluetooth socket/sendpage local root escalation, which the Eris is not vulnerable to. That alone is enough to make me bench it for now.
how would you go about finding a kernel exploit?
laxattack said:
how would you go about finding a kernel exploit?
Click to expand...
Click to collapse
Tenacity. Deep knowledge of the linux kernel. Tracing through HTC's custom code and hoping to get lucky.
I know I'm probably not up for finding and writing my own exploit. Tracing through the VMSplice exploit was like looking at a book written in Chinese, and I don't consider myself awful at C. The bluetooth socket/sendpage bug was much more readable, but also a once-in-a-blue-moon exploit, I think. If someone else found an exploit, I think I'd be in at least an okay position to try to port and modify it to suit our needs, but that's about it.
me + linux, C, or code in general = :-( so that bubble just popped, lol, but my friend is a wiz at linux so time to send him the cdma hero source just for giggles, hey you never know
True! Just let him know that the major security holes (bluetooth/sendpage and vmsplice in particular; you'll see binaries exploiting these in the Hero forums referred to as asroot and asroot2) have already been patched for our phone. Thanks for bringing another into our fold!
With the IT press getting hold of information regarding the Droid X (Slashdot story here) I thought I'd start a thread regarding this significant find.
As of posting, this is not confirmed. There's no credible source for this information yet, just a community hacker like most of us. If anyone finds better sourced information, post it here.
Mods: Might want to sticky this one
From the /. article:
"If the eFuse failes to verify this information then the eFuse receives a command to "blow the fuse" or "trip the fuse". This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with."
EDIT: I understand there have been threads about this already, but they've moved down the rankings. Lots of people will be looking for information on this topic, and there doesn't seem to be any. A single thread for discussion and information posting seemed appropriate.
Go to boygeniusreport.com, scroll down and find "Reality Check: Modding the DROID X may not lead to a bricked phone."
eFuses have been in phones with TI's OMAP processors for a while now, but they have not been used to brick phones because of custom modifications to the phone. The phone still has an encrypted bootloader which will be hard to crack like just like the Milestone's but it doesnt necessarily mean that the eFuse will trip if the bootloader messed with.
Again, this is still an educated speculation and cant be confirmed until someone goes around and finds a way to unlock the bootloader and flashes a custom ROM on it (hopefully successfully )
i applaude companies that try to beef up security for their own sake. It's sort of like with the PSP, old Xbox, and Wii. They are just trying to protect their own business
We just need to worry about root for now...
Sent from my DROIDX using XDA App
The possibility of eFuse bricking your phone: officially debunked.
http://www.engadget.com/2010/07/16/motorola-responds-to-droid-x-bootloader-controversy-says-efuse/
storino03 said:
i applaude companies that try to beef up security for their own sake. It's sort of like with the PSP, old Xbox, and Wii. They are just trying to protect their own business
Click to expand...
Click to collapse
Gay
Sent from my Samsung Galaxy S using the XDA App.
WARNING
The topics discussed below are THEORETICAL only, and don't imply real world feasibility.
WARNING
That being said, let me test my understanding of how the system works:
The Droid 2 has a 'locked bootloader'. This means that the kernel has an RSA signed hash. THEORETICALLY, one could break the RSA key into its two component primes to determine the private key and enable anyone to sign a kernel correctly, thereby allowing custom kernels on the device.
If this is the case, where does the eFuse technology come into play? Is it merely a means of hard wiring the correct hash into the phone?
Also, assuming the above is correct, where can one find the public key used in the RSA key pair for the Droid 2? Thank you for your time.
I actually thought of this a couple months ago, but never got around to asking, I'd like to know also.
Can anyone confirm at least the first part of my understanding? Is there a common encryption key across all devices of the same make, or does that change within models? For example, If you knew the encryption key for a single Droid 2, does that mean you know the encryption key for every Droid 2?
Again, thanks for your time.
noctolater said:
Can anyone confirm at least the first part of my understanding? Is there a common encryption key across all devices of the same make, or does that change within models? For example, If you knew the encryption key for a single Droid 2, does that mean you know the encryption key for every Droid 2?
Again, thanks for your time.
Click to expand...
Click to collapse
Think about it. If it were really that simple, don't you think the Devs would have unlocked it by now?
DeBaKai said:
Think about it. If it were really that simple, don't you think the Devs would have unlocked it by now?
Click to expand...
