Related
Hi,
I think we should start hacking the Bootloader now or should list all things we have to get rid of:
- Bootloader Signature Check
- maybe efuses!?
Regards
Actually, that was my first idea too. If we could get it to run gPXE or such we would have it cracked.
I also tried accessing the device in Bootloader and in recovery mode, but on linux I did not get any device offered so I also could not access it via console or such.
I guess getting console access for the bootloader would be the most awesome step.
Hi,
realy good idea.
But people does for milestone too.
But now way :-(
Which not mean, we couldn´t give it a try.
Have a look at this page:
https://www.droid-developers.org/wiki/Main_Page
There are the ways and helps, how moto encrypt the bootloader.
Its an RSA Key 1024.
To crack it, wouldn´t be easy.
I hope you are realy good hacker and have realy good knowligde about this kinds.
If i could help you, i will do it.
would realy nice if we could combine toghether over msn or icq to help each other.
A NEW HOPE ... )
Hi,
well thats pretty good
I will read me trough the Wiki
I guess we have to rent a Cloud e.g. at Amazon (EC2) and then we could use the Power of it to encrypt the Bootloader.
OK thats spoken easier as it is but would be one thing we could do.
Regards
the|gamer said:
I guess we have to rent a Cloud e.g. at Amazon (EC2) and then we could use the Power of it to encrypt the Bootloader.
OK thats spoken easier as it is but would be one thing we could do.
Click to expand...
Click to collapse
Sounds nice, but I guess with a 1024bit Key this would be a bit expensive.
What I don't understand is that for encryption is some public and some private key, right? So to check the signed bootloader the private key must be stored somewhere on the phone. That just sounds too easy...
Hi,
there ist also a Cloud Project called "MilestoneRSA" based on the Boinc Network, everyone can download the Client and can help decrypting the RSA Key...
So if the Keys are the same that would help us.
Regards
It's nice to have ideas and try new things, but sadly that BOINC project is not being realistic. I'll quote a comment from Reddit:
Assuming you can try 10^9 keys per second one one CPU (more or less one per two CPU cycles), and assuming you have 10^80 CPUs (one per every atom in universe), you'd need 10^55 years to have 1% chance of breaking that key by brute force. And our universe exists for ~1.5*10^10 years.
The only brute force viable here is breaking into Motorola by brute force and stealing the key.
Click to expand...
Click to collapse
i've a boinc client installed on my box. but i don't find the milestone-project.
let me know if you need my box for breaking the key.
regards
Hi,
I am sure that the Bootloader will be cracked, its just a matter of time
Regards
You realy think positiv
I guess we wont.
But we will find a nother chance.
What about a new bootloader?
Cant we make us a bootloader?
The bootloader is signd itself.
But what about make it public and chance some kinds in the firmware?
Cant we rewrite it?
What is the kind of hardware how check the bootloader?
Think about it
Hi,
I did not looked at the problem from that side
Thats a really good Idea, but writing a new Bootloader from scratch will be as difficult as cracking the existing.
Regards
Hi, i dont know.
But think,
we have got the bootloader image!
Why we can´t chance settings and flash it back?
where is the problem to flash this firmware?
There must be a small pice of hardware how doesn´t allow us.
Pleas could make someone a dump from bootloader?
But i guess, a lot of people think about this!
This is same as decrypt. :-(
No chance i believe.
can't just rewrite the bootloader, propably most everything in this device has its own signature, and they propably check each other.
so, besides jailbreaking INTO motorola headquarter and steal the key, it would be easier to write a whole new software for that thing an make your own signatures open source.
best chance is, IMO, write a petition to moto and kindly ask for it, or find some moto dev an either hijack or bribe him ^^
Check https://www.droid-developers.org/wiki/Booting_chain for the Boot Chain. It's for the milestone, but I guess defy won't be much different.
Replacing the Bootstrap with gPXE and the Bootloader with GRUB shouldn't be too hard, but I guess the real problem are stage 1 bootrom which is on chip and flashing the whole thing which likely will also check the signature.
Who can do that?
I can´t.
My knowledge is not so deep.
Please could someone try it?
But what about performance?
Better?Worser as orginal boot?
Same like 2ndboot?
Slower?
Hi,
I think we should go and search for security vulnerabilities in the Bootloader, when I get my Defy I will try some things.
Regards
For botloader decryption, a good start point is the page on wikipedia about the RSA encryption: http://en.wikipedia.org/wiki/RSA
martinml said:
It's nice to have ideas and try new things, but sadly that BOINC project is not being realistic. I'll quote a comment from Reddit:
Assuming you can try 10^9 keys per second one one CPU (more or less one per two CPU cycles), and assuming you have 10^80 CPUs (one per every atom in universe), you'd need 10^55 years to have 1% chance of breaking that key by brute force. And our universe exists for ~1.5*10^10 years.
Click to expand...
Click to collapse
Are you sure the number you are quoting is right? Maybe it is some really dumb brute force method, of trying one key at a time. But knowing the algorithm, you can at least launch an brute-force prime factorization atack.
I don't understand much on cryptography, but over the internet people comment that in under a decade the 1024bit RSA algorithm should not be secure anymore. Acording to this xkcd thread, an bruteforce aproach to crack an 1024bit RSA key is "only" about 13 millions of current CPU-years. And this paper from 2003 sugests that one could break an 1024bit key in one year, with some 10 millions worth of custom hardware on 130nm (based on many assumptions). Today it would be less, but still prohibitively expensive.
