Related
Hallo everyone,
to unlock the bootloader on the P8 lite is a individual code necessary and I'm asking me, if is possible to change the code. Has everyone information about the encryption methods of the Stock bootloader? I'm currently waiting for my code to unlock the bootloader and root the device.
Thanks and best regards,
Pucciano
We mentioned a few times before, you don't have to wait for the response. I sent my email to them about 1 month ago, still no reply.
This is only works for the ALE-L21 model, by the way:
Get this program, and extract it somwehere, then open it.
In the program, select HUAWEI C8812 and enter your IMEI. It'll give you a Product ID. Copy that ID.
Now open this site, and fill it out:
-Type: Smart Phone
-Model: HUAWEI C8812
-Serial: Settings->About phone->Status scroll to bottom.
-IMEI: Settings->About phone->Status scroll to bottom.
-Product ID: the one, you've generated a moment ago.
-Verification code: as shown on the picture.
Thats it. You should get your code instantly, if your press Submit.
I know, but for the online tool is a mobile Account necessery and don't work with an email regretted Huawei ID. And only a couple of Asia country's ar supported. I try some free SMS receive services but there numbers are consumed (only two codes in 6 months) I have to wait if one of them get free or order an Hong Kong prepayed SIM card. But my question is, it's possible to change the code or bypass it? Thanks
I wasn't able to register either, but the social login via Facebook works just fine. Give it a shot login with your Google+ or Facebook account, it should let you in.
Okay, i don't know that's possible with an Social media account. I try this today's evening. Back to my core question: If I get the Code, if is possible to change it?
Thanks Ante
I think it's not possible to change it without unlocking your phone at least once, but after unlocking, you'll not need the code again, so there's no point in changing the code at all.
The bootloader will remain unlocked, and I haven't found a way to relock it again.
I tried these commands:
Code:
fastboot oem lock 16digit_code_here
AND
fastboot oem relock 16digit_code_here
Sadly non of them worked.
Okay, i copy that but I think it`s sounds bad. I only open the bootloader of an device to root it or to install a custom ROM. After I finished my work I close it to prevent hijacking or bypass my device encryption keys. Btw I have only use nVidia Shield Tabs and there are Dev friendly. At the point when you open the bootloader all data is wiped! Is this on all Huawei device? I think I looking for a new device. The new Lumia 950 sounds good, but Windows? I hope there are possible to open the bootloader and install Android with an custom Kernel ?
For bussiness use I only recommend Microsoft phones or iPhones. These are well protected all round, almost with no customization options and the system works so well by default you don't even need it at all.
For personal use, I recommend Android. The most customizable OS nowadays.
As I said, my bootloader is unlocked, and I was afraid to lose all my data as well, but everything was in place after the unlock.
The Huawei crew is pretty developer friendly, I think. They put out the kernel sources, made the bootloader unlockable via the site(yes, it's not fully functional, but hey )
I've had a S3 mini before this and we had to beg for Samsung to release some drivers in order to get CM11 working fully.
I don't trust Microsoft in this case. A whole OS for free as a upgrade? Come on, realy? There are much more behind the scene as you and i can see. Windows 10 talk a lot with unknowen Servers. Try it yourself: Install Win 10 as a VM, disable all settings in the privacy settings and capture all with Wireshark. You see a lot of encrypted connections to unknowen (by RIPE, not Microsoft) IP addresses. Apple earn his profit with selling hardware, Google with seling Ads based on user Data and Microsoft with seling Software. I like the hardware of the 950, but it be only usefull for me when i can install any linux based operating system.
But enough oftopic
I have give away my Huawei P8 lite and looking around for a new one, but out there is not "my perfect" device.
I remember, reclosing and changing bootloader code are (currently) not possible.
Thanks for the conversation daviddosa
after 7 weeks of experience of using htc android with a htc 626 a32_ul Europe phone , thinking that android os was an open os i thought it would be easy to root hardware to enable full access to hardware that is available to me, but what do i find but some additional security s-off system to protect me from malware attacks to my system, but find that other than paying for some third party offer from sunshine , i am not able to take total control of my system with personal password protected superuser control, instead i am left open to single click offers of rooted device that offer rooting roms with conditions to supply info that gives rise to weekley charge for special offers to mobile service provider or get data passed to landlines for special offers to update my service, also due to searching for methods to root phone , i inherited a virus form of kinguser_su that i am unable to remove without custom rom or rooted device so now i have phone which is open to abuse from some foreign invader using kinguser su or pay extra to sunshine to make full use of my phone, i have paid for phone upfront open to use on any 4g provider, but without ruu to clean my system from this kinguser su im stuck in limbo until i gain ruu for my device or find custom rom to gain full su control of my device, if i had known this before i would just brought a samsung device that was more open to being rooted.
no replies doesn't anyone reliese that without s-on , it would be simple case to unlock boot-loader get developer privileges and gain root access then u have full control of your hardware, but no htc leaves us owners subject to highwayman cyber terrists of makers of sunshine to make gaining superuser acccess to our hardware, i would rather have control of my super user access to my hardware with my own personal password than have some some third party able to control my superuser access to my hardware, i want my hardware protected by my own password system than by some s-on system that is already able to be broken if u pay for it.
what is my point here
1 ) we as owners of the hardware we have paid for should have full use of the hardware we paid for and use our own password for protection with the help of s
_on or s_off service,
2) we as owners have no right to make use of our hardware, and the makers of our phone are allowed to make hardware that isnt able to be protected from others, unless we pay a third part to gain access to superuser control. (ie sunshine)
just answer 1 or 2 will be fine for stat test feelings of users of htc phones.
S-Off will only give u full software access to radio and h-boot files that are not writable if your s-on. And you can still root and have supersu with s-on. If all HTC phones came with s-off, than noobs will try and experiment and hard brick their device for messing with files they shouldn't have mess with in the first place.. Especially if you're not a professional developer and an encoder for HTC devices.
Dont listen to my post I made a mistake kdayyy will help you.
f1tzg3r4ld said:
The RUU was available for my phone at the HTC Dev website. Just select your phone in the settings on top. I downloaded it installed C++ 2008 redistribute-able package for my version of windows for the RUU to work properly and was able to fix my soft bricked phone. S-Off only gave me more access and ability to change phone settings and use my sd card for installation of apps to SD. If u need any help getting the RUU to fix your phone or help rooting your phone I will be willing to help you but i suggest searching the forums as I was able to find every resource I needed. Also check out lookout security that comes on these phones it can scan and remove malware. And as always Make sure you have a backup of your phone before trying to do anything such as rooting or s-off. If something goes wrong you can just reinstall the backup and be fine. Also sunshine is available for these phones and i have used it on my desire 610 and it worked great and was easy to do.
Click to expand...
Click to collapse
You can do all that without s-off, what are u talking about? And your link directs to kernel source code and binaries for anyone that wants to build for 626s device. The OP has a European model 626s and as of right now HTC devs don't have RUU for it. Dude is stuck until someone from Europe build a rom for a32_ul or HTC comes out with a RUU for a32_ul and he would have to match his carriers firmware also.
i have made copy of htc a32_ul android 5.1 android qualcomm 410 chipset system directory, i have treid almost every way i can think to make a system.img file to make emulator so to then make a twrp recovery.img , and tried everything i can to cook such file, but without success, i can upload copy of system file for anyone to use, i just want a working system.img file to work with to make a recovery.img, or some sort update.zip that give me access to root commands to this phone.
all i have is copy of the system directory., and can copy any other files now that needed from phome that needed to make system.img or update.zip, but dont know how at moment to continue without help or i flucik it out some time
any help i be glad of thanks
regards frankgambit
You are right I posted the wrong link. Removed post, had several windows open.
LG G5 VERIZON VS987
Unofficial bootloader unlock
In-Progress
This is a project to disassemble and rebuild an unlocked aboot that passes the sbl loader test, thus allowing installation of custom kernels, read/write access to system, TWRP recovery, and custom ROMs. You can follow the progress or ask questions about it here, or offer your help to make my life a little easier. Donations help, too, especially to maintain the machine these VMs and tools run on.
PHASE 1 - RAMDISK EXTRACTION: DONE
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
PHASE 3 - CERTIFICATE EXTRACTION: IN-PROGRESS
Extracting and parsing the PCS data. It's needed for verification by the sbl to avoid security fail when booting a modified aboot.