Click to collapse
Even using the General Number Field Sieve, which is the best known large integer factorization method currently available, it took a group of researchers 2 years to crack a 768-bit key in 2009 (look up RSA numbers). Every bit you add doubles the difficulty of the problem, meaning a 1024-bit key would be 10^77 times harder to crack. By their estimations, it will be feasible in roughly ten years time.
So no, I don't think the Devs would have unlocked it by now. And this is why this is a THEORETICAL discussion, instead of a practical one. I understand that what I am talking about is probably not possible at this time, I just want to make sure I fully understand how the manufacturers are locking down the phones. Thanks for you time.
I understand what you are saying (and for the record, your reasoning is accurate) but even theoretically it is pretty improbable (almost impossible without aid from Moto).
You could have just as easily done some research to find your answer. Although interesting, this topic is somewhat redundant.
DeBaKai said:
I understand what you are saying (and for the record, your reasoning is accurate) but even theoretically it is pretty improbable (almost impossible without aid from Moto).
You could have just as easily done some research to find your answer. Although interesting, this topic is somewhat redundant.
Click to expand...
Click to collapse
I did do research, about a weeks worth of Google searches, before I posted this. I couldn't really find any concise locations of information, so my knowledge is piecemeal at best. I just want to test my understanding of the concepts, even though it serves no practical purpose.
That being said, if you have any links to concise descriptions, I would be more than happy to see them
Fair enough. Although I think it may take a while before you get your answer.
Unfortunately, my knowledge in this particular subject is limited. I'm not going to be of any real help. Good luck with this, though.
Hi Everybody,
so i was looking at the teardown for our little baby, when i came across this:
Toshiba THGBM5G6A2JBAIR 8GB Flash
So i went online and do a little search. It turns out that Toshiba builds other sizes of this particular chip.
Looking at the specsheet, it seems that every single spec is the same (can't post the link yet)
So i was wondering if we can replace this damn chip (since i'm stuck with an 8gb version of the Nex 4 (Yeah..since they don't sell in Italy...i had to find a compromise) I know it would take a lot of soldering works, but the real problem is: How to install the OS and stuff?
So i'm planning to ger one of this chips, or a broken phone with one of this (from 16 to idk) and try to do some research, in order to get if i can do this substitution.
So..anyone tryed this before that can help me out with some advices?
Thanks everyone and for the mods...if this is not the right place to post this, i'm sorry...:angel::angel::angel:
p.s.
Sorry for my bad English
Don't attempt to replace the chip with a soldering iron. You need someone with a dedicated SMT rework station that can handle BGA devices. (this chip is a VFBGA according to the datasheet).
Even then, it may not boot at the end of it... Be prepared to have a bricked phone... On the other hand, if it works, you may be able to make a buisness out of selling 32GB Nexus 7's until Google/LG makes them....
Basically, it's not something an end user could do.
Ok, so since is a BGA device, reballing and reflowing should do the trick.
I know that is something that an end user shouldn't do...but give it a try should be nice...of course i would not go straight for the replacement on the n4, i will start with something else before.
Installing it is one thing, it's getting the important stuff on there that is the problem.
It's not a case of just fastboot flash, since there are more partitions than that.
Plus you need fastboot to be there in the first place, JTAG would probably cover that, but the rest? God knows.
Yeah..that's my problem afterall...i mean..put the chip on that is kinda fine..i mean i do this on notebooks so i'm used to reballing and stuff.
But the OS thing is going to drive me mad...meh..need to figure out how to do that!
Just don't do it. You're gonna regret it. Laptops is one thing but a cellular device is another. Chips are way smaller and complicated. It's not as easy as you may think.
But it's your phone, you can do whatever you like to it.
This is retarded. You realize those connectors are so small it requires machines worth millions of dollars to attach and connect. Might as well use some Elmer's glue or a hot glue gun if you're gonna do it yourself, or hey maybe even some ear wax, you'll get the same result.
Ok, nevermind.
I'll do some tests with my machine and some old crappy phone...u never know what is going to happen..lol
Tnx anyway guys!!
Everyone else here is an unambitious ass
DragGuardiano said:
Ok, nevermind.
I'll do some tests with my machine and some old crappy phone...u never know what is going to happen..lol
Tnx anyway guys!!
Click to expand...