An quicker way would be finding some weakness in the RSA algorithm, that decreases by some orders of magnitude the theorical computational power needed. Or discovering an more efficient way to factor big primes. Many groups of mathematicians have being working for years trying to solve those problems, but no results yet. But we can aways hope that someone will find the answer next year.
What is on reach for defy hackers is finding some vulnerability in the implementation. Maybe torturing the botloader till it tells us the key. Maybe this method, can work. Or some vulnerability on the padding algorithm, or something else.
And then there are the political means... making a pettion to Motorola (already sugested here), making a laws outlawing all forms of DRM and threacherous computing, and forcing the companies to disclose their keys (one of the main proposals of many pirate parties...)... but both are hard to be heard and put foward.
I had a litte chat with the guys from droid-developers.org on IRC today and they said that 2ndboot still is the best option. To me this also sounds really nice, since you can boot any kernel with activated usb console debugging from your running android.
That way we could also watch the boot process and maybe find out more about the hardware without changing anything (except for runtime changes), so a simple reboot should always work.
Ok, but who can compile 2ndboot for us?
I had also a Chat with this guys, but they told me, that a problem with the gsm modem!
So we could´t use the defy anymore.
But we have a custom kernel inside.
Dont understand this.
But how can we do this?
Here is the link: http://developer.nvidia.com/tegra-2-technical-reference-manual
Isn't this what we need for better Tegra development? Especially for getting custom ICS kernals booted and writen.
This hasn't been out for more than a month.
Admins please move this thread if not in the correct forum.
jwuerz said:
Here is the link: http://developer.nvidia.com/tegra-2-technical-reference-manual
Isn't this what we need for better Tegra development? Especially for getting custom ICS kernals booted and writen.
This hasn't been out for more than a month.
Admins please move this thread if not in the correct forum.
Click to expand...
Click to collapse
That certainly LOOKS useful.
EDIT:
Did you notice that's just the table of contents? It's not the ACTUAL technical reference manual. You have to apply and be approved to gain access.
I've applied. It takes up to a month to gain access, BUT it looks like this could be rather useful. More people need to apply.
Sent from my LG-P999
This line makes the point quite moot:
"Internal functional units such as video and graphics hardware acceleration are controlled by NVIDIA provided software and not documented."
jeremyritzmann said:
I've applied. It takes up to a month to gain access, BUT it looks like this could be rather useful. More people need to apply.
Sent from my LG-P999
Click to expand...
Click to collapse
See, the problem is, even if you were given the technical specifications, are you capable of writing a driver from the ground up? If not, then you've simply wasted NVidia's time, and there's apparently a LOT of that going on right now.
See this post:
https://plus.google.com/115049428938715274412/posts/KycR8ZjeUiS
One of the things the OP mentions in the comments is that NVIDIA is being overwhelmed (his word was Confused) by the amount of community requests for all sorts of things, when half of them aren't even what's needed to get ICS working, or are being asked for by people not qualified to do anything with them.
Those who know what to do with technical reference manauls already know how to apply for them. Others applying for them is just going to make NVIDIA 1) get tired of dealing with the community and 2) Liable to make it HARDER to get information in the future because they're tired of people wasting their time.
I'm not getting on to you, just saying that we "in the community" need to have a little perspective on the matter. ICS source hasn't even been out for more than a couple of weeks. The OEMs, even if they're intent on releasing ICS for devices, haven't even had time *WITH* resources from NVIDIA, to get much done.
I disagree
I have to believe that the most effective way of getting the open access we want (ala Texas instruments and omap) is to make them aware of just how much demand there is for it.
In other words, show them just how much easier their life could be if they open sourced the drivers.
Everyone should call nvidia and tell them exactly what we want
If they have to deal with 20 calls a day re this issue, they might take it seriously.
It worked with htc and Sony re locked bootloaders.....
Call nvidia at 408 486 2000 and ask for developer relations.
Then just politely make them aware of our desire to have the drivers open sourced.
----Someone more versed with the technical issues -- is there anything else we should be asking for? ----
Sent from my Kindle Fire using xda premium
Well, seeing as I am quite versatile when it comes with coding period,I don't think there is any reason to think that I couldn't write one if I had the *time* to do write it. I do agree that as far as other folks requesting open sourcing the driver code, we do need to be more *focused* in our approach, instead of bogging down their CSR departments with useless demands.
On a personal note, I wouldn't be quite so flamish when referencing a simple comment from someone you don't know, about a comment that obviously isn't an in depth explanation of *why* I've requested the technical specs manual(which was done WELL before I commented on this thread). It makes you appear as if you're intent was to come off as bullish. It does an equal amount of damage to the community as less than dev savvy folks requesting/posting silly things.
/rant
lotherius said:
See, the problem is, even if you were given the technical specifications, are you capable of writing a driver from the ground up? If not, then you've simply wasted NVidia's time, and there's apparently a LOT of that going on right now.
See this post:
https://plus.google.com/115049428938715274412/posts/KycR8ZjeUiS
One of the things the OP mentions in the comments is that NVIDIA is being overwhelmed (his word was Confused) by the amount of community requests for all sorts of things, when half of them aren't even what's needed to get ICS working, or are being asked for by people not qualified to do anything with them.
Those who know what to do with technical reference manauls already know how to apply for them. Others applying for them is just going to make NVIDIA 1) get tired of dealing with the community and 2) Liable to make it HARDER to get information in the future because they're tired of people wasting their time.