PHASE 4 - UNLOCKING NEEDS DONE
Re-coding aboot to accept a bootloader unlock, and access to fastboot.
PHASE 5 - RECOMPILATION AND TESTING (ABOOT)NEEDS DONE
Re-building the aboot binary and testing it.
PHASE 5 - LITTLEKERNEL AND SYSTEM ACCESS (BOOT)NEEDS DONE
Puling apart stock kernel, grabbing needed modules, disabling SELinux and dmverify.
Analysing system image, removing boot-time LG security checks, applying root.
PHASE 6 - TWRP BUILD (RECOVERY) NEEDS DONE
Building user-friendly recovery image.
PHASE 7 - BUILD TOT FILE NEEDS DONE
Package it all into an LGUp Flashable TOT and release.
If you would like to help with this project, please make yourself known.
If you would like to donate to show thanks, the button is underneath my name or in my profile.
If you have a comment or can leave documentation or advice, do so below
Nice.. Hoping for the best
LupineDream said:
LG G5 VERIZON VS987
Unofficial bootloader unlock
In-Progress
This is a project to disassemble and rebuild an unlocked aboot that passes the sbl loader test, thus allowing installation of custom kernels, read/write access to system, TWRP recovery, and custom ROMs. You can follow the progress or ask questions about it here, or offer your help to make my life a little easier. Donations help, too, especially to maintain the machine these VMs and tools run on.
PHASE 1 - RAMDISK EXTRACTION: DONE
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
View attachment 4016279
View attachment 4016280
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
View attachment 4016278
PHASE 3 - CERTIFICATE EXTRACTION: IN-PROGRESS
Extracting and parsing the PCS data. It's needed for verification by the sbl to avoid security fail when booting a modified aboot.
PHASE 4 - UNLOCKING NEEDS DONE
Re-coding aboot to accept a bootloader unlock, and access to fastboot.
PHASE 5 - RECOMPILATION AND TESTING (ABOOT)NEEDS DONE
Re-building the aboot binary and testing it.
PHASE 5 - LITTLEKERNEL AND SYSTEM ACCESS (BOOT)NEEDS DONE
Puling apart stock kernel, grabbing needed modules, disabling SELinux and dmverify.
Analysing system image, removing boot-time LG security checks, applying root.
PHASE 6 - TWRP BUILD (RECOVERY) NEEDS DONE
Building user-friendly recovery image.
PHASE 7 - BUILD TOT FILE NEEDS DONE
Package it all into an LGUp Flashable TOT and release.
If you would like to help with this project, please make yourself known.
If you would like to donate to show thanks, the button is underneath my name or in my profile.
If you have a comment or can leave documentation or advice, do so below
Click to expand...
Click to collapse
Nice to know there is people working on an unofficial bootloader unlock for the lg g5 good job !
I would also like to ask a question if you don't mind : once done, does this variant of the g5 is similar enough to some variants to be able to "port" the unlock or the approach is too specific to the variant ?
Im currently grabbing a more android build-friendly release of Xenial. Google does not support building from a x86 OS. When I tried to git the "official" google toolchain in consideration of doing things 100% correct in a VM, I ran into the dreaded "x86 build host unsupported" problem. The VM host I am grabbing is here: https://forum.xda-developers.com/chef-central/android/guide-how-to-setup-ubuntu-16-04-lts-t3363669 I am going to need the google build source for the kernel, plus the makefiles for the generic arm v7a neon arcitecture. Best do it all the right way instead of having to re-do it all later.
In the meantime, I am cramming some thumb-2 tutorials. La la la~
nalf3in said:
Nice to know there is people working on an unofficial bootloader unlock for the lg g5 good job !
I would also like to ask a question if you don't mind : once done, does this variant of the g5 is similar enough to some variants to be able to "port" the unlock or the approach is too specific to the variant ?
Click to expand...
Click to collapse
I'd have to check the aboot and boot / kernel to see if there's any major differences. Since this is a direct aboot disassembly, it's varient specific, but I will surely be checking if the approach can be applied to different varients' booters via scripting or some such thing. It would mean coding of a patchfile and a TOT builder, adding an entire extra level of complexity, but I'll get to your answer as soon as I have finished with this model.
Howdy there,
Looks like you're attempting to modify an element in the Qualcomm Secure Boot chain (aboot in this case) - unfortunately what you're trying to do won't work.
I don't want to rain on your parade here, or discourage you from learning something for the sake of learning it but simply modifying a component of the boot stack by recompiling it and slapping the same signatures on it isn't possible.
I'd recommend you take a look at any of the awesome posts on XDA about how the Secure Boot 3 (is there a newer version?) process works as you'll see that each step in the boot process (pbl -> xbl -> {tz, rpm} -> aboot) is verified using RSA public/private key signatures.
You won't be able to simply extract the certificate chain from the old aboot (LK) image and append it to your source-built LK, as the hash embedded in the certificate chain won't match the computed hash of the LK application.
Your next thought would be "what if I could find where the validation function is called and replace it?", but you'll find that each step in the boot process calls TrustZone's secureboot verification functions which rely on data stored in qFuses.
Even then, the function TrustZone itself calls is actually provided by PBL and is burned into the chip itself.
Essentially, the path you're trying to take is one that Qualcomm has thoroughly hardened the boot process to protect against.
I'm not trying to discourage you from learning, since doing this sort of reverse engineering is very fascinating and a fun learning exercise - I just want to let you know that if you try to flash a modified aboot image that you'll end up with a brick (and no way that I'm aware of to recover short of soldering up some UFS lines and reflashing like that since iirc even JTAG is disabled now and we lack signed programmers for USB recovery).
Check out one of the Secure Boot PDFs that are available on Google/XDA and you should see what I mean.
Best of luck to you, and happy learning!
LupineDream said:
(Attachment 2 & 3): I have extracted the ramdisks from the KDZ bin data. I have the ramdisks and accompneying kernel files in tar files.
View attachment 4016279
View attachment 4016280
PHASE 2 - TARGET DISASSEMBLY: DONE
(Attachment 1): I have disassembled the ELF binaries. objdump is sloppy, but I was able to get to the branch instructions and find my offsets for each subroutine. I also located the factory signature data for verification by sbl.
View attachment 4016278
Click to expand...
Click to collapse
Like thecubed said, by flashing a modified aboot you'll brick the device, but the fact that you figured out how to extract the aboot image is EXTREMELY impressive! If you wouldn't mind it would be very helpful if you make a guide on how you did that or if you could post your extracted aboot files that would be much much appreciated An insight on how aboot for the G5 works would be something very nice to have
thecubed said:
Howdy there,
Looks like you're attempting to modify an element in the Qualcomm Secure Boot chain (aboot in this case) - unfortunately what you're trying to do won't work.
I don't want to rain on your parade here, or discourage you from learning something for the sake of learning it but simply modifying a component of the boot stack by recompiling it and slapping the same signatures on it isn't possible.
...
[ removed in quote ]
...
Best of luck to you, and happy learning!
Click to expand...
Click to collapse
Thank you for the inspiration. The task has been a thorough crash-course in arm v7a NEON Cortex technology and thumb-2 assembler. I was concerned when I saw the TrustZone documentation from ARM and the ACEP (Arbitrary Code Execution Prevention) stack. Your mention of qfuse brings back memories of the Samsung "Golden Routines" folly.
Unfortunetly I wasn't a backer of the Raspberry PI, but there are other PCBs with GPIO pins. My reason for mention this is the JTAG connundrum you mentioned. It is null and void to a soldering gun, a few resisters ($2-$3, and the on-chip ARM debugging interface included in most integrated ARM chipsets. PCBs that run Linux with a GPIO pin array are the cheapest and most flexable solution to an expensive piece of lab / R & D equipment (JTAG), and the impact on the bank account is a fraction of what it would cost the end-consumer.
Hash collisions and backprop neural nets. What? OK, I'll explain. Most reverse engineering begins with monitoring the usual operation of the device as you are aware. Approach 1 involves training a backpropping neural network to recognize (within a reasonably less amount of computation) a hash collision. Of course, you aren't going to be getting to these pre-coded hashes without breaking the RSA chain (thats 100 zeros O__O ) , this is fixed by monitoring the debug interface we both mentioned earlier, at power-on. ARM processors work such that they cannot do DMAC (direct memory access computation), so the values need to be pushed into registers and acted on as plain byte, then pushed back to memory. Sniff, find out what's coming to/from the qfuse memory bus area into registers, dump the data, and you'll have your root CA with luck. You'll be looking for the in operand, that is, the one that is to be acted on in the cipher that is incoming from qfuse. Cycle-timing to ignore the rest of the computations for this byte, you're basically waiting until qfuse pushes the next byte of its keys into a register and grabbing it in the same cycle the instruction is working on it.