Click to collapse
Dude you shouldn't let people detour you, soldering chips is not that hard and the size of the chip doesn't really make a difference for BGA most of these guys probably have never soldered a BGA chip in their life so how would they know how hard it is. I would suggest that you practice on some old pcs or an old game system that you dont care about. the hard part about this would be getting your hands on the new chip (and weather or not it is pre-balled because re-balling is a *****), from what I can tell toshiba only will sell the chip in a minimum quantity of 5 chips per order so if all goes well you may be able to charge people to upgrade their nexus 4s.
People are to scared now-a-days to get their hands dirty and take risks to get what they want and I commend anyone willing to put in the time, learn a new skill, and get what they want even though no one will just give it to them.
I hope you decide to do this anyway.
PS. The bootloader/recovery should be a separate memory module all together and should still exist when the chip is replaced, so if I had to guess i would say that you could just flash a new rom assuming your bootloder is unlocked and the chip comes pre-formatted.
Everything is held on the eMMC chip, nothing is separate.
This whole issue with the Sprint variant of the LG G3 lacking a viable root method has me extremely pissed off.
Not at Sprint or LG. I recognize that it's not in their best interest to make or sell phones that can allow root access with a simple button press. The damage that the average phone user could do would bring their tech support services to a standstill.
Of course, I'm not pissed at the XDA developers. Most of these guys do it for the challenge, and it's not a cheap hobby. Throw in minor distractions like jobs and family issues, and it's easy to understand why they don't jump when people demand that they throw their undivided attention at a device that they may or may not ever really use.
No... I'm pissed at myself. I'm annoyed at my lack of initiative, as I sit around watching the weeks roll by waiting for someone to find a solution to a problem I may be capable of solving. Don't get me wrong... I'm no rocket surgeon who thinks I can do whatever I want through sheer will power. I respect and appreciate the difficulty of developing in the Android ecosystem. But, I also realize that all these developers started somewhere, and all it took to start the ball rolling was the desire to make devices do exactly what they wanted.
Back about 25 years ago, MAME was in it's infancy (it's an arcade game emulator... look it up). I was hoping that someone would make a decent full-size MAME cabinet that would accurately simulate the look and feel of an actual arcade game. After a year of waiting, I lost my patience. I bought a donor cabinet, reverse engineered a front-end that I thought showed promise, and started reading... A LOT. It took a lot of soldering, and trial and error but I ended up with something that I felt was better that anything I'd seen previously. In hindsight, it kinda sucked, but 6 versions later I had a polished arcade emulator that I still own and it's a proud centerpiece of my rec-room. The point of this in not to blow my own horn, but to illustrate that with the right initiative and ability to perform a Google search I could make something that I wanted without having to rely on others. Granted, I did have to rely heavily on the countless people who took the time to document their own technical experiences, but they put it out there for a reason.
I don't expect everyone to follow my lead, but I'm hoping to possibly light a fire under a few people who might have felt the occasional urge to get under the hood of their Android device. If anyone can point me toward a good starting point for developer education, I'd be greatly appreciative. I'm dying to get going on this, and I realize that there will be a root method for my phone looooong before I can even tweak the most elemental code. BUT... I'm hoping that I might be able to help myself and others when I buy my next device, and I challenge anyone who's managed to read all of this novel to do the same.
Might want to fix that ENTER key first.. Your message is good but I have this image of someone frothing at the mouth with the rambling and lack of structure.
I think things like ROOT and bootloader unlocks are a bit beyond the casual hacker these days though.
RHall1340 said:
I think things like ROOT and bootloader unlocks are a bit beyond the casual hacker these days though.
Click to expand...
Click to collapse
For the most part, yes. But the exploit that allows root via PurpleDrake is so simple I bet even I could have connected the dots if I had known about the alternate recovery. It was essentially an open door. Of course, I have the benefit of hindsight and I'm still just speculating because I understand how that method works as far as what adb would show about which directories were mounted RW. Knowing what was actually going on in that environment regarding the backup service and how the temp directory was handled by the recovery system took somebody with deeper knowledge and the means to analyze the system behavior.
jcase said himself that he's invested thousands of dollars in hardware that let's him do exactly that, not to mention the hours he and others put in. Like you said, vulnerabilities are getting harder to find with every release, patch, update, etc. And I'm just talking about getting enough access to the file system to slip in the su binary. I don't even know how one could attack the bootloader.
Sent from my LGLS990 using XDA Free mobile app