I'm not getting on to you, just saying that we "in the community" need to have a little perspective on the matter. ICS source hasn't even been out for more than a couple of weeks. The OEMs, even if they're intent on releasing ICS for devices, haven't even had time *WITH* resources from NVIDIA, to get much done.
Click to expand...
Click to collapse
Sent from my LG-P999
Agreed, but there are plenty of dev's that could use an in depth look at the chipset specs.
GenghisKhan67 said:
This line makes the point quite moot:
"Internal functional units such as video and graphics hardware acceleration are controlled by NVIDIA provided software and not documented."
Click to expand...
Click to collapse
Sent from my LG-P999
hi, someone can download and upload the documentation for Tegra 2 and Tegra 3
As most of you would know, we have learned quite a bit about Defy bootloader during the last week.
We always thought that Motorola don't have a method to unlock production defys (defys shipped to end users). Well we have sufficient information now to prove that Motorola have a method, and that it converts production defys to engineering defys (Phones used by Motorola engineers to make ROMs and other stuff)
This is actually better than a simple unlocked boot-loader because eng defys have unlimited applications (because we have direct access to MOBO/CPU) like overclocking gpu, installing other OS like Ubuntu, Debian, WP7 etc. into NAND and a lot more.
So the problem here is that the tools required for ENG switch is only available to Motorola employees. Till now we have no further information on it. The tools are TI OMAP BOARD CONFIGURATION TOOL and a 16MB .bin file. Other significance of this method is that it might also unlock other phones with OMAP(3xxx/xxxx?) board. Also this method seems to be very stable.
So the good news is that this software is available for most Motorola repair centers. That means it would be easier to get a leak. Of course the highly paid Motorola engineers with 6digit paycheck wont leak it but we should consider low level repair executives (they already leak sbfs and RSDlite).
So my suggestion is we start a bounty thread in XDA to tempt them.
If you have a solution and if you are concerned about anonymity, please PM me.
PS : There are lots of bounty threads in xda.
Hi,
Setting a Bounty would be cool, but is legal ?
Cause it is not like "I pay you a lot of money if you steal this software for me"
the|gamer said:
Hi,
Setting a Bounty would be cool, but is legal ?
Cause it is not like "I pay you a lot of money if you steal this software for me"
Click to expand...
Click to collapse
hmm. It depend's on which country you are from.
I'm quite on it. Minimum/maximum fee could be set (like US$2 min and 20 bucks max, or anything like this). And someone with access to Motorola's employees (I think the user racca works on a Moto distributor, but I'm not sure of it, I think he mentioned it in some thread a few months ago) could rush and "bribe" them. If people could be a bit more clear about which kind of employees should have access to this software, I could try and convince one of them (you know, people here in Brazil aren't that much into honesty, but are a lot into money) about heading us a leak from TI's software. I'll have to take my phone to MOTOAssist soon ("menu" and "back" keys' backlights are weaker than normal), so I'd have at least an actual reason to talk to an assist technician (assuming they have access to the board configuration tool).
Yet, since I'm no hacker (yet, I'm planning on getting a Nook Color - which community here in XDA seems to provide all you need to start your own ROM - and starting messing around with it) nor coder (know only a little about C programming), I would not try and mess around with TI's software, but only upload it somewhere and give you guys a link for it.
K3n bH1mur4 said:
I'm quite on it. Minimum/maximum fee could be set (like US$2 min and 20 bucks max, or anything like this).
Click to expand...
Click to collapse
We could even promote it with ads. The best way would be to set up our on website, maybe in Brazil(or with some webhost who would like to host this) where you could bribe your way out and then promote it with ads. There is a remote chance that XDA might not approve a bounty thread here (of illegal implications), but we could publish the website here and all other major forums (chinese forums as well).
royale1223 said:
We could even promote it with ads. The best way would be to set up our on website, maybe in Brazil(or with some webhost who would like to host this) where you could bribe your way out and then promote it with ads. There is a remote chance that XDA might not approve a bounty thread here (of illegal implications), but we could publish the website here and all other major forums (chinese forums as well).
Click to expand...
Click to collapse
Dunno, since it's illegal, it may not be the best option to promote it. Obviously, it's still not immoral, but we all know that morality and law often do not converge, so it may be better to go rogue, talking in private with motoassist technicians and stuff like that, because, even if we're just fighting for our rights, we're still using non-legal ways, and risking to be sued for it.
I don't think promoting a website is illegal. What's illegal is hosting an illegal one.
Promoting a website who promises cash for employees of a corporation who leak internal software used by that corp. might be considered illegal in most places. Fortunately (or not, I'll explain why), we have jurisprudence to embase of: in september 1st, last year, a judge here in Brazil condemned Moto to update a customer's Dext/CLIQ to Android 2.1 (Moto did not provide this update here in Brazil, even though it did in many countries) without voiding the warranty.
I know it's just one case, in just one country, and updating an android version is way different than providing unlocked bootloaders (or the tools for users to do so). And, yes, I agree with placing a bounty at the tool. Yet, if we get caught, Moto can still argue that we had other ways to pursue our rights, and we should have used the justice system to do so, if we believed we were that right. Yet, they're a multimillion-worthy company (even bigger after being purchased by Google), and we're a bunch of broke users, at most devs making a couple thousand dollars, and would have little chance against their lawyers. Last, but not least, employers who help us may get caught and fired because of us, and I sincerely want nobody (ok, maybe a few of the highest executives) to get fired just for me to get an unlocked BL.