That said, with a $100 and a soldering gun and a laptop, you have your RSA key direct from CPU memory via the debug interface. After you've got your root CA, would it be feasable to start decrypting the intermediate CA chain for each component of boot until you get the hash? In theory this should work without brute-force, but a lot of time in a code window and with an oscilliscope. Once you've had the decrypted hash, you can begin to look for a hash collision. There are open source tools that will find hash collisions in an hour or less using neural nets. Write an aboot that complies to this hash collision, flash it, and qfuse will not be able to tell the difference.
Thats my theory on exploiting the fact ARM needs to do its computations in an area that is accessable to the debug interface. Of course my theory falls apart if the TrustZone chipset has its own processor.
Honestly Annoying said:
Like thecubed said, by flashing a modified aboot you'll brick the device, but the fact that you figured out how to extract the aboot image is EXTREMELY impressive! If you wouldn't mind it would be very helpful if you make a guide on how you did that or if you could post your extracted aboot files that would be much much appreciated An insight on how aboot for the G5 works would be something very nice to have
Click to expand...
Click to collapse
I'd be okay with writing such guide as long as it followed community guidelines. I should not be posting disassembled code and analysis if it's against the rules to do so. If a mod could clear this for me....
After searching around I located the true specs for the G5. It's a Snapdragon 820 SoC. It runs the new ARM v8A instruction set.
More detailed information here -> http://www.tomshardware.com/reviews/snapdragon-820-performance-preview,4389-2.html.
More specifically, it's on the msm8996 platform: http://system-on-a-chip.specout.com/l/1170/Qualcomm-Snapdragon-820-MSM8996
Phones with this arcitechture: https://www.kimovil.com/en/list-smartphones-by-processor/qualcomm-snapdragon-820-msm8996
Xiaomi Mi5 has official bootloader unlock via a tool (reverse engineer to work with our platform?)
HTC 10 bootloader on certain models can be oem-unlocked.
Lenovo ZUK Z2 bootloader can be oem-unlocked
LG V20 bootloader can be oem-unlocked, and is the closest in hardware to our G5!
Perhaps stealing a kernel and boot from a similar varient that allows it, signing it with our key, hash-matching it? It all runs on the same platform with the same instruction set. Most of these phones have unlockable bootloaders.
I'd say the best target would be that unlock tool by Xaoimi. Its usually the third party vendor's tools you can find the biggest security holes in. xD From their documentation, it isn't an "enable OEM unlock" switch in Developer Options used to enable the unlock, the tool itself actually works on the bootloader. Perhaps the tool uses a feature of the MSM8996 we aren't aware of. It's worth looking into.
LupineDream said:
Thank you for the inspiration. The task has been a thorough crash-course in arm v7a NEON Cortex technology and thumb-2 assembler. I was concerned when I saw the TrustZone documentation from ARM and the ACEP (Arbitrary Code Execution Prevention) stack. Your mention of qfuse brings back memories of the Samsung "Golden Routines" folly.
Unfortunetly I wasn't a backer of the Raspberry PI, but there are other PCBs with GPIO pins. My reason for mention this is the JTAG connundrum you mentioned. It is null and void to a soldering gun, a few resisters ($2-$3, and the on-chip ARM debugging interface included in most integrated ARM chipsets. PCBs that run Linux with a GPIO pin array are the cheapest and most flexable solution to an expensive piece of lab / R & D equipment (JTAG), and the impact on the bank account is a fraction of what it would cost the end-consumer.
Hash collisions and backprop neural nets. What? OK, I'll explain. Most reverse engineering begins with monitoring the usual operation of the device as you are aware. Approach 1 involves training a backpropping neural network to recognize (within a reasonably less amount of computation) a hash collision. Of course, you aren't going to be getting to these pre-coded hashes without breaking the RSA chain (thats 100 zeros O__O ) , this is fixed by monitoring the debug interface we both mentioned earlier, at power-on. ARM processors work such that they cannot do DMAC (direct memory access computation), so the values need to be pushed into registers and acted on as plain byte, then pushed back to memory. Sniff, find out what's coming to/from the qfuse memory bus area into registers, dump the data, and you'll have your root CA with luck. You'll be looking for the in operand, that is, the one that is to be acted on in the cipher that is incoming from qfuse. Cycle-timing to ignore the rest of the computations for this byte, you're basically waiting until qfuse pushes the next byte of its keys into a register and grabbing it in the same cycle the instruction is working on it.
That said, with a $100 and a soldering gun and a laptop, you have your RSA key direct from CPU memory via the debug interface. After you've got your root CA, would it be feasable to start decrypting the intermediate CA chain for each component of boot until you get the hash? In theory this should work without brute-force, but a lot of time in a code window and with an oscilliscope. Once you've had the decrypted hash, you can begin to look for a hash collision. There are open source tools that will find hash collisions in an hour or less using neural nets. Write an aboot that complies to this hash collision, flash it, and qfuse will not be able to tell the difference.
Thats my theory on exploiting the fact ARM needs to do its computations in an area that is accessable to the debug interface. Of course my theory falls apart if the TrustZone chipset has its own processor.
I'd be okay with writing such guide as long as it followed community guidelines. I should not be posting disassembled code and analysis if it's against the rules to do so. If a mod could clear this for me....
Click to expand...
Click to collapse
Hello again!
Regarding your points:
JTAG is disabled on most production devices, as in 100% inoperable. No amount of soldering will enable it. I'm sure there are some exceptions to the rule, but in this case I'm fairly confident in saying that the JTAG interface on the G5 is unusable.
...even if JTAG was enabled, the Qualcomm Secure Boot stack is designed to protect itself from the exact type of attack you're describing here. The component of TrustZone that is doing the verification of boot images is not running in anything that is JTAG-accessible, and to my understanding it's not even running in the main ARM core.
Re: hash collisions and neural nets... What you're describing sounds neat in theory, but in application (again, to my knowledge) won't work. I suggest you read up on how RSA works.
RSA is public/private key cryptography - in this case, the certificates contained on the phone are the public component, and LG/Qualcomm are the only ones with the private component. "Extracting the CA" will yield the public portion that is only useful for verifying signatures, not signing them.
The only way you'd be able to sign anything and have the phone trust it is to either a) replace the CA on the phone (not possible, it's burned into qFuses) or b) obtain the private component of the CA or any of it's subsidiaries (also burned into qFuses)
CA chains aren't encrypted, they're just a list of things that the device will accept a signature for. In our case it's Qualcomm as the Root CA, then LG as an intermediate (and possibly a few other intermediates to allow OTA updates to come from differing builders/engineering teams within LG). Again, extracting the 'hash' of a CA will do no good here, as there's no meaningful collisions that can be generated and still be a valid boot image. I'm not the best person to explain RSA in depth, so I'd really recommend doing some further research on it.
LupineDream said:
After searching around I located the true specs for the G5. It's a Snapdragon 820 SoC. It runs the new ARM v8A instruction set.
More detailed information here -> http://www.tomshardware.com/reviews/snapdragon-820-performance-preview,4389-2.html.
More specifically, it's on the msm8996 platform: http://system-on-a-chip.specout.com/l/1170/Qualcomm-Snapdragon-820-MSM8996
Phones with this arcitechture: https://www.kimovil.com/en/list-smartphones-by-processor/qualcomm-snapdragon-820-msm8996
Xiaomi Mi5 has official bootloader unlock via a tool (reverse engineer to work with our platform?)
HTC 10 bootloader on certain models can be oem-unlocked.
Lenovo ZUK Z2 bootloader can be oem-unlocked
LG V20 bootloader can be oem-unlocked, and is the closest in hardware to our G5!
Perhaps stealing a kernel and boot from a similar varient that allows it, signing it with our key, hash-matching it? It all runs on the same platform with the same instruction set. Most of these phones have unlockable bootloaders.
