[Q] Crack asus lock - Asus Transformer TF700

Hi I was just wondering what thread I should subscribe to if I want to be notified when or if they crack the asus lock.
Thx

Stammis said:
Hi I was just wondering what thread I should subscribe to if I want to be notified when or if they crack the asus lock.
Thx
I would think this thread would be the first to know about that if it's ever accomplished, but don't get your hopes up about cracking asymmetric cryptographic digitally signed keys. I think it would require leaking the secure Asus key, and I doubt that's going to happen. Even if it could be accomplished by a supercomputer with random iteration, the costs would be prohibitive. Since there is no closed-form mathematical solution for integer factorization or discrete logarithms, it is impossible without random luck. They still can't even prove whether there is a last "twin prime" = two consecutive prime numbers (e.g. 11, 13) or not, and they have been trying for nearly two centuries just to solve that.
https://www.google.com/url?q=http:/...ds-cse&usg=AFQjCNGuCOk91VONmLDHCtjsVSl6PIJuHg
http://en.m.wikipedia.org/wiki/Asymmetric_key_algorithm

Related

[Developers] Bootloader decrypt/hacking the Bootloader

Hi,
I think we should start hacking the Bootloader now, or we should list all the things we have to get rid of:
- Bootloader Signature Check
- maybe efuses!?
Regards
Actually, that was my first idea too. If we could get it to run gPXE or such we would have it cracked.
I also tried accessing the device in Bootloader and in recovery mode, but on Linux I did not get any device offered, so I also could not access it via console or such.
I guess getting console access for the bootloader would be the most awesome step.
Hi,
Really good idea.
But people did this for the Milestone too.
But no way :-(
Which doesn't mean we couldn't give it a try.
Have a look at this page:
https://www.droid-developers.org/wiki/Main_Page
There are the ways and help on how Moto encrypts the bootloader.
It's a 1024-bit RSA key.
To crack it wouldn't be easy.
I hope you are a really good hacker and have really good knowledge about these kinds of things.
If I can help you, I will do it.
It would be really nice if we could get together over MSN or ICQ to help each other.
A NEW HOPE ... )
Hi,
well, that's pretty good
I will read through the Wiki
I guess we have to rent a Cloud e.g. at Amazon (EC2) and then we could use the Power of it to encrypt the Bootloader.
OK, that's easier said than done, but it would be one thing we could do.
Regards
the|gamer said:
I guess we have to rent a Cloud e.g. at Amazon (EC2) and then we could use the Power of it to encrypt the Bootloader.
OK, that's easier said than done, but it would be one thing we could do.
Sounds nice, but I guess with a 1024-bit key this would be a bit expensive.
What I don't understand is that for encryption there is some public and some private key, right? So to check the signed bootloader the private key must be stored somewhere on the phone. That just sounds too easy...
Hi,
there is also a Cloud Project called "MilestoneRSA" based on the BOINC network; everyone can download the client and help decrypt the RSA key...
So if the keys are the same, that would help us.
Regards
It's nice to have ideas and try new things, but sadly that BOINC project is not being realistic. I'll quote a comment from Reddit:
Assuming you can try 10^9 keys per second on one CPU (more or less one per two CPU cycles), and assuming you have 10^80 CPUs (one per every atom in the universe), you'd need 10^55 years to have a 1% chance of breaking that key by brute force. And our universe has existed for ~1.5*10^10 years.
The only brute force viable here is breaking into Motorola by brute force and stealing the key.
I've a BOINC client installed on my box, but I can't find the Milestone project.
Let me know if you need my box for breaking the key.
regards
Hi,
I am sure that the Bootloader will be cracked, it's just a matter of time
Regards
You really think positive.
I guess we won't.
But we will find another chance.
What about a new bootloader?
Can't we make our own bootloader?
The bootloader is signed itself.
But what about making it public and changing some things in the firmware?
Can't we rewrite it?
What kind of hardware checks the bootloader?
Think about it
Hi,
I did not look at the problem from that side.
That's a really good idea, but writing a new Bootloader from scratch will be as difficult as cracking the existing one.
Regards
Hi, I don't know.
But think,
we have got the bootloader image!
Why can't we change settings and flash it back?
Where is the problem with flashing this firmware?
There must be a small piece of hardware that doesn't allow us.
Please, could someone make a dump of the bootloader?
But I guess a lot of people think about this!
This is the same as decrypting. :-(
No chance, I believe.
Can't just rewrite the bootloader; probably most everything in this device has its own signature, and they probably check each other.
So, besides jailbreaking INTO Motorola headquarters and stealing the key, it would be easier to write whole new software for that thing and make your own signatures open source.
Best chance is, IMO, to write a petition to Moto and kindly ask for it, or find some Moto dev and either hijack or bribe him ^^
Check https://www.droid-developers.org/wiki/Booting_chain for the Boot Chain. It's for the Milestone, but I guess the Defy won't be much different.
Replacing the Bootstrap with gPXE and the Bootloader with GRUB shouldn't be too hard, but I guess the real problems are the stage 1 bootrom, which is on chip, and flashing the whole thing, which likely will also check the signature.
Who can do that?
I can't.
My knowledge is not so deep.
Please could someone try it?
But what about performance?
Better? Worse than the original boot?
Same as 2ndboot?
Slower?
Hi,
I think we should go and search for security vulnerabilities in the Bootloader, when I get my Defy I will try some things.
Regards
For bootloader decryption, a good starting point is the page on Wikipedia about RSA encryption: http://en.wikipedia.org/wiki/RSA
martinml said:
It's nice to have ideas and try new things, but sadly that BOINC project is not being realistic. I'll quote a comment from Reddit:
Assuming you can try 10^9 keys per second on one CPU (more or less one per two CPU cycles), and assuming you have 10^80 CPUs (one per every atom in the universe), you'd need 10^55 years to have a 1% chance of breaking that key by brute force. And our universe has existed for ~1.5*10^10 years.
Are you sure the number you are quoting is right? Maybe it is some really dumb brute-force method of trying one key at a time. But knowing the algorithm, you can at least launch a brute-force prime factorization attack.
I don't understand much about cryptography, but over the internet people comment that in under a decade the 1024-bit RSA algorithm should not be secure anymore. According to this xkcd thread, a brute-force approach to crack a 1024-bit RSA key is "only" about 13 million current CPU-years. And this paper from 2003 suggests that one could break a 1024-bit key in one year, with some 10 million worth of custom hardware on 130nm (based on many assumptions). Today it would be less, but still prohibitively expensive.
A quicker way would be finding some weakness in the RSA algorithm that decreases by some orders of magnitude the theoretical computational power needed. Or discovering a more efficient way to factor big primes. Many groups of mathematicians have been working for years trying to solve those problems, but no results yet. But we can always hope that someone will find the answer next year.
What is within reach for Defy hackers is finding some vulnerability in the implementation. Maybe torturing the bootloader till it tells us the key. Maybe this method can work. Or some vulnerability in the padding algorithm, or something else.
And then there are the political means... making a petition to Motorola (already suggested here), making laws outlawing all forms of DRM and treacherous computing, and forcing the companies to disclose their keys (one of the main proposals of many pirate parties...)... but both are hard to be heard and put forward.
I had a litte chat with the guys from droid-developers.org on IRC today and they said that 2ndboot still is the best option. To me this also sounds really nice, since you can boot any kernel with activated usb console debugging from your running android.
That way we could also watch the boot process and maybe find out more about the hardware without changing anything (except for runtime changes), so a simple reboot should always work.
OK, but who can compile 2ndboot for us?
I also had a chat with these guys, but they told me that there is a problem with the GSM modem!
So we couldn't use the Defy anymore.
But we have a custom kernel inside.
I don't understand this.
But how can we do this?

is bootloader finally "cracked"?

http://www.wix.com/palmercurling/project-bootloader-freedom
seems that the kexec methods work... and probably today or tomorrow the source code will be released....
if that's true, then it'll be good news
that will make Dexter's porting of 2.2 even easier
Hm... Maybe if this works, Dexter can try with 2.3
grigorbg said:
Hm... Maybe if this works, Dexter can try with 2.3
Dexter already explained why 2.3 is not going to work
He didn't say it's not gonna work, he said it MIGHT not work but he'll test it. That's what he said.
Vistaus said:
He didn't say it's not gonna work, he said it MIGHT not work but he'll test it. That's what he said.
Well, he said that 2.3 may need a newer kernel, not the 2.6.29 that works on the XT720, because of the bootloader...
So, I hope that helps!
That's what I meant. Sorry for the confusion. He said MAY need a newer kernel, but it's not clear yet 'cause he doesn't have the XT720 yet nor 2.3, so maybe it'll work.
And btw, I dunno if you guys actually read the first post in this thread but if the bootloader is cracked in some way, then it doesn't matter anymore 'cause we can flash any custom kernel then.
Sure, it was only a message about why Dexter says it's not going to work.
People from droid-developers.org also already made many attempts... with kexec also...
For now.. no success =(
Motorola just marked the request to unlock the Droid X bootloader as "Implemented" here!!!:
http://getsatisfaction.com/motorola/topics/please_unlock_the_droid_x_bootloader
This may be related to:
http://www.droid-life.com/2011/01/1...bootloaders-looks-to-partner-with-developers/
which links to a Facebook response by Motorola that reads:
Motorola - We apologize for the feedback we provided regarding our bootloader policy. The response does not reflect the views of Motorola.
We are working closely with our partners to offer a bootloader solution that will enable developers to use our devices as a development platform while still protecting our users’ interests. More detailed information will follow as we get closer to availability.
I'm incredulous. I really don't want to get my hopes up. We need a "support group" and seven step program.
Edit: More coverage of the incident
http://androinica.com/2011/01/19/motorola-unsure-of-its-own-bootloader-policy/
http://nexus404.com/Blog/2011/01/20...m-users-to-go-away-then-begs-for-forgiveness/
why is the bootloader so difficult to crack?
Why is the bootloader so difficult to crack?
c_urbanek said:
Why is the bootloader so difficult to crack?
The short answer is that the security in the bootloader is based on very high quality mathematics.
Basically it's what's called an NP-complete problem (I think, I'm an armchair cryptographer only). Think of it this way: we have some sort of algorithm (equations are a kind of algorithm):
45 * x + 32 = 76
Now, there are two ways to find values of x that satisfy this equation. The way we are taught in school is to use the rules of arithmetic to convert the algorithm into a simpler algorithm that yields an expression we can evaluate directly. That's pretty fast.
Now assume you didn't learn how to do that and that nobody in the world knows how to do it. The other way to solve it is to try plugging in values of x on the left-hand side until you find a value that when evaluated gives 76. That way could take a very long time. In fact, you can calculate how long you expect it will take based on how long it takes to test a single value and the expected number of values you'll have to test. (On computers, numbers can be very large, but they can't be infinite)
Fundamentally, this gets to a very important unanswered question in computer science and mathematics called "P ?= NP" which essentially asks: can every possible algorithm be simplified somehow to be solved faster than plugging in numbers (oversimplified a bit), or are there some algorithms that can only be solved by trying different values until one works? Digital cryptography is based on finding algorithms that can't be solved easily with current knowledge (the research question is: can you find an algorithm and prove that it can never be simplified--again oversimplified a bit).
The bootloader uses one of these algorithms (in the sense that publicly nobody knows anybody that can simplify it--insert NSA conspiracy theories). I think I read somewhere that based on the keysize and using the best algorithms available to search the keyspace, the expected amount of time required to crack the key using all of the available computing power in the world is something like 15-30 years. There was the distributed cracking effort, but they were using very inefficient algorithms that supposedly would take at least over 1000 years (some people said it would take longer than the life of the universe). Some have said that hardware that should be available in five years should be able to break it in five years or something like that. I'm probably remembering the details wrong, but in any case it's not good news.
So, that leaves us with essentially five ways to crack the bootloader:
(1) Look for the key with the expectation of never finding it in the lifetime of the device,
(2) Find a bug in the implementation of the bootloader itself (could be either a hardware or software bug),
(3) physically modify the phone to disable the check,
(4) find an efficient attack on the algorithm (i.e. prove this particular encryption isn't one of the mythical unsolvable ones),
(5) convince Motorola to just give it to us.
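The five options above, and the earlier question of whether the private key must be stored on the phone, come down to one mechanism, so here is an added Python model of a signed-bootloader check (my own illustration, not code from this thread or from Motorola, Asus or Samsung). It assumes a toy RSA key built from constructed 20-bit primes and a bare SHA-256 digest in place of real PKCS#1 padding, and reuses the rate assumptions from the quoted Reddit comment to size a naive key search.

```python
"""Toy model of a signed-bootloader check (added example, not from the thread).

The device stores ONLY the public key; the private key never leaves the
factory. The primes below are deliberately tiny (constructed, ~20 bits each)
so the example runs instantly; a real bootloader uses 1024/2048-bit moduli
and a proper padding scheme (PKCS#1 v1.5 or PSS), which this toy omits.
"""
import hashlib

# Constructed factory key material (NOT secure; for illustration only).
FACTORY_P = 1000003
FACTORY_Q = 1000033
PUBLIC_EXPONENT = 65537

SECONDS_PER_YEAR = 31_557_600  # Julian year


def keygen(p, q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)) for textbook RSA with primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def image_digest(image: bytes, n: int) -> int:
    """Hash the image and reduce it into the modulus range (toy padding)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign_image(image: bytes, private_key) -> int:
    """Done at the factory: only the holder of d can produce this value."""
    n, d = private_key
    return pow(image_digest(image, n), d, n)


def verify_image(image: bytes, signature: int, public_key) -> bool:
    """Done on the device: needs e and n only, never d."""
    n, e = public_key
    return pow(signature, e, n) == image_digest(image, n)


class LockedDevice:
    """Models a phone whose boot ROM holds nothing but the vendor public key."""

    def __init__(self, public_key):
        self.public_key = public_key  # embedded at manufacture, read-only

    def boot(self, image: bytes, signature: int) -> bool:
        """True if the image boots, False if the signature check rejects it."""
        return verify_image(image, signature, self.public_key)


def naive_search_years(key_bits: int, keys_per_second: int = 10**9,
                       cpus: int = 10**80, one_in: int = 100) -> int:
    """Years for a 1-in-`one_in` chance of success by enumerating every key,
    under the Reddit comment's assumptions (10^9 keys/s per CPU, 10^80 CPUs).
    Integer arithmetic because 2**1024 does not fit in a float."""
    keys_to_try = 2**key_bits // one_in
    seconds = keys_to_try // (keys_per_second * cpus)
    return seconds // SECONDS_PER_YEAR


def demo() -> dict:
    """Walk through the factory / device / tamper scenario; returns results."""
    public_key, private_key = keygen(FACTORY_P, FACTORY_Q)
    device = LockedDevice(public_key)  # the private key is NOT given to it

    official = b"constructed bootloader image v1.0"
    official_sig = sign_image(official, private_key)

    # A modified image (a few bytes changed) carrying the original signature.
    modded = official.replace(b"v1.0", b"v1.1")

    # The official image re-signed with a different (community) key.
    _other_pub, other_priv = keygen(1000037, 1000039)
    community_sig = sign_image(official, other_priv)

    return {
        "official_boots": device.boot(official, official_sig),
        "modded_boots": device.boot(modded, official_sig),
        "community_key_boots": device.boot(official, community_sig),
        "years_1024_bit": naive_search_years(1024),
        "universe_age_years": 15 * 10**9,  # ~1.5 * 10^10, as quoted above
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The search estimate comes out far larger than the comment's 10^55 years because the thread never states which key size that comment assumed; the conclusion that enumeration is hopeless holds either way.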
I picked this XT720 phone over the iPhone as it will be better with the open source community doing new techy things I will learn and enjoy, the best we can ever have in a phone. Motorola did try to diminish the impact of the product with the poor upgrade support. I was thinking of selling my phone (as most of us did think before Dexter, the man behind the rescue operation and the best of this community). Now I must say it has much better response, satisfaction and relief. This new news has now pumped up everything so that we are going to be the best in this competition. I think the only thing we have to look for is an alternative for the front camera (something like a USB camera attachment or something like that... maybe silly of me, I am dreaming) and this will be the best product in the line. Love you people for making my wrong decision worth it. Cheers to my XT720 community.
Thanks to all who joined hands for the better:
@Mio: Indeed. Btw, number 3 or 4 is already solved by booting a ROM via 2nd init. That is what ROM-bakers do on the Milestone 2 and the Defy. We could do that too.
We need a top notch developer to crack this bootloader, that's it.
Sent from my HTC Vision using XDA Premium App

[Q] Why does asus want to break our root?

Been thinking about this for a while. It's understandable with phones. Companies don't want you to tether and not pay them that extra $40 fee per month. But why does a company like Asus want to break our root? What possible advantage could it bring to them for not allowing us root? I just don't get it.
The only reason I can think of, people modifying their tablet then sending it in for ASUS to replace when they brick it.
It's people like these that don't take the time to ask questions and Google for answers. It's a user's responsibility to know exactly what they are getting into when they decide to modify their device.
Beamed from my TF101 using Tapatalk HD
The question is why did Asus decide to unlock the Transformer Prime (after all the web initiatives) very soon, and is not doing it for the Transformer (TF101)?
The main reason for wanting consumers to not root their tablets is for things like watching movies from the Android market which will not work on a rooted tablet. I still don't agree with it, as long as we the consumer understand and still want our devices rooted, then companies like Asus should allow this and stop making it hard. The average person not on XDA doesn't even know what rooting is, so why make it difficult for people who like to tinker with hardware that we paid good money for.
I think HTC has it right, if you want to unlock your bootloader they let you do it on their website. Let Asus know that we want this too. Personally I won't buy a phone or tablet without being able to root it. I don't buy phones on contract and want to do what I please with them. I have been using HTC phones for many years because they have always been XDA friendly
As long as we have the ability to have nvflashable ROMs then we don't have to worry about bricking our devices so Asus shouldn't have to worry about things like that either. Cheers.
ckuke4 said:
The main reason for wanting consumers to not root their tablets is for things like watching movies from the Android market which will not work on a rooted tablet.
I completely forgot about this.
In which case, we can now thank the Media MAFIAA for it.
raduque said:
I completely forgot about this.
In which case, we can now thank the Media MAFIAA for it.
Guess I should mention that there is a way around this but I haven't tried it as I watch market movies on my HTPC. Cheers.
Another issue has also been raised by the Win8 boot locking crapola. Namely maliciousness.
If only one entity can screw with the firmware, it is harder for e.g. a virus to screw with it, hopefully becomes almost as hard as loading home brew firmware. Imagine Moron20X installing Hot Naked Chix off PirateMarket, and it flashes hacked firmware with a keylogger onto their tablet - then have your "Support" people sweet talk Moron20X into a factory reset, and steal all his logins. Wouldn't work for a lot of people but hell, just look at how many people must fall for Nigerian e-mail scams and Western Union Screw Overs per capita if Wikipedia has such a thick article on 419 scams.
My word...I don't want to think about how many times my mother has brought me something and asked if it was 'legit', with an American address and a Canadian cheque. \o/.
Truth is though, unless these things are really owned by someone else (like say your company), users should have the choice. IMHO it's good for business to lock this stuff, as long as you can like input your SN and get an unlock for a nominal fee.
Sent from my Transformer Prime TF201 using Tapatalk
ckuke4 said:
The main reason for wanting consumers to not root their tablets is for things like watching movies from the Android market which will not work on a rooted tablet.
This is a false statement, at least in my recourse it's bogus. I've watched "The Christmas Story" on my ROOTED TF101 and I've let my daughter watch a couple of Disney movies.
I will say that it breaks HDMI mirroring when I try to watch something via the market on my TV, but I can watch the movie on my tablet.
Spidey01 said:
Another issue has also been raised by the Win8 boot locking crapola. Namely maliciousness.
If only one entity can screw with the firmware, it is harder for e.g. a virus to screw with it, hopefully becomes almost as hard as loading home brew firmware. Imagine Moron20X installing Hot Naked Chix off PirateMarket, and it flashes hacked firmware with a keylogger onto their tablet - then have your "Support" people sweet talk Moron20X into a factory reset, and steal all his logins. Wouldn't work for a lot of people but hell, just look at how many people must fall for Nigerian e-mail scams and Western Union Screw Overs per capita if Wikipedia has such a thick article on 419 scams.
My word...I don't want to think about how many times my mother has brought me something and asked if it was 'legit', with an American address and a Canadian cheque. \o/.
Truth is though, unless these things are really owned by someone else (like say your company), users should have the choice. IMHO it's good for business to lock this stuff, as long as you can like input your SN and get an unlock for a nominal fee.
Sent from my Transformer Prime TF201 using Tapatalk
This is pretty much it, as far as I can tell. As the original post said, carriers have obvious interests (whether or not I agree with them) in maintaining control of your phone. But we want our tablets, which aren't bound to a contract with a service provider in order to function, to be more like our Windows PCs - largely under our complete control.
Which is understandable. And I feel the same way. But then, you know full well how secure Windows is[n't]. Android has a great track record so far with preventing malware and viruses from getting out into the wild in a big way, and the manufacturers probably feel that locked bootloaders and root restriction is the reason. I'm not certain I agree - Android has some good safeguards that go way beyond root - but whatever.
Ultimately, it's about user behavior. My Windows computer doesn't get viruses, because I know how to prevent that. But your average user doesn't, and when you connect a compromised computer (or tablet, or whatever) to the Internet, it endangers everyone, responsible and irresponsible alike.
Ultimately I don't agree with the top-down control imposed by Asus and the rest of the manufacturers, but from that perspective I guess it makes sense.
It's MAFIAA mostly. Asus even admitted it - saying it's because of DRM. If they can push ACTA in my country with such force our Prime Minister ignores massive demonstrations (something very uncommon in Poland) in -20 Celsius why wouldn't they push for closing up devices so they can "protect" their movies. It's because of Netflix and such - which doesn't even work outside US.

Be aware they know when you've been bad or good.

Before the JB update I sent an email to Asus asking a few questions. They promise a reply within 48 hrs. 10 days later I got a response, which is actually faster than the last time. They did not answer my questions; they did, however, inform me I was unlocked. They did direct me to some info which I didn't bother with.
I was not unlocked at the time of the email, and the only reason I unlocked was all the problems I was having with the JB update. I was only able to update and remain rooted through the help of the many good people on XDA.
I don't tell these people thank you enough. Big shout out to the people of XDA.
If you don't want Asus to know, you have to keep the modem off until you remove the programs that send info to Asus. Please post names, I forgot them.
I tried to, but info got out anyway.
Woody
Sent from my ASUS Transformer Pad TF700T using Tapatalk 2
Kind of scary...
You can't unlock while not connected to the internet. The software checks in with their servers to do the unlock, so of course they know.
woodsonmh said:
Before the JB update I sent an email to Asus asking a few questions. They promise a reply within 48 hrs. 10 days later I got a response, which is actually faster than the last time. They did not answer my questions; they did, however, inform me I was unlocked. They did direct me to some info which I didn't bother with.
I was not unlocked at the time of the email, and the only reason I unlocked was all the problems I was having with the JB update. I was only able to update and remain rooted through the help of the many good people on XDA.
I don't tell these people thank you enough. Big shout out to the people of XDA.
If you don't want Asus to know, you have to keep the modem off until you remove the programs that send info to Asus. Please post names, I forgot them.
I tried to, but info got out anyway.
Woody
Sent from my ASUS Transformer Pad TF700T using Tapatalk 2
As was said above the unlock tool HAS to verify with ASUS before unlocking your device. It sends ASUS a copy of your tabs S/N so that ASUS knows to no longer offer warranty services. What happened was they didn't get to your email until after the unlock, and when they pulled up the S/N on your email it flagged as unlocked device. I have not heard of anyone unlocking and ASUS not knowing.
Isn't this akin to contacting Apple support with a jailbroken iPad?
Eh, I'm okay with burning my warranty because of unlocking. It says multiple times, and in big letters, that you'll no longer be covered under their manufacturers warranty if you choose to unlock it. This really makes sense from a business standpoint, because there is a lot you can do to this tablet once it's unlocked, and a good chance of bricking. They don't want to devote the time or the money to support everything that can go wrong when you start flashing 3rd party roms, so they cut it out entirely.
Does it suck? Sure. Unlocking voids warranties on every phone though, just many manufacturers don't notice or take it in to account. Also, there have been accounts of people still getting service on their device even when it has been unlocked.
I like to think of it like this: I buy a car that has a highly customizable computer (timing, fuel mix, etc). This is fine, but I want more acute control of the settings, so I buy a mod chip to stick on there to gain low level access to settings that weren't necessarily designed to be modified outside their norms, even though the engine can take the modifications. In the process of tweaking the timing, I totally burn out the engine. Should I expect the manufacturer to fix my car now, since I just bought it? No, it was my fault it broke.
I realize that this is an analogy that falls short in many places. Android is, of course, FOSS, but it is designed to run on embedded systems. More and more these tablets and phones are given hardware more akin to an actual computer, so maybe the mindset of manufacturers should shift away from an embedded system and more to computers, but we're not there yet.
I haven't had a situation where I had to send in one of my unlocked Android devices for a software bricking, but I imagine most manufacturers will send it right back if they see that I unlocked it. Essentially Asus is cutting out that step by recording the serial number upon unlock. It's pretty big-brotherish, but they're not actively monitoring the information on our device. There was/is a big controversy over DMClient having access to all our information, but you can see exactly what information it is by going to devicetracker.asus.com (Note: Don't create an account if you don't want your information reported).
I'm sorry this has gotten a bit TL/DR. None of us like the idea of being punished for doing something we think should be a given Android right. It's important to keep in mind though that we're buying an Asus device running Android, not a Nexus device (regardless of the manufacturer). Asus reserves the right to provide any warranty they please, they're selling us this device after all. If you don't like their methods, they're well documented by now, maybe you should look in to another device. Asus doesn't care about you, or your information, they care about the products they're making and selling, and they'll support that product in any way they see fit. This isn't apologetic, this is just how it is.
Sent from my ASUS Transformer Pad TF700T using XDA Premium HD app
I was a little surprised this came up so fast. I could understand checking on a return, but an email? Another thing they had to do is cross-reference my email. I gave them no tablet info. I am registered. I'll use a different email next time.
I understood the risks when I did it and had pretty much decided root was enough. If I hadn't had such a hassle upgrading, who knows. Now I'm glad I did. Having a great time with Clean ROM.
Woody
Sent from my ASUS Transformer Pad TF700T using Tapatalk 2
the_game_master said:
Isn't this akin to contacting Apple support with a jailbroken iPad?
Seems more like contacting Apple and, because it's been 10 days, you jailbreak it and then they respond 'duh! you're jailbroken!'
sent from LG optimus s (republic wireless) on tapatalk

[Want To "Buy"] Samsung's knox signing cert/key...

With the signing key or certificate we could just sign our own kernels and wave knox goodbye while keeping the warranty, right?
Can't this be cracked somehow? or maybe someone from samsung is nice and leaks? =)
I sooo want to get rid of knox completely but don't dare to purposely trip the flag yet....
I think the only way to succeed would be to be able to sign our own kernels for knox or find some other exploit to break out of the boundaries of selinux enforcing mode. (or to get this thing turned off..)
But to run custom recoveries and kernels without tripping knox we'd still need to be able to sign those.
---
One time, cmon!
EDIT: Ohh forgot to say that I would put 20$ into the "samsung knox root cert leak fund" - maybe we can get smth started hehe
(like in the thread where people collect for a method to restore knox to 0x0..just with a lil different approach *evilgrin*)
You don't "crack" digital signatures like this, you'll be at that until the end of time. You're also not going to get some Samsung employee selling it, either, because the only people that have access to this stuff will be higher-ups getting paid a lot more than this bounty will ever reach. Not just that but it's not worth being blacklisted from the entire industry.
neoKushan said:
You don't "crack" digital signatures like this, you'll be at that until the end of time. You're also not going to get some Samsung employee selling it, either, because the only people that have access to this stuff will be higher-ups getting paid a lot more than this bounty will ever reach. Not just that but it's not worth being blacklisted from the entire industry.
Tell that to Sony or the movie industry, Microsoft, DirecTV, Bell, Dishnet.
Sent from my Telus SM900N-W8 via XDA Premium App
JohnnyRebel said:
Tell that to Sony or the movie industry.
Sent from my Telus SM900N-W8 via XDA Premium App
Sony failed at their implementation of RSA, I very much doubt Samsung has made the same mistake. As for the HDCP leak (I presume that's what you're referring to), that was reversed through a weakness in the algorithm. RSA has no such weakness if done correctly.
neoKushan said:
Sony failed at their implementation of RSA, I very much doubt Samsung has made the same mistake. As for the HDCP leak (I presume that's what you're referring to), that was reversed through a weakness in the algorithm. RSA has no such weakness if done correctly.
You know your stuff better than me, but I'm praying you're not right. No offense, but I'm trying to remain the optimist. Everything man-made can be broken. I like to think with time a way will be found to fake or mimic the signature. Obviously if that day comes Knox will probably long since have been compromised. Since this is their first implementation of Knox I'm sure there are flaws that hopefully get stumbled across. I'll be more worried about Knox 2. The only thing that might stop man from trying would be if Samsung proved it irrelevant. E.g. honoring the warranty with Knox tripped, or resetting Knox for a small fee.
Sent from my Telus SM900N-W8 via XDA Premium App
JohnnyRebel said:
You know your stuff better than me, but I'm praying you're not right. No offense, but I'm trying to remain the optimist. Everything man-made can be broken. I like to think with time a way will be found to fake or mimic the signature. Obviously if that day comes Knox will probably have long since been compromised. Since this is their first implementation of Knox I'm sure there are flaws that hopefully get stumbled across. I'll be more worried about Knox 2. The only thing that might stop man from trying would be if Samsung proved it irrelevant, e.g. honoring the warranty with Knox tripped, or resetting Knox for a small fee.
Sent from my Telus SM900N-W8 via XDA Premium App
Oh don't get me wrong, I firmly believe that nearly anything can be hacked given enough time. I would be surprised if Knox is still an issue 6 months from now, I just don't think we'll see the RSA key signature for it any time soon. I'm hoping we'll just find a way to reset it, or at least stop it from being tripped in the first place. The good news is that it would appear to NOT be a hardware efuse of any kind, so keep those fingers crossed.
neoKushan said:
Oh don't get me wrong, I firmly believe that nearly anything can be hacked given enough time. I would be surprised if Knox is still an issue 6 months from now, I just don't think we'll see the RSA key signature for it any time soon. I'm hoping we'll just find a way to reset it, or at least stop it from being tripped in the first place. The good news is that it would appear to NOT be a hardware efuse of any kind, so keep those fingers crossed.
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048-bit key with a traditional desktop (2.2 GHz CPU) would take roughly 1.5 million years. I am not sure how strong Samsung's key is, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computers will reduce that to something that is very manageable, but we are not anywhere close. And the nature of quantum computing is that you will never get a 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but it still has a chance of not being 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Meanee said:
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048-bit key with a traditional desktop (2.2 GHz CPU) would take roughly 1.5 million years. I am not sure how strong Samsung's key is, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computers will reduce that to something that is very manageable, but we are not anywhere close. And the nature of quantum computing is that you will never get a 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but it still has a chance of not being 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Sorry, I know you're trying to be helpful, but I don't think you've read the whole of my post, or indeed the previous post I made on the subject (second post in this thread). There is also an important distinction between "hacking" something and just brute forcing something as well. By "hacking" RSA, I'm really talking about finding a weakness in the algorithm that either allows derivations of the key or much faster brute forcing. Still, a lot of research has gone into this and although RSA is beginning to be considered insecure, it's not quite utterly broken yet for large keys (2048bit and above), but large keys are too computationally intensive. That's assuming RSA is in play here, it could equally be ECC and in that case, we're definitely ****ed.
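Added illustration (editor's example, not code from any poster or from Samsung): the toy below puts the two points above into runnable form. Meanee's "unless it's a really crappy implementation, or you manage to get a hold of the private key" becomes a boot-ROM style check that accepts a genuine image and rejects a modified one with the old signature; neoKushan's distinction between a weakness and raw brute force becomes a key-recovery step that factors the modulus with Pollard's rho, which is instant for the deliberately tiny 64-bit key used here and hopeless at real sizes. Everything in it is constructed: the two 32-bit primes, the "firmware" bytes, and the truncated SHA-256 digest that stands in for the PKCS#1 padding a real verifier would use. The last function is only the asymptotic number-field-sieve cost estimate with the o(1) term dropped, not a claim about any specific hardware.

```python
"""Toy secure-boot signature check with a deliberately factorable key.

Editor's example. Key material and firmware bytes are constructed; the
digest truncation stands in for PKCS#1 padding. Nothing here is Samsung's.
"""
import hashlib
import math
from typing import Tuple

PubKey = Tuple[int, int]  # (n, e)

# Constructed toy key: the two largest primes below 2**32. A real RSA-2048
# signing key uses two ~1024-bit primes; the algorithm below is identical.
P = 4294967291
Q = 4294967279
E = 65537

# Constructed "firmware image" and a modified copy of it.
FIRMWARE = b"BOOTLOADER v1.0 verify=on " + bytes(range(64))
TAMPERED = FIRMWARE.replace(b"verify=on", b"verify=off")


def keygen(p: int, q: int, e: int = E) -> Tuple[PubKey, int]:
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), d


def image_digest(image: bytes, n: int) -> int:
    """SHA-256 the image, truncated to 56 bits so that m < n for the toy modulus.

    A real verifier applies PKCS#1 v1.5 or PSS encoding here instead of truncating.
    """
    m = int.from_bytes(hashlib.sha256(image).digest()[:7], "big")
    assert m < n
    return m


def sign(d: int, pub: PubKey, image: bytes) -> int:
    """Vendor side: s = m^d mod n. Requires the private exponent d."""
    n, _ = pub
    return pow(image_digest(image, n), d, n)


def verify(pub: PubKey, image: bytes, sig: int) -> bool:
    """Boot ROM side: recompute the digest and check s^e == m (mod n)."""
    n, e = pub
    return pow(sig, e, n) == image_digest(image, n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of n (Pollard's rho with Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):  # retry with a new polynomial if a cycle degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ArithmeticError("rho did not find a factor")


def recover_private_key(pub: PubKey) -> int:
    """The attacker's 'crack': factor n, then derive d exactly as keygen did."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def gnfs_log2_work(bits: int) -> float:
    """Asymptotic GNFS cost L_n[1/3, (64/9)^(1/3)] expressed in bits, o(1) dropped."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def demo() -> dict:
    pub, d = keygen(P, Q)
    sig = sign(d, pub, FIRMWARE)
    result = {
        "genuine_image_verifies": verify(pub, FIRMWARE, sig),
        # Brute force in the thread's sense: reuse the old signature on a changed image.
        "tampered_image_with_old_sig": verify(pub, TAMPERED, sig),
    }
    # The weakness: a 64-bit modulus factors instantly, so d is recoverable.
    d_recovered = recover_private_key(pub)
    result["recovered_key_matches"] = d_recovered == d
    result["tampered_image_with_forged_sig"] = verify(
        pub, TAMPERED, sign(d_recovered, pub, TAMPERED)
    )
    result["gnfs_bits_1024"] = round(gnfs_log2_work(1024))
    result["gnfs_bits_2048"] = round(gnfs_log2_work(2048))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the genuine image passing, the modified image failing with the old signature, and then passing once the attacker has factored the toy modulus and re-signed it. The two cost estimates (about 2^87 operations for 1024-bit, about 2^117 for 2048-bit) are why that last step does not generalise: Pollard's rho above runs in roughly sqrt(p) steps, which is 2^16 for this key and 2^512 for a real one.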
Meanee said:
Yes, your belief is correct, the "enough time" is true, but...
To crack a 2048-bit key with a traditional desktop (2.2 GHz CPU) would take roughly 1.5 million years. I am not sure how strong Samsung's key is, but it is going to be way out of our life expectancy to crack anything like that.
The development of quantum computers will reduce that to something that is very manageable, but we are not anywhere close. And the nature of quantum computing is that you will never get a 100% correct answer. It will be the best guess (I am WAAAAAAAAAAY over-simplifying this), but it still has a chance of not being 100% correct.
Long story short, unless it's a really crappy implementation, or you manage to get a hold of the private key, you ain't going anywhere. Sorry
Tbh that's actually a very good example of explaining quantum computing - though unless anyone has 6 months' exclusive access to a multi-million/billion dollar quantum computer, I think you guys can pretty much rule out either a cracked code or a key being leaked. These private keys are literally the one thing a developer or OEM never, ever wants to be leaked, as with it you can sign firmware and do untold mischief. I honestly wouldn't be at all surprised if only one or two Samsung employees have access to this key.
IMO you're probably much better off going down the usual exploit route of finding a security flaw and exploiting it.
Jonny said:
Tbh that's actually a very good example of explaining quantum computing - though unless anyone has 6 months' exclusive access to a multi-million/billion dollar quantum computer, I think you guys can pretty much rule out either a cracked code or a key being leaked. These private keys are literally the one thing a developer or OEM never, ever wants to be leaked, as with it you can sign firmware and do untold mischief. I honestly wouldn't be at all surprised if only one or two Samsung employees have access to this key.
IMO you're probably much better off going down the usual exploit route of finding a security flaw and exploiting it.
Back closer to topic a little (though this is interesting!)... in the Knox white paper, Samsung states that it's possible to change the root key on the phone that establishes the whole downstream chain of trust (boot loader, kernel, ...). Apparently this is a legal/security requirement for certain government agencies, but whatever the reason, there is a protocol in place to get one's own root CA cert signed by Samsung and then have that installed at the root level of the phone. Samsung is pretty explicit in saying that this means you will need to roll all of the system software yourself, so I think they really do mean the key used at the lowest level we would care about.
I've idly thought of writing Samsung with complaints about how Knox interferes with some normal operation of the phone, and ask them to either sign a key I can use to install a development FW, or provide a properly signed dev FW, or at least provide a method for hooking and controlling the Knox/SEAndroid subsystem. I realize the likelihood of success is low, but could it really hurt to ask?