So, my point is: let's make this a stealth action. Get a reason for your phone to be taken to Motoassist (no intentional bricking, please! You must flash an official SBF before taking it there! - at least if your phone is still under warranty), get to talk with one of their technicians, and mention - indifferently - that some guys are giving alway big money for any Moto employee who leaks that TI OMAP software. Something like this: "hey, did you hear that crazy devs at this dev forum are paying the first moto technician to hand them some sort of software? Something OMAP-related, I don't know for sure. All I know is that the reward is some nice cash."
When the word spread, we could have an unlocked bootloader within a month.
Yet, we got a single issue to deal: how to ensure the person who gives us the SW first will actually receive the cash? I've seen a few bounties here before, but them all were settled by XDA devs (so the bounty keeper could just donate the sum to that dev), never saw something like paying "outsiders".
One of my friends (Defy+ user) has a contact with a Motorola service guy. He says that that guy knows everything about Motorola software and he's with us because he himself uses custom ROMs and controls an entire service center. He's ready to take my device under warranty though it's rooted along every single hack/MOD for Defy installed
Will try contacting him
And let's post this in the forums of all other locked Motorola devices with OMAP 3xxx chips.
Sent from my MB525 using XDA App
swapnil360 said:
One of my friends (Defy+ user) has a contact with a Motorola service guy. He says that that guy knows everything about Motorola software and he's with us because he himself uses custom ROMs and controls an entire service center. He's ready to take my device under warranty though it's rooted along every single hack/MOD for Defy installed
Will try contacting him
And let's post this in the forums of all other locked Motorola devices with OMAP 3xxx chips.
Sent from my MB525 using XDA App
Click to expand...
Click to collapse
Talk with this guy. If he has access to a copy of TI's SW, and handle it to us, I'm pretty sure we could him get a nice reward. Not as high as if putting a bounty, but definitely enough to make the effort worth it.
I mean, supposing that this is actually gonna help unlock EVERY OMAP 3 (and possibly all OMAP-based phones) out there, and that this way the process is reversible (at least to me, it looks like no eFuse is being blown there, you know, assistance technicians can't just blow eFuses like that - taking the phone to the assistance under warranty shouldn't void it, and that's what a blown eFuse would do), loads of people would help. Imagine a single dollar from every OMAP 3 XDA user (take a look here for an INCOMPLETE list of OMAP 3 devices with ~30 ANDROID ONLY phones/tablets), that would make a lot of money.
this is good....and i think it will be best to not mention the location,identities,or any hint of similarities of the perosn source once you guys get contacts & manifests from that guy(source). so as not to compromise his profession.
he could be fired & worse can be sued by leaking private details.
best discuss it in private,after getting in touch w/ him...
just a tought of CAUTION...
hailmary said:
this is good....and i think it will be best to not mention the location,identities,or any hint of similarities of the perosn source once you guys get contacts & manifests from that guy(source). so as not to compromise his profession.
he could be fired & worse can be sued by leaking private details.
best discuss it in private,after getting in touch w/ him...
just a tought of CAUTION...
Click to expand...
Click to collapse
Yeah we would ensure him that.
I'll help u out....juzz tell me what to get from moto officials
hemil said:
I'll help u out....juzz tell me what to get from moto officials
Click to expand...
Click to collapse
do u know motorola mobility service center in mbai?
we only hav private shops with motos certificate...
i dont think they can help...
all they say is we'll send it to factory(?)
Sent from my MB525 using xda premium
@hemil Please pm me.
hemil said:
I'll help u out....juzz tell me what to get from moto officials
Click to expand...
Click to collapse
Hey buddy... just wait for my call today...
Sent from my MB525 using XDA App
Putting up an ads offering money for violation the law may be a bit problematic. No website will be excited to host it. Another issue is that in the end someone will have to actually post it, someone in particular. And that one person will be in danger of being a subject of interest of various law enforcement agencies. You know, at the end of the day they always want someone to put the responsibility on, the culprit, a scapegoat. So you make heat and you put some particular person into it even before there is any result.
I would prefer to focus more on personal face to face private communications with the service guys. It's harder to prove and if something goes wrong (the guy records it etc.) our guy can always say he was just kidding, bullshitting, bigmouthing.
Anyway, if you are thinking about this seriously, here are few remarks.
don't offer the particular sum, it's not tactical; not even here should be mentioned any particular number; instead, let the service guy ask his price
if the first contact with a potential source is established, ask first for a proof; specify what the proof is supposed to be (a screenshot? a video recording of the software in action?)
figure out a way how to actually collect the money; people are willing to donate but they will not donate to anyone, only to someone trustworthy (but Epsylon will surely want to have nothing to do with everything even remotely questionable, let alone illegal); the "collector" will be under the lights, he may get attention of people we don't want to deal with
who actually will be allowed to donate? anyone? how to avoid an agent to donate and then simply track where the money is going?