I'd say the best target would be that unlock tool by Xaoimi. Its usually the third party vendor's tools you can find the biggest security holes in. xD From their documentation, it isn't an "enable OEM unlock" switch in Developer Options used to enable the unlock, the tool itself actually works on the bootloader. Perhaps the tool uses a feature of the MSM8996 we aren't aware of. It's worth looking into.
Click to expand...
Click to collapse
Bootloaders for other phones will not work on our phone, as of course it'll fail the Secure Boot check.
Bootloader unlock tools for other phones will not work because they're relying on manufacturer specific unlock code that's compiled into aboot (LK). Qualcomm's CAF version of LK doesn't include any unlock code checking functionality, so most manufacturers add that themselves.
LG, in this case, is not even including the code for a bootloader unlock in the US model bootloaders. If you're familiar with C, essentially LG has `#ifdef`'d the entire section of code out (including fastboot).
The V20 bootloader does indeed contain oem-unlock code, but Secure Boot will prevent you from flashing the V20's bootloader (even if it magically was code-compatible with the G5) because Secure Boot checks the hardware ID that's burned into qFuses.
This means, to add a bootloader unlock, you'd have to modify aboot, which can't be done because of Secure Boot. Secure Boot components can't be modified because of RSA, and the RSA verification can't be altered because the keys are burned into qFuses.
thecubed said:
Hello again!
Regarding your points:
JTAG is disabled on most production devices, as in 100% inoperable. No amount of soldering will enable it. I'm sure there are some exceptions to the rule, but in this case I'm fairly confident in saying that the JTAG interface on the G5 is unusable.
...even if JTAG was enabled, the Qualcomm Secure Boot stack is designed to protect itself from the exact type of attack you're describing here. The component of TrustZone that is doing the verification of boot images is not running in anything that is JTAG-accessible, and to my understanding it's not even running in the main ARM core.
Re: hash collisions and neural nets... What you're describing sounds neat in theory, but in application (again, to my knowledge) won't work. I suggest you read up on how RSA works.
RSA is public/private key cryptography - in this case, the certificates contained on the phone are the public component, and LG/Qualcomm are the only ones with the private component. "Extracting the CA" will yield the public portion that is only useful for verifying signatures, not signing them.
The only way you'd be able to sign anything and have the phone trust it is to either a) replace the CA on the phone (not possible, it's burned into qFuses) or b) obtain the private component of the CA or any of it's subsidiaries (also burned into qFuses)
CA chains aren't encrypted, they're just a list of things that the device will accept a signature for. In our case it's Qualcomm as the Root CA, then LG as an intermediate (and possibly a few other intermediates to allow OTA updates to come from differing builders/engineering teams within LG). Again, extracting the 'hash' of a CA will do no good here, as there's no meaningful collisions that can be generated and still be a valid boot image. I'm not the best person to explain RSA in depth, so I'd really recommend doing some further research on it.
Bootloaders for other phones will not work on our phone, as of course it'll fail the Secure Boot check.
Bootloader unlock tools for other phones will not work because they're relying on manufacturer specific unlock code that's compiled into aboot (LK). Qualcomm's CAF version of LK doesn't include any unlock code checking functionality, so most manufacturers add that themselves.
LG, in this case, is not even including the code for a bootloader unlock in the US model bootloaders. If you're familiar with C, essentially LG has `#ifdef`'d the entire section of code out (including fastboot).
The V20 bootloader does indeed contain oem-unlock code, but Secure Boot will prevent you from flashing the V20's bootloader (even if it magically was code-compatible with the G5) because Secure Boot checks the hardware ID that's burned into qFuses.
This means, to add a bootloader unlock, you'd have to modify aboot, which can't be done because of Secure Boot. Secure Boot components can't be modified because of RSA, and the RSA verification can't be altered because the keys are burned into qFuses.
Click to expand...
Click to collapse
So in this case, what would be the next image in the stack that would allow any kind of modifications? Should I be looking at boot.img instead? Would there be a method of tricking the signed and secure boot chain into believing what it sees isn't executing as root?
had been looking through some old methods of root, like causing a boot error by zeroing laf or flashing over it, causing the bootloader to drop you into fastboot, booted securely from there you could call a kcal perameter of the stock kernel that allowed a sort of debugging mode with systemwide root. That exploit was in the G2 era, and how that device obtained root.
I've seen a method that causes Knox to lock up on some Samsung devices by overloading its memory addresses or repeatedly zeroing certain bits of RAM.
I'd really need to find out what method works. If you can't make any modification, maybe there's a workaround to make it THINK everything is legit beyond the boot chain.
aboot decription
Ok I have been working on an lg g5 vs987 myself and I got to the recoding the aboot part and was totally lost its all encrypted and I have no idea where to start to even see what the code is really saying I am new to this website and I am also new to coding on android if you can guide me in the right direction I might be able to help. I have always dreamed of being a part of a development like this and now I might have a shot. Thank you so much for your work and I hope to hear from you soon!
alphawolves said:
Ok I have been working on an lg g5 vs987 myself and I got to the recoding the aboot part and was totally lost its all encrypted and I have no idea where to start to even see what the code is really saying I am new to this website and I am also new to coding on android if you can guide me in the right direction I might be able to help. I have always dreamed of being a part of a development like this and now I might have a shot. Thank you so much for your work and I hope to hear from you soon!
Click to expand...
Click to collapse
Dissembling and recoding aboot wont work no matter even if it is not encrypted..
It is already mentioned above by @thecubed ..
The secure boot will always verify the signature and dissassembly will generate no signature.
We need to find the private keys used for generating the public hash.. but that is not possible unless leaked from lg which is also very unlikely..
What a hacker can do is find a bug/vulnerability in aboot that can bypass secureboot..or a hardware loophole..
Plus there is a trustzone that itself secures the secureboot process.. so we have to find ways to exploit the bootchain so that we can somehow make the bootloader load unsigned ramdisks/recovery and such..
experienced people could do it.. but i guess there has been a lot of fuss between devs and wannabees..
Also if we can get debug build of aboot/ramdisk we can flash them to get unlock or at the very least root..
I am not expert on this but that how its simply put
A brave member sent me a very useful PDF specification on the TSF. The TSF is the official name for the portion of the integrated circuitry that controls the storage of the secure boot chain. The hardware routines are there to allow root to happen, but as stated before by @thecubed, LG commented out the entire section of a boot at compile time that allows anything to occur. Now the approach is to disassemble HOW the code that LG commented out works in the international variant that has an OEM unlock. Hardware routines exist that place the TSF into non-commercial mode, disabling functionality of certain enterprise software and deauth-ing the root CA in qfuse, allowing the user to flash their own signing certificates to the TSF (TrustZone) when a request to switch off CC mode is sent. There are all kinds of virtual memory protections, ACE protections, malicious code protections, and other things that the TSF handles. Trying any kind of unauthorised write to protected areas of memory results in blow of qfuse write fuse. It's actually a physical microscopic fuse that when pushed a specific voltage pops at a microscopic level kind of like a big fuse blowing only at a very tiny level. At this point write access anywhere is gone. This happens at the same time a full wipe of the system happens. That is why they say once qfuse blows your phone becomes a very expensive cup holder. Because after the qfuse blows there is no way of software recovery.
The only way to be able to disable commercial (CC mode) and be allowed to do anything to put your own boot chain in is to place the device in debug mode. The international varient contains code how to accomplish this, our devices don't. You would need to compile an app that runs in normal mode, causes a flag to be set that places the device into debug mode, then reboot. While in debug boot, you should be able to execute a CC unlock manually. The PDF I got says it's very specifically timed when this can happen, what parts of boot the TSF allows it to happen, and a rough explanation if what disabling CC mode means. The only way of getting root is to use the TSF-approved method but all this code is removed. The TSF does not stop you from executing code if booted into factory debug mode. The new approach I propose is to find an exploit to get into userdebug, and manually write an unlock routine with disassembled information from the international varient., pushing it directly into execution memory while in userdebug, being absolutely sure to give the TSF what it asks for, when it asks for it, at the exact timing for it.