figure out a way how to actually make a safe and smooth deal (money <-> software); will it be in person or electronically? how to verify we are given what we paid for? classical problem: no one of both parties is willing to make his move first, but we can't give away the money for a software we would start verifying not until the money is gone
figure out how to avoid being robbed (fake offers from people who would want to grab the money and run away) as well as being caught (fake offers from the dummy guy - LE agent); in both cases the correct proof might be given, though, but the intentions are wrong
For the particular mechanics of the exchange in person, one of numerous possible ways may go like this:
our guy comes with an intentionally bricked Defy repairable only with the software in question together with the ordinary USB cable (or without, if special USB cable is needed; in that case the cable must be part of the deal), and with an empty flash drive recognizable at the first sight; no money on him
our guy passes the flash drive and the Defy (and the USB cable, if no special cable is needed) to the "source" and watches closely
the source copies the software onto the flash drive, runs the software from the flash drive, connects the Defy via the cable provided and actually unbricks the phone (this must be more elaborated on; what if the software uses some libraries from the windows directories etc. which are not copied onto the flash drive? he may or may not have the installer, but just copying the installer isn't enough, he would have to copy the installer on the flash drive, then run the installer from it and install it back onto the flash drive and run it from there)
our guy gets the phone (and the cable) back, the source unplugs the flash drive and keeps it for now, our guy watches the flash drive is not connected to anything from now on
now the software is copied onto the flash drive and verified it's working, thus ordinary hand-to-hand exchange may proceed; our guy didn't bring the money to avoid being robbed, they both now may go grab the money or our guy may call his buddy with the money etc. (also needs to be heavily elaborated on)
Sensitive parts must be detailed in-depth, I am just indicating the outline, one of many possible. Still it's very far from perfect.
As you can see it's not that easy and there are many potential points of failure so this action may never really come to the practical realization.
What about a little bit different or alternative ways? Are there any? It would be useful to ask Epsylon what he would actually wish for the most - had he been able to wish for anything.
isn't it illegal to post copyrighted stuff and also its against forum rules..
i mean that if someone gets his hand on that super tool, then how can he shares it with us???
rishi2100 said:
isn't it illegal to post copyrighted stuff and also its against forum rules..
i mean that if someone gets his hand on that super tool, then how can he shares it with us???
Click to expand...
Click to collapse
huh !! think about moto when they actually ditch us with promises ? whats wrong if what we are screaming for last 1 year . and didnt get any updates ? huh think about tht before u speak about illegal stuffs . if moto is doing all sought of ways to keep us away from our rights . what we do undercover to get us right can no way be questioned when we have told thousands of times that we need updates .
more over the authority can question us only and only when they are themselves self guilt free .... but instead they are pretending to be saint sitting behind the curtains and doing all sought of locking stuff to deprive us of our rights
@jhonsmithx Let's not get ahead of ourselves. First of all lets concentrate on getting the source. Also I urge users to use a bit of social engineering to do that(using fb/g ). We'll put together a plan according to the situation after that. Also note that this is a pretty long shot. We might not get a source after all.
rishi2100 said:
isn't it illegal to post copyrighted stuff and also its against forum rules..
i mean that if someone gets his hand on that super tool, then how can he shares it with us???
Click to expand...
Click to collapse
I could think of atleast 10 ways to share anonymously. Though I wont be posting them here.
With the signing key or certificate we could just sign our own kernels and wave knox goodbye while keeping the warranty, right?
Can't this be cracked somehow? or maybe someone from samsung is nice and leaks? =)
I sooo want to get rid of knox completely but don't dare to purposely trip the flag yet....
I think the only way to succeed would be to be able to sign our own kernels for knox or find some other exploit to break out of the boundaries of selinux enforcing mode. (or to get this thing turned off..)
But to run custom recoveries and kernels without tripping knox we'd still need to be able to sign those.
---
One time, cmon!
EDIT: Ohh forgot to say that I would put 20$ into the "samsung knox root cert leak fund" - maybe we can get smth started hehe
(like in the thread where people collect for a method to restore knox to 0x0..just with a lil different approach *evilgrin*)
You don't "crack" digital signatures like this, you'll be at that until the end of time. You're also not going to get some Samsung employee selling it, either, because the only people that have access to this stuff will be higher-ups getting paid a lot more than this bounty will ever reach. Not just that but it's not worth being blacklisted from the entire industry.
neoKushan said:
You don't "crack" digital signatures like this, you'll be at that until the end of time. You're also not going to get some Samsung employee selling it, either, because the only people that have access to this stuff will be higher-ups getting paid a lot more than this bounty will ever reach. Not just that but it's not worth being blacklisted from the entire industry.
Click to expand...
Click to collapse
Tell that to Sony or the movie industry., Microsoft, direct TV, bell, dishnet.
Sent from my Telus SM900N-W8 via XDA Premium App
JohnnyRebel said:
Tell that to Sony or the movie industry.
Sent from my Telus SM900N-W8 via XDA Premium App
Click to expand...
Click to collapse
Sony failed at their implementation of RSA, I very much doubt Samsung has made the same mistake. As for the HDCP leak (I presume that's what you're referring to), that was reversed through a weakness in the algorithm. RSA has no such weakness if done correctly.
neoKushan said:
Sony failed at their implementation of RSA, I very much doubt Samsung has made the same mistake. As for the HDCP leak (I presume that's what you're referring to), that was reversed through a weakness in the algorithm. RSA has no such weakness if done correctly.
Click to expand...
Click to collapse
You know your stuff better then me, but I'm praying your not right. No offense but I'm trying to remain the optimist. Everything man made can be broken. I like to think with time a way will be found to fake or mimic the signature. Obviously if that day comes Knox will probably long since been comprimised. Since this is their first implementation of Knox I'm sure there's flaws that hopefully get stumbled across. I'll be more worried about Knox 2. The only thing that might stop man from trying would be if Samsung proved it irrelevant. Eg. Honoring warranty with Knox tripped, or reseting Knox for a small fee.
Sent from my Telus SM900N-W8 via XDA Premium App
JohnnyRebel said:
You know your stuff better then me, but I'm praying your not right. No offense but I'm trying to remain the optimist. Everything man made can be broken. I like to think with time a way will be found to fake or mimic the signature. Obviously if that day comes Knox will probably long since been comprimised. Since this is their first implementation of Knox I'm sure there's flaws that hopefully get stumbled across. I'll be more worried about Knox 2. The only thing that might stop man from trying would be if Samsung proved it irrelevant. Eg. Honoring warranty with Knox tripped, or reseting Knox for a small fee.
Sent from my Telus SM900N-W8 via XDA Premium App
Click to expand...
Click to collapse
Oh don't get me wrong, I firmly believe that nearly anything can be hacked given enough time. I would be surprised if Knox is still an issue 6 months from now, I just don't think we'll see the RSA key signature for it any time soon. I'm hoping we'll just find a way to reset it, or at least stop it from being tripped in the first place. The good news is that it would appear to NOT be a hardware efuse of any kind, so keep those fingers crossed.
neoKushan said:
Oh don't get me wrong, I firmly believe that nearly anything can be hacked given enough time. I would be surprised if Knox is still an issue 6 months from now, I just don't think we'll see the RSA key signature for it any time soon. I'm hoping we'll just find a way to reset it, or at least stop it from being tripped in the first place. The good news is that it would appear to NOT be a hardware efuse of any kind, so keep those fingers crossed.
Click to expand...
Click to collapse
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048 bit key, with a traditional desktop (2.2ghz CPU), it would take roughly 1.5 million years. I am not sure how strong is the key that Samsung has, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computer will reduce that into something that is very well manageable, but we are not anywhere close. And nature of quantum computing is that you will never get 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but still has a chance not to be 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Meanee said:
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048 bit key, with a traditional desktop (2.2ghz CPU), it would take roughly 1.5 million years. I am not sure how strong is the key that Samsung has, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computer will reduce that into something that is very well manageable, but we are not anywhere close. And nature of quantum computing is that you will never get 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but still has a chance not to be 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Click to expand...
Click to collapse
Sorry, I know you're trying to be helpful, but I don't think you've read the whole of my post, or indeed the previous post I made on the subject (second post in this thread). There is also an important distinction between "hacking" something and just brute forcing something as well. By "hacking" RSA, I'm really talking about finding a weakness in the algorithm that either allows derivations of the key or much faster brute forcing. Still, a lot of research has gone into this and although RSA is beginning to be considered insecure, it's not quite utterly broken yet for large keys (2048bit and above), but large keys are too computationally intensive. That's assuming RSA is in play here, it could equally be ECC and in that case, we're definitely ****ed.
Meanee said:
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048 bit key, with a traditional desktop (2.2ghz CPU), it would take roughly 1.5 million years. I am not sure how strong is the key that Samsung has, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computer will reduce that into something that is very well manageable, but we are not anywhere close. And nature of quantum computing is that you will never get 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but still has a chance not to be 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Click to expand...
Click to collapse
Tbh that's actually a very good example of explaining quantum computing - though unless anyone has 6 months exclusive access to a multi million/billion dollar quantum computer, I think you guys can pretty much rule out either a cracked code or a key being leaked, these private keys are literally the one thing a developer or OEM never, ever wants to be leaked as with it you can sign firmware + do untold mischief. I honestly wouldn't be at all surprised if only one or two Samsung employees have access to this key.
IMO your probably much better off with going down the usual exploit root of finding a security flaw and exploiting it.
Jonny said:
Tbh that's actually a very good example of explaining quantum computing - though unless anyone has 6 months exclusive access to a multi million/billion dollar quantum computer, I think you guys can pretty much rule out either a cracked code or a key being leaked, these private keys are literally the one thing a developer or OEM never, ever wants to be leaked as with it you can sign firmware + do untold mischief. I honestly wouldn't be at all surprised if only one or two Samsung employees have access to this key.
IMO your probably much better off with going down the usual exploit root of finding a security flaw and exploiting it.
Click to expand...
Click to collapse
Back closer to topic a little (though this is interesting!)... in the Knox white paper, Samsung states that it's possible to change the root key on the phone that establishes the whole downstream chain of trust (boot loader, kernel, ...). Apparently this is a legal/security requirement for certain government agencies, but whatever the reason, there is a protocol in place to get one's own root CA cert signed by Samsung and then have that installed at the root level of the phone. Samsung is pretty explicit in saying that this means you will need to roll all of the system software yourself, so I think they really do mean the key used at the lowest level we would care about.
I've idly thought of writing Samsung with complaints about how Knox interferes with some normal operation of the phone, and ask them to either sign a key I can use to install a development FW, or provide a properly signed dev FW, or at least provide a method for hooking and controlling the Knox/SEAndroid subsystem. I realize the likelihood of success is low, but could it really hurt to ask?
p
Hey all. Currently, evilpotatoman has gotten us closer than ever to achieving root with our phones. He's out of commission at this time until his device back comes in, which could take 2 weeks or more. He has extended the torch to any dev who might be interested in taking a crack at it with his notes (included below). Reference the bounty thread here for details about the bootloader/root bounty information.
!!!!PLEASE DO NOT POST YOUR BOUNTY AMOUNTS HERE!!!! DO IT IN RAYLON00'S THREAD FOR CONTINUITY: http://forum.xda-developers.com/showthread.php?t=3339857
evilpotatoman said:
Here's where it's at, but first a few notes and thoughts;
A) Even after upsetting dm-verity, the system remained somewhat stable*
*The only issues I see are the system:custom message, an unlocked boot logo, and that the stock installer refuses to install anything but FOTAs or a sec_csc.zip flashed on the CACHE partition. If cleared, the system boots up normally
B) It's extremely difficult to reverse dev this device - Every piece of secure-trust-knox-DRK-verity-crapola increases the chance of a misstep and ending up with a really nice IOT brick. Because of all this security, looking for buffer overflows and random execs would take ages. I focused on stupid programming mistakes, sifting through log files, much like I did when developing the original Note 3 recovery method.