LupineDream said:
A brave member sent me a very useful PDF specification on the TSF. The TSF is the official name for the portion of the integrated circuitry that controls the storage of the secure boot chain. The hardware routines are there to allow root to happen, but as stated before by @thecubed, LG commented out the entire section of a boot at compile time that allows anything to occur. Now the approach is to disassemble HOW the code that LG commented out works in the international variant that has an OEM unlock. Hardware routines exist that place the TSF into non-commercial mode, disabling functionality of certain enterprise software and deauth-ing the root CA in qfuse, allowing the user to flash their own signing certificates to the TSF (TrustZone) when a request to switch off CC mode is sent. There are all kinds of virtual memory protections, ACE protections, malicious code protections, and other things that the TSF handles. Trying any kind of unauthorised write to protected areas of memory results in blow of qfuse write fuse. It's actually a physical microscopic fuse that when pushed a specific voltage pops at a microscopic level kind of like a big fuse blowing only at a very tiny level. At this point write access anywhere is gone. This happens at the same time a full wipe of the system happens. That is why they say once qfuse blows your phone becomes a very expensive cup holder. Because after the qfuse blows there is no way of software recovery.
The only way to be able to disable commercial (CC mode) and be allowed to do anything to put your own boot chain in is to place the device in debug mode. The international varient contains code how to accomplish this, our devices don't. You would need to compile an app that runs in normal mode, causes a flag to be set that places the device into debug mode, then reboot. While in debug boot, you should be able to execute a CC unlock manually. The PDF I got says it's very specifically timed when this can happen, what parts of boot the TSF allows it to happen, and a rough explanation if what disabling CC mode means. The only way of getting root is to use the TSF-approved method but all this code is removed. The TSF does not stop you from executing code if booted into factory debug mode. The new approach I propose is to find an exploit to get into userdebug, and manually write an unlock routine with disassembled information from the international varient., pushing it directly into execution memory while in userdebug, being absolutely sure to give the TSF what it asks for, when it asks for it, at the exact timing for it.
Click to expand...
Click to collapse
Thanks for that post @LupineDream ! I unfortunately doesn't understand most of the things you explained but perhaps I can save you a bit of time (your last post looks like you aren't aware of that exploit but thats maybe only me misundertanding) ; as far as I know the adb root method develloped by @HonestlyAnnoying include a userdebug kernel so (afaik) we already know an exploit to get into userdebug on marshmallow(dirty santa) and the fact that the users needs to run marshmallow shouldn't matter as (afaik) once the bootloader unlocked, the userdebug kernel is no longer needed and it is possible to change it.
Edit: just saw your post on the adb root thread, so I guess you are now aware of the exploit Sorry for the post, I just wanted to be sure you didn't missed it.
nalf3in said:
Thanks for that post @LupineDream ! I unfortunately doesn't understand most of the things you explained but perhaps I can save you a bit of time (your last post looks like you aren't aware of that exploit but thats maybe only me misundertanding) ; as far as I know the adb root method develloped by @HonestlyAnnoying include a userdebug kernel so (afaik) we already know an exploit to get into userdebug on marshmallow(dirty santa) and the fact that the users needs to run marshmallow shouldn't matter as (afaik) once the bootloader unlocked, the userdebug kernel is no longer needed and it is possible to change it.
Edit: just saw your post on the adb root thread, so I guess you are now aware of the exploit Sorry for the post, I just wanted to be sure you didn't missed the exploit.
Click to expand...
Click to collapse
Yes thank you for affirming that, but not to worry, I got it. LG has an sbl module called anti-rollback that prevents flashing older software. If we look at the boot chain:
Code:
recovery
| /------------------ laf (fastboot)
__________________|__|_________________________________________ laf (security fail screen)
/ / / /
pbl -> sbl > aboot > boot (kernel/ramdisk) > system
^ ^
| |
| \-- IS_UNLOCKED and sig_Check()
Anti-rollback
I beleive anti-rollback was updated to a new version that prevents this on Nugout. Correct me if I'm wrong. I've tried every LG hidden menu code I could find to see, but can't even seem to get the hidden menu working... And the reason they did this is because of the worldwide alerts about dirtycow, which affects not only Android, but the whole of Linux, so we need a nogout kernel. A marshmallow kernel with the new anti-rollback would theoretically end up in the red triangle of death.
We need someone that has an engineering model with a userdebug kernel. LG makes you apply. Their program is called "LG GATE", and they are very picky. I think that's what helped out the Sprint community. Someone got a hold of a developer / engineering model with a marshmallow kernel.
Well, I already heard of that strange issue with the hidden menu and I always though it was a code 18 but after googling, it looks like it some carrier potentially disabled it.. Anyway, I can confirm you that the anti-rollback version is still 0 on my h831 running the latest nougat unless the hidden menu is "lying". (And most variant I know except sprint, which did triggered the counter with the update, stayed at their rollback version). I still encounter the same issues most people on nougat experienced with the adb root (wasn't able to get past reboot and needed to flash with uppercut a fresh 7.0 ) so I guess the issue is somewhere else.
Also, if you need any information that is on the hidden menu, feel free to ask me
http://m.imgur.com/gallery/fTwgSUF
Very exciting, gl
finally they are working on it
What about this line in the aboot.bin
(from canadian aboot)
LOAD:0F960100 aBootVerificati DCB " : boot verification skip ",0xA,0
Is there any way to disable boot verification? no need to go with full bootloader unlock.. if it's possible to just disable boot verification, right?
After a bit of playing around the system have found quite a few easter eggs/secret codes inside system APKs of the fire tablets, these code were discovered on Amazon Fire 7 7th gen, but should work on other tablets as well.
Disclaimer: I am not responsible for any bricks, it is up to you to run these commands, but keep in mind that running some of the commands might require you to perform hard reset afterwards.
commands discovered under com.amazon.kor.demo/smali/com/amazon/kor/demo/receiver/SearchCommandBroadcastReceiver.smali:
;demo - demo menu
;enter_demo - alternative demo menu
;exit_demo - alternative demo menu
In most cases running and completing above commands will result in an error, hard reset is required to resolve issues, but there is some success reported by DragonFire1024 when wi-fi is enabled on the device.
commands discovered under
com.amazon.kindle.unifiedSearch/smali/com/amazon/kindle/unifiedSearch/easteregg/EasterEggManager.smali:
;dx - Middleware Debugging tool (com.amazon.dcp).
;usdisablegamma - works only in Devo?
;usenablegamma - works only in Devo?
;oobe - factory reset, similar to shpm.
;usdisableperf - works only in Devo?
;usenableperf - works only in Devo?
;sclnm - ??
;shpm - enter shipmode.
commands discovered under
ReadyNowCore-release/smali/com/amazon/readynowcore/ReadyNowExternalReceiver.smali:
;rn - ReadyNow logging to logcat
Frequently Asked Questions (FAQ):
Q1: How to launch these commands?
A1: Enter them into FireLauncher search field, if it did not work on the opened window select my stuff and then try to search again.
Q2: What is Devo mode?
A2: Amazon devices seem to have three firmware configurations Devo, Prod and PreProd which have different update branches (which seems to work in a similar way as update rings in Windows ecosystem) as well as different security configurations.
Click to expand...
Click to collapse
The finding itself does not lead into anything like root or similar for non rootable amazon devices. However, after spending quite a lot of time looking through the applications I came to an idea that some of these easter egg codes could be modified on rooted devices (and adb pushed) and might lead to something such as bootloader unlock (unlikely though) or maybe discovery of a vulnerability for currently non rootable devices which would allow to root them.
Application of particular interest for such would be com.amazon.device.settings or RemoteSettingsAndroid, which according to its source code should allow switching between different device configurations (Devo, Prod, PreProd) and even might be used to allow firmware downgrades.
But as of the time of this writing it was not possible to kickstart some of the internal Amazon activities due to permission related issues and com.amazon.dcp or Amazon Middleware Debugging Tool was one of them (which requires display ota status and display debug UI permissions), but with the use of easter eggs it was possible to start com.amazon.dcp, so it should possible to start apps such as com.amazon.device.settings and maybe even kick the device into Devo mode, which might allow to do something more.
But as I do not have rootable amazon device maybe someone else would be willing to test the idea.
gabosius said:
The finding itself does not lead into anything like root or similar for non rootable amazon devices. However, after spending quite a lot of time looking through the applications I came to an idea that some of these easter egg codes could be modified on rooted devices (and adb pushed) and might lead to something such as bootloader unlock (unlikely though) or maybe discovery of a vulnerability for currently non rootable devices which would allow to root them.
Application of particular interest for such would be com.amazon.device.settings or RemoteSettingsAndroid, which according to its source code should allow switching between different device configurations (Devo, Prod, PreProd) and even might be used to allow firmware downgrades.