C) The HOME_CSC partition file that seems to fail typical odin flashes -- It sets something permanent, like kind of hard-coding the verity keys. During my testing, I flashed one only to later realize that my CSC was then hard-coded to Chinese branding. Before that flash, I could mess around with the branding at will (and subsequently write to the system partition). It was only after I flashed that CSC_HOME that dm-verity actually failed. In short -- I had root BEFORE download mode labeled my system as custom. I flashed HOME_CSC, dm-verity then failed when I changed the CSC following the hard-code.
I have yet to fully re-create my EFS partition, and sent it to someone who wears darker hats than I for a fix. Because I won't have the phone for a while (at least 2 weeks), I've decided to give a brain dump in hopes that someone can pick up where I left off.
PM me for additional details, but the following should get better devs searching for a more stable method.
sec_csc.zips (found in cache.img.ext4) can be used to modify the system partition, and the partition itself isn't signed. Those zips also set the region.
*A particularly interesting csc zip exists for the G9300's CSC file.....
Odin happily flashes specific "partitions" individually, so piece-meal it out.
nand partitions can be written to while still failing in odin (but system.img is signed in 2 places, so fyi)
The exploit leverages those download-mode/recovery, plus the stupid programming error found below:
on the stock firmware, there's a boot script that calls a missing binary, which is a perfect -in- for the su daemon.
Click to expand...
Click to collapse
You can PM evilpotatoman here: http://forum.xda-developers.com/member.php?u=2322344
Very cool! This looks promising
Sent from my SM-G935P using Tapatalk
maybe @jcadduono can do something here?
Holy ****! This is big news!
seanvree said:
maybe @jcadduono can do something here?
Click to expand...
Click to collapse
He does not have a s7, so I doubt he can help much
Maybe jcase can work on boot loader and root
Sent from my Nexus 6 using Tapatalk
@jcase and @beaups come to mind.
I'd love to see this take off. To that effect, may I suggest contacting the dev you're wondering about and asking (POLITELY) if they intend to or are willing to contribute to this project?
Additionally, since we have nearly $2000 pledged for a root method, we can set up a fund to get the devices in the hands of the devs willing to work on the issue that may not have a device, starting with @evilpotatoman if he needs it. This might also give people who were apprehensive about contributing to the bounty another option to support this endeavor, and gives the rest of us a way to actively contribute instead of saying "here's your prize if you win."
Someone could even act as a third party to set up the fund (be it gofundme or something else, I need to research options). We may not all know how to fight on the front lines, but there are definitely ways the rest of us peons can actively support the effort instead of being passive and hoping it eventually happens because someone else did it.
Thoughts, suggestions, questions?
@jcase hacked the unhackable black phone.... I ask him on Twitter but he didn't say if he would have time to do it or not...
Sent from my Nexus 6 using Tapatalk
Tagging him won't help. I don't think he likes to tagged often. I'm talking about jcase. If he wants to he will. Since evilpotatoman has opened up this whole new scenario. I hope all the devs see it and try to put on their magic. But yes. I have my bet on jcase. Have seen his work from a while back. A mastermind I must admit.
Sent from my SM-G935T using XDA-Developers mobile app
Mew351 said:
Holy ****! This is big news!
Click to expand...
Click to collapse
No it isnt, this is exactly zero news.
That entire post is wrong, it is full of basic factual errors that make question if its a troll, or a misunderstanding of how these things work.
I may nitpick it when I get home if anyone disagrees with my evaluation of it, but a simple view:
a) messing with dm-verity wouldnt cause system stability issues at all, either it would boot or not.
b) reverse engineering this device is no harder than previous ones, there is no insane obfuscation or anything (just some simple obfuscation). Standard toolsets would work ehre.
c) The "custom" symbol is just a sign of tampering, in fact I could make a standard app to cause it. It wouldn't stop or remove root from a system.
The whole post in general is gibberish.
Dont start funds for developers who need phones, too many times it comes out bad.
We allow bounties, but funds need to be pledged not held by a single person, and they should not be paid out unless the project is completed, and posted (and is of primarily original work).
psych0r3bel said:
I'd love to see this take off. To that effect, may I suggest contacting the dev you're wondering about and asking (POLITELY) if they intend to or are willing to contribute to this project?
Additionally, since we have nearly $2000 pledged for a root method, we can set up a fund to get the devices in the hands of the devs willing to work on the issue that may not have a device, starting with @evilpotatoman if he needs it. This might also give people who were apprehensive about contributing to the bounty another option to support this endeavor, and gives the rest of us a way to actively contribute instead of saying "here's your prize if you win."
Someone could even act as a third party to set up the fund (be it gofundme or something else, I need to research options). We may not all know how to fight on the front lines, but there are definitely ways the rest of us peons can actively support the effort instead of being passive and hoping it eventually happens because someone else did it.
Thoughts, suggestions, questions?
Click to expand...
Click to collapse
jcase said:
Dont start funds for developers who need phones, too many times it comes out bad.
We allow bounties, but funds need to be pledged not held by a single person, and they should not be paid out unless the project is completed, and posted (and is of primarily original work).