But as of the time of this writing it was not possible to kickstart some of the internal Amazon activities due to permission related issues and com.amazon.dcp or Amazon Middleware Debugging Tool was one of them (which requires display ota status and display debug UI permissions), but with the use of easter eggs it was possible to start com.amazon.dcp, so it should possible to start apps such as com.amazon.device.settings and maybe even kick the device into Devo mode, which might allow to do something more.
But as I do not have rootable amazon device maybe someone else would be willing to test the idea.
Click to expand...
Click to collapse
I don't think an apk can unlock the bootloader. It can't.
savvytechwinner said:
I don't think an apk can unlock the bootloader. It can't.
Click to expand...
Click to collapse
Depends on the platform, as you can see an example of such APK here.
Of course the example I have given is for completely different device and platform, but in concept it is possible and has been done before.
I`m sorry if I created new thread that already exist .
I think, there is the way to unlock bootloader on this device. laginimaineb posted awesome information on blogger a couple years ago and I`m wondering ,if can somebody apply this on xt1528.
I don`t know how to insert link on that post. Try to google first sentence .It is better to read original post.
And i am sorry for my English
Unlocking the Motorola Bootloader
In this blog post, we'll explore the Motorola bootloader on recent Qualcomm Snapdragon devices. Our goal will be to unlock the bootloader of a Moto X (2nd Gen), by using the TrustZone kernel code execution vulnerability from the previous blog posts. Note that although we will show the complete unlocking process for this specific device, it should be general enough to work at-least for most modern Motorola devices.
Why Motorola?
After reporting the previous TrustZone kernel privilege escalation to Qualcomm, I was gifted a shiny new Moto X. However... There was one little snag - they accidentally sent me a locked device. This was a completely honest mistake, and they did offer many times to unlock the device - but where's the fun in that? So without further ado, let's dive into the Motorola bootloader and see what it takes to unlock it.
Setting the Stage
Before we start our research, let's begin with a short introduction to the boot process - starting right at the point at which a device is powered on.
First - the PBL (Primary Boot Loader), also known as the "BootROM" is executed. Since the PBL is stored within an internal mask ROM, it cannot be modified or provisioned, and is therefore an intrinsic part of the device. As such, it only serves the very minimal purpose of allowing the device to boot, and authenticating and loading the next part of the boot-chain.
Then, two secondary bootloaders are loaded, SBL1 (Secondary Boot Loader), followed by SBL2. Their main responsibility is to boot up the various processors on the SoC and configure them so that they're ready to operate.
Next up in the boot-chain, the third and last secondary bootloader, SBL3, is loaded. This bootloader, among other tasks, verifies and loads the Android Bootloader - "aboot".
Now this is where we get to the part relevant for our unlocking endeavours; the Android Bootloader is the piece of software whose responsibility is, as its name suggests, to load the Android operating system and trigger its execution.
This is also the piece of boot-chain that OEMs tend to customize the most, mainly because while the first part of the boot-chain is written by Qualcomm and deals with SoC specifics, the Android bootloader can be used to configure the way the Android OS is loaded.
Among the features controlled by aboot is the "bootloader lock" - in other words, aboot is the first piece of the boot-chain which can opt to break the chain of trust (in which each bootloader stage verifies the next) and load an unsigned operating system.
For devices with an unlockable bootloader, the unlocking process is usually performed by rebooting the device into a special ("bootloader") mode, and issuing the relevant fastboot command. However, as we will later see, this interface is also handled by aboot. This means that not only does aboot query the lock status during the regular boot process, but it also houses the code responsible for the actual unlocking process.
As you may know, different OEMs take different stances on this issue. In short, "Nexus" devices always ship with an "unlockable" bootloader. In contrast, Samsung doesn't allow bootloader unlocking for most of its devices. Other OEMs, Motorola included, ship their devices locked, but certain devices deemed "eligible" can be unlocked using a "magic" (signed) token supplied by the OEM (although this also voids the warranty for most devices).
So... it's all very complex, but also irrelevant. That's because we're going to do the whole process manually - if aboot can control the lock status of the device, this means we should probably be able to do so as well, given an elevated enough set of privileges.
Getting Started
Now that we have a general grasp of the components involved and of our goal, the next stage is to analyse the actual aboot code.
Since the binaries for all stages of the boot-chain are contained within the factory firmware image, that would naturally be a good place to start. There are several download links available - here are a few. In case you would like to follow along with me, I'm going to refer to the symbols in the version "ATT_XT1097_4.4.4_KXE21.187-38".
After downloading the firmware image, we are faced with our first challenge - the images are all packed using a proprietary format, in a file called "motoboot.img". However, opening the file up in a hex-editor reveals it has a pretty simple format we can deduce:
As you can see above, the sought-after aboot image is stored within this file, along with the TrustZone image, and various stages of the boot-chain. Good.
After analysing the structure above, I've written a python script which can be used to unpack all the images from a given Motorola bootloader image, you can find it here.
Much ado aboot nothing
We'll start by inspecting the aboot image. Discouragingly, it is 1MB large, so going over it all would be a waste of time. However, as we've mentioned above, when booting the device into the special "bootloader" mode, the actual interaction with the user is provided by aboot itself. This means that we can start by searching for the strings which are displayed when the unlocking process is performed - and continue from there.
A short search for the "unlock..." string which is printed after starting the unlock process brings us straight to the function (@0xFF4B874) which deals with the unlocking logic:
That was pretty fast!
As you can see, after printing the string to the console, three functions are called consecutively, and if all three of them succeed, the device is considered unlocked.
Going over the last two functions reveals their purpose is to erase the user's data partitions (which is always performed after the bootloader is unlocked, in order to protect the device owner's privacy). In any case, this means they are irrelevant to the unlocking process itself and are simply side-effects.
This leaves us with a single function which, when called, should unlock the bootloader.
So does this mean we're done already? Can we just call this function and unlock the device?
Actually, not yet. Although the TrustZone exploit allows us to achieve code-execution within the TrustZone kernel, this is only done after the operating system is loaded, at which point, executing aboot code directly could cause all sorts of side-effects (since, for example, the code might assume that there is no operating system/the MMU could be disabled, etc.). And even if it were that simple, perhaps there is something interesting to be learned by fully understanding the locking mechanism itself.
Regardless, if we can understand the logic behind the code, we can simply emulate it ourselves, and perform the meaningful parts of it from our TrustZone exploit. Analysing the unlocking function reveals a surprisingly simple high-level logic:
Unfortunately, these two functions wreak havoc within IDA (which fails to even display a meaningful call-graph for them).
Manually analysing the functions reveals that they are in fact quite similar to one another. They both don't contain much logic of their own, but instead they prepare arguments and call the following function:
This is a little surprising - instead of handling the logic itself, this function issues an an SMC (Supervisor Mode Call) in order to invoke a TrustZone system-call from aboot itself! (as we've discussed in previous blog posts). In this case, both functions issue an SMC with the request code 0x3F801. Here is the relevant pseudo-code for each of them:
At this point we've gleaned all the information we need from aboot, now lets switch over to the TrustZone kernel to find out what this SMC call does.
Enter Stage Left, TrustZone
Now that we've established that an SMC call is made with the command-code 0x3F801, we are left with the task of finding this command within the TrustZone kernel.
Going over the TrustZone kernel system calls, we arrive at the following entry:
This is a huge function which performs widely different tasks based on the first argument supplied, which we'll call the "command code" from now on.
It should be noted an additional flag is passed into this system-call indicating whether or not it was called from a "secure" context. This means that if we try invoking it from the Android OS itself, an argument will be passed marking our invocation is insecure, and will prevent us from performing these operations ourselves. Of course, we can get around this limitation using our TrustZone exploit, but we'll go into that later!
As we've seen above, this SMC call is triggered twice, using the command codes #1 and #2 (I've annotated the functions below to improve readability):
In short, we can see both commands are used to read and write (respectively) values from something called a "QFuse".
QFuses
Much like a real-life fuse, a QFuse is a hardware component which facilitates a "one-time-writeable" piece of memory. Each fuse represents a single bit; fuses which are in-tact represent the bit zero, and "blown" fuses represent the bit one. However, as the name suggests, this operation is irreversible - once a fuse is blown it cannot be "un-blown".
Each SoC has it's own arrangement of QFuses, each with it's own unique purpose. Some fuses are already blown when a device is shipped, but others can be blown depending on the user's actions in order to change the way a specific device feature operates.
Unfortunately, the information regarding the role of each fuse is not public, and we are therefore left with the single option of reversing the various software components to try and deduce their role.
In our case, we call a specific function in order to decide which fuse we are going to read and write:
Since we call this function with the second syscall argument, in our case "4", this means we will operate on the fuse at address 0xFC4B86E8.
Putting it all together
Now that we understand the aboot and the TrustZone logic, we can put them together to get the full flow:
First, aboot calls SMC 0x3F801 with command-code #1
This causes the TrustZone kernel to read and return the QFuse at address 0xFC4B86E8
Then, iff the first bit in the QFuse is disabled, aboot calls SMC 0x3F801 once more, this time with command-code #2
This causes the TrustZone kernel to write the value 1 to the LSB of the aforementioned QFuse.
Turns out to be very simple after all - we just need to set a single bit in a single QFuse, and the bootloader will be considered unlocked.
But how can QFuses be written?
DIY QFuses
Luckily the TrustZone kernel exposes a pair of system-call which allow us to read and write a restricted set of QFuses - tzbsp_qfprom_read_row and tzbsp_qfprom_write_row, respectively. If we can lift those restrictions using our TrustZone exploit, we should be able to use this API in order to blow the wanted QFuse.
Lets take a look at these restrictions within the tzbsp_qfprom_write_row system-call:
So first, there's a DWORD at 0xFE823D5C which must be set to zero in order for the function's logic to continue. Normally this flag is in fact set to one, thus preventing the usage of the QFuse calls, but we can easily enough overwrite the flag using the TrustZone exploit.
Then, there's an additional function called, which is used to make sure that the ranges of fuses being written are "allowed":
As we can see, this function goes over a static list of pairs, each denoting the start and end address of the allowed QFuses. This means that in order to pass this check, we can overwrite this static list to include all QFuses (setting the start address to zero and the end address to the maximal QFuse relative address - 0xFFFF).
Trying it out
Now that we have everything figured out, it's time to try it out ourselves! I've written some code which does the following:
Achieves code-execution within TrustZone
Disables the QFuse protections
Writes the LSB QFuse in QFuse 0xFC4B86E8
In this blog post we went over the flow controlled by a single QFuse. But, as you can probably guess, there are many different interesting QFuses out there, waiting to be discovered.
On the one hand, blowing a fuse is really "dangerous" - making one small mistake can permanently brick you device. On the other hand, some fuses might facilitate a special set of features that we would like to enable.
One such example is the "engineering" fuse; this fuse is mentioned throughout the aboot image, and can be used to enable an amazing range of capabilities such as skipping secure boot, loading unsigned peripheral images, having an unsigned GPT, and much more.
However, this fuse is blown in all consumer devices, marking the device as a "non-engineer" device, and disabling these features. But who knows, maybe there are other fuses which are just as important, which have not yet been discovered...
Spent the last day or so looking at this. The surnia bootloader attempts to call the SMC function 0x3000A0A. That's as far as I got without the symbols for the trustzone kernel.
programmargorp said:
Spent the last day or so looking at this. The surnia bootloader attempts to call the SMC function 0x3000A0A. That's as far as I got without the symbols for the trustzone kernel.
Click to expand...
Click to collapse
I don't know if it will helps, but there in comment section of "Full TrustZone exploit for MSM8974" post , one user mentioned about tz_service of msm8916
also on MSM 8916 there is a function called
tz_service <0x3F802, aTzbsp_oem_svc, 0xF, 0x86500ECB, 1> ; "tzbsp_oem_svc"
which doesnt check the ranges and write 3 dwords to an arbitrary address
int __fastcall tzbsp_oem_svc(int a1, int a2)
{
int v2; // [email protected]
v2 = a2;
*(_DWORD *)a2 = 0xC;
*(_DWORD *)(a2 + 4) = get_tzbsp_params(); =>returns 0x0F
*(_DWORD *)(v2 + 8) = sub_865164FE(); =>returns 0x0
return 0;
}
this can be used to neutralise range check.
3max3 said:
I don't know if it will help, but there in comment section of "Full TrustZone exploit for MSM8974" post , one user mentioned about tz_service of msm8916
also on MSM 8916 there is a function called
tz_service <0x3F802, aTzbsp_oem_svc, 0xF, 0x86500ECB, 1> ; "tzbsp_oem_svc"
which doesnt check the ranges and write 3 dwords to an arbitrary address
int __fastcall tzbsp_oem_svc(int a1, int a2)
{
int v2; // [email protected]
v2 = a2;
*(_DWORD *)a2 = 0xC;
*(_DWORD *)(a2 + 4) = get_tzbsp_params(); =>returns 0x0F
*(_DWORD *)(v2 + 8) = sub_865164FE(); =>returns 0x0
return 0;
}
this can be used to neutralise range check.
Click to expand...
Click to collapse
Yes, that gives you a arbritary write gadget but doesn't bring you any closer to blowing the required qfuse.
You may or may not be able to use the other trustzone exploit (CVE-2016-2431) to trigger trustzone call 0x3000A0A with the provided parameters to force an unlock.
Good exploit, but too bad it was not converted into a more general tool ...
There is low single digit number of people who can use the instructions, and unlock other models.
bibikalka said:
Good exploit, but too bad it was not converted into a more general tool ...
There is low single digit number of people who can use the instructions, and unlock other models.
Click to expand...
Click to collapse
You`re absolutely right! Unfortunately , this device is not so popular and chances to practical use any of these exploits are close to zero.
But hope dies last.
P.S. : I really appreciate your attempt to use Dirty COW exploit on this device.
3max3 said:
You`re absolutely right! Unfortunately , this device is not so popular and chances to practical use any of these exploits are close to zero.
But hope dies last.
P.S. : I really appreciate your attempt to use Dirty COW exploit on this device.
Click to expand...
Click to collapse
Actually, I never posted this, but if your phone still has an older ROM where Dirty Cow works (5.0.2 or 5.1.1?), you should try Kingoroot as per these exact extractions:
https://forum.xda-developers.com/hd8-hd10/general/tut-fire-hd-10-7th-gen-2017-root-box-t3726443
This was the most stable temporary root I've seen on XT1528, since I was using XT1528 to debug my Fire HD how-to, and I was very pleased with how well the temporary root stuck around on XT1528, and it also survived soft reboots very well. So then you can do Titanium Backup and any other software that wants root to access /data, and other parts of the system. But of course, it cannot write into /system.
Then, there is a russian dude on the Internet selling Sunshine unlock for (1300 roubles ~$20) vs the usual $25. I'd guess Sunshine does the exact the same unlock, as that blog posted copy-pasted in post #1.
Update: here is the 1300 roubles Sunshine unlock - http://1droid.ru/?page_id=51
programmargorp said:
Spent the last day or so looking at this. The surnia bootloader attempts to call the SMC function 0x3000A0A. That's as far as I got without the symbols for the trustzone kernel.
Click to expand...
Click to collapse
The blog post seems to say that the issue was reported and fixed back in 2014. It's unlikely that XT1528 has this bug since it's a later device, and the Android versions for XT1528 are some flavor of Lollipop, not KitKat.
bibikalka said:
The blog post seems to say that the issue was reported and fixed back in 2014. It's unlikely that XT1528 has this bug since it's a later device, and the Android versions for XT1528 are some flavor of Lollipop, not KitKat.
Click to expand...
Click to collapse
AFAIK Widevine exploit and the QSEE exploit both weren't patched until late 2015/early 2016. If you have a firmware version previous to the last update, then it's very likely at least the Widevine exploit still exists.
In fact, the bootloader unlock exploit did not rely on either the Widevine OR QSEE exploits, but was completely a trustzone exploit.
programmargorp said:
AFAIK Widevine exploit and the QSEE exploit both weren't patched until late 2015/early 2016. If you have a firmware version previous to the last update, then it's very likely at least the Widevine exploit still exists.
In fact, the bootloader unlock exploit did not rely on either the Widevine OR QSEE exploits, but was completely a trustzone exploit.
Click to expand...