Click to expand...
Click to collapse
Fair enough. I probably should have checked to see if there was any rule against this. Regardless, from a common sense standpoint you make...well, sense. Wrote myself into a corner there. >.>
As for the entire OP being gibberish...you're essentially saying we're back at square one, or is he at least barking up the right tree, in your opinion? As you can tell, I'm a little overzealous when it comes to this phone getting root lol.
jcase said:
No it isnt, this is exactly zero news.
That entire post is wrong, it is full of basic factual errors that make question if its a troll, or a misunderstanding of how these things work.
I may nitpick it when I get home if anyone disagrees with my evaluation of it, but a simple view:
a) messing with dm-verity wouldnt cause system stability issues at all, either it would boot or not.
b) reverse engineering this device is no harder than previous ones, there is no insane obfuscation or anything (just some simple obfuscation). Standard toolsets would work ehre.
c) The "custom" symbol is just a sign of tampering, in fact I could make a standard app to cause it. It wouldn't stop or remove root from a system.
The whole post in general is gibberish.
Click to expand...
Click to collapse
psych0r3bel said:
Fair enough. I probably should have checked to see if there was any rule against this. Regardless, from a common sense standpoint you make...well, sense. Wrote myself into a corner there. >.>
As for the entire OP being gibberish...you're essentially saying we're back at square one, or is he at least barking up the right tree, in your opinion? As you can tell, I'm a little overzealous when it comes to this phone getting root lol.
Click to expand...
Click to collapse
Well he did manage to get root so I don't know how it is all gibberish.
jakebake102 said:
Well he did manage to get root so I don't know how it is all gibberish.
Click to expand...
Click to collapse
I don't believe you or him on that. It is gibberish because its factually wrong, if it wasnt factually wrong I wouldnt have a reason to doubt someone in particular got root. When you make it apparent you are making stuff up or dont know what your talking about, it casts a major doubt.
Plus the proof shown, just showing that syscope got tripped, its not showing root, its not showing unlock, its literally showing nothing of any indication.
jakebake102 said:
Well he did manage to get root so I don't know how it is all gibberish.
Click to expand...
Click to collapse
It is possible to see and not understand. Often times an opinion held about the cause of a specific behavior in a complex system can be premature, and when new information comes to light suddenly all of the indicators that pointed to one cause suddenly mean something very different. The problem comes not with forming these theories about what causes a behavior, but in voicing that opinion before it is fully vetted out by your own tests.
In short, it is possible to be right about what you see, but wrong about what caused it.
jcase said:
I don't believe you or him on that. It is gibberish because its factually wrong, if it wasnt factually wrong I wouldnt have a reason to doubt someone in particular got root. When you make it apparent you are making stuff up or dont know what your talking about, it casts a major doubt.
Plus the proof shown, just showing that syscope got tripped, its not showing root, its not showing unlock, its literally showing nothing of any indication.
Click to expand...
Click to collapse
Ok well thanks for looking this over.
jakebake102 said:
Well he did manage to get root so I don't know how it is all gibberish.
Click to expand...
Click to collapse
Everyone beat me to it, but yeah. He said it, hasn't proven it. If he managed to get root, great. I gave him the benefit of the doubt, but now we have a known dev basically discrediting everything based upon his own expertise.
So from this point forward, the onus of proof is on the OP to prove he has/had root. Nothing a screenshot can't prove. It's entirely possible he did get root, but for a different reason than he stated, and posting his proof opens up the floor for a discussion on the exact process. The result doesn't produce the method, so maybe he stumbled upon root by chance in the midst of his work, which led him to think his method worked. Too many variables. That's why we discuss these things.
jcase said:
No it isnt, this is exactly zero news.
That entire post is wrong, it is full of basic factual errors that make question if its a troll, or a misunderstanding of how these things work.
I may nitpick it when I get home if anyone disagrees with my evaluation of it, but a simple view:
a) messing with dm-verity wouldnt cause system stability issues at all, either it would boot or not.
b) reverse engineering this device is no harder than previous ones, there is no insane obfuscation or anything (just some simple obfuscation). Standard toolsets would work ehre.
c) The "custom" symbol is just a sign of tampering, in fact I could make a standard app to cause it. It wouldn't stop or remove root from a system.
The whole post in general is gibberish.
Click to expand...
Click to collapse
Hey jcase (I know you from the old days on XDA, just a bit undercover now for XDA reasons.) Anyway, please don't let the excitement of some folks turn you off to this whole idea. These Qualcomm variants of the S7/Edge are majorly great devices, and root would be ****ing awesome for everyone, so people are gonna get worked up about it. You KNOW how XDA gets. If you believe that there might be a straightforward exploit available, similar to the CID directory exploit that was used in the VS5, please pass on any help you can. (Or even if it has nothing to do with that route.)
All I know is that if you, or bceups, or anyone could actually help make this happen (and this is definitely a "they say it'll never happen" moment, like the Evo3d or the VS5) then you'd be rockstars of the community, more than you are now, however much that means to you. (It means a lot to me, I promise you.) If you think there's hope, and you're willing to give it a shot, ****ing bad ass... If not, maybe PM evilpotatoman and give him a nudge in the direction you'd think would work best.
Either way, I, and I'm sure every GS7/EDGE customer in America who's into Android, definitely have your back.
Let us know your thoughts, and if there's actually a ray of hope.
That's all I got.
Peace, bro.
Edit: and, btw, there IS some big bounty or something to boot, lol.
..