Click to collapse
I see what you mean:
https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html
If only we could get that Project Zero dude to start unlocking our phones, LOL
Btw, my ancient xt1028 with 4.4.4 is a great candidate for this original route : http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html
I plan to try to replicate exactly what the guy in the post was doing (IDA Pro package, his exact phone firmware version, etc), to understand if I am even able to follow his instructions first, and see the same output that he was getting. If I won't even get that far - no reason to proceed with any any other devices
Edit: btw, any suggestions what's the best package to compile his code? https://github.com/laginimaineb/Alohamora It's all provided as source files.
bibikalka said:
I see what you mean:
https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html
If only we could get that Project Zero dude to start unlocking our phones, LOL
Btw, my ancient xt1028 with 4.4.4 is a great candidate for this original route : http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html
I plan to try to replicate exactly what the guy in the post was doing (IDA Pro package, his exact phone firmware version, etc), to understand if I am even able to follow his instructions first, and see the same output that he was getting. If I won't even get that far - no reason to proceed with any any other devices
Edit: btw, any suggestions what's the best package to compile his code? https://github.com/laginimaineb/Alohamora It's all provided as source files.
Click to expand...
Click to collapse
FYI the base address and probably fuse values will be completely wrong. His code runs directly in Python.
programmargorp said:
FYI the base address and probably fuse values will be completely wrong. His code runs directly in Python.
Click to expand...
Click to collapse
Would that be Python on Android, I guess ? Something like QPython3?
There is a small piece that needs to be compiled, shellcode.S. It wants arm-eabi-gcc to work. Is there an Android version, or would I need to do it in Linux or Windows?
Well, I tried to open the same TZ as in the blog (for XT1095) in IDA, and for now cannot even find the relevant addresses which should be the same as in the blog (SECURE_BOOT_FUSE = 0xfC4B86E8).
Overall, there are about 20 things that need to be filled for a different model/TZ version:
https://github.com/laginimaineb/Alohamora/blob/master/symbols.py
Anyway, it looks like people who could re-trace the unlocking steps fully don't hang out on this thread
programmargorp said:
Spent the last day or so looking at this. The surnia bootloader attempts to call the SMC function 0x3000A0A. That's as far as I got without the symbols for the trustzone kernel.
Click to expand...
Click to collapse
I've spent some time staring at IDA here - with me being a total IDA novice. I gotta say, @laginimaineb instructions on the blog are incomplete, and have quite a few gaps.
I could locate the fuse address for XT1098 (just to repeat his steps), and then for XT1028 that I have. Overall, I decompiled the whole TZ into a big *.c file, and then text searched for similar strings as in the blog. His variable/function names were cleaned up, only operands look the same.
But the challenge is that his exploit for bootloader unlock seems to rely on the kernel module being compiled and loaded (his "/data/local/tmp/fuzz_zone" utility), which seems to imply having root access at the very least. @beaups says exactly the same here : link
Also, I did not pursue searching for the memory addresses that enable fuse writing, since that code seems to sit in aboot which I was not able to decompile yet due to its non-standard format (TZ is a standard ELF). The blog never talks how he loaded aboot into IDA, and addressed this non-ELF format.
Anyway, now I don't understand how he unlocked bootloader in XT1098, he never mentions that he had root access, while his code is using the fuzz_zone program, which relies on the kernel module to talk to TZ via SCMs. It just seems a bit circular.
Then @laginimaineb posted some later exploits which could escalate from a normal user access all the way to SCMs and TZ, but the later exploits never loop back to the bootloader unlock. The code he uploaded is very research-y, inconsistent, and tough to take forward.
Technically, one could be unlocking a bunch of MOTOs and other phones just like peanuts, with a bit of skill/time. How come nobody bothered to collect misc bounties, especially back in 2016? No skill? Or the blog instructions were not so good after all?
bibikalka said:
I've spent some time staring at IDA here - with me being a total IDA novice. I gotta say, @laginimaineb instructions on the blog are incomplete, and have quite a few gaps.
I could locate the fuse address for XT1098 (just to repeat his steps), and then for XT1028 that I have. Overall, I decompiled the whole TZ into a big *.c file, and then text searched for similar strings as in the blog. His variable/function names were cleaned up, only operands look the same.
But the challenge is that his exploit for bootloader unlock seems to rely on the kernel module being compiled and loaded (his "/data/local/tmp/fuzz_zone" utility), which seems to imply having root access at the very least. @beaups says exactly the same here : link
Also, I did not pursue searching for the memory addresses that enable fuse writing, since that code seems to sit in aboot which I was not able to decompile yet due to its non-standard format (TZ is a standard ELF). The blog never talks how he loaded aboot into IDA, and addressed this non-ELF format.
Anyway, now I don't understand how he unlocked bootloader in XT1098, he never mentions that he had root access, while his code is using the fuzz_zone program, which relies on the kernel module to talk to TZ via SCMs. It just seems a bit circular.
Then @laginimaineb posted some later exploits which could escalate from a normal user access all the way to SCMs and TZ, but the later exploits never loop back to the bootloader unlock. The code he uploaded is very research-y, inconsistent, and tough to take forward.
Technically, one could be unlocking a bunch of MOTOs and other phones just like peanuts, with a bit of skill/time. How come nobody bothered to collect misc bounties, especially back in 2016? No skill? Or the blog instructions were not so good after all?
Click to expand...
Click to collapse
That answer is easy. The bugs you've seen publicly disclosed are long patched. In fact the E2 (and E for that matter) were never vulnerable.
beaups said:
That answer is easy. The bugs you've seen publicly disclosed are long patched. In fact the E2 (and E for that matter) were never vulnerable.
Click to expand...
Click to collapse
How about an ancient XT1028 with 4.4.4 ? It's ROM dates to about mid-2014.
bibikalka said:
How about an ancient XT1028 with 4.4.4 ? It's ROM dates to about mid-2014.
Click to expand...
Click to collapse
No publicly disclosed tz bugs impacted that device past 4.4.3
bibikalka said:
I've spent some time staring at IDA here - with me being a total IDA novice. I gotta say, @laginimaineb instructions on the blog are incomplete, and have quite a few gaps.
I could locate the fuse address for XT1098 (just to repeat his steps), and then for XT1028 that I have. Overall, I decompiled the whole TZ into a big *.c file, and then text searched for similar strings as in the blog. His variable/function names were cleaned up, only operands look the same.
But the challenge is that his exploit for bootloader unlock seems to rely on the kernel module being compiled and loaded (his "/data/local/tmp/fuzz_zone" utility), which seems to imply having root access at the very least. @beaups says exactly the same here : link
Also, I did not pursue searching for the memory addresses that enable fuse writing, since that code seems to sit in aboot which I was not able to decompile yet due to its non-standard format (TZ is a standard ELF). The blog never talks how he loaded aboot into IDA, and addressed this non-ELF format.
Anyway, now I don't understand how he unlocked bootloader in XT1098, he never mentions that he had root access, while his code is using the fuzz_zone program, which relies on the kernel module to talk to TZ via SCMs. It just seems a bit circular.
Then @laginimaineb posted some later exploits which could escalate from a normal user access all the way to SCMs and TZ, but the later exploits never loop back to the bootloader unlock. The code he uploaded is very research-y, inconsistent, and tough to take forward.
Technically, one could be unlocking a bunch of MOTOs and other phones just like peanuts, with a bit of skill/time. How come nobody bothered to collect misc bounties, especially back in 2016? No skill? Or the blog instructions were not so good after all?
Click to expand...
Click to collapse
The aboot image should be a standard ELF image.
Getting root on the xt1528 is possible (without system rw) with initrd root.
beaups said:
No publicly disclosed tz bugs impacted that device past 4.4.3
Click to expand...
Click to collapse
Interesting. Not even the Widevine QSEE issue? How can it be? Or is Widevine too difficult to exploit?
programmargorp said:
The aboot image should be a standard ELF image.
Getting root on the xt1528 is possible (without system rw) with initrd root.
Click to expand...
Click to collapse
Yes, root is very easy. But it's getting further, to bootloader unlock that is the big challenge. Can you double check your "aboot", it does not look like ELF ...
bibikalka said:
Interesting. Not even the Widevine QSEE issue? How can it be? Or is Widevine too difficult to exploit?
Yes, root is very easy. But it's getting further, to bootloader unlock that is the big challenge. Can you double check your "aboot", it does not look like ELF ...
Click to expand...
Click to collapse
Correct, the device does not have that widevine vulnerability.