Hi,
While going around this forum, i saw a lot that people where claiming that an unlocked phone had it's data fully secure if it was encrypted. Is it actually the case ?
From what i understand, a phone isn't encrypted with your pin code / password. It first generates keys, encrypts the phone with them, and then cyphers these keys using your code. The keys are then stored in a special partition of the phone's memory.
(And thus, if the phone needs be wiped, either remotely or because of too many failed attempts, it just deletes this partition)
Normally, it would be impossible to brute force a lock screen, since the phone will prevent more than ~ 15 attempts. However, with an unlocked device, couldn't an attacker with sufficient knowledge of the hardware be able to use the ability to flash custom boot images / roms to access these keys, and brute force them, bypassing the lock screen ? A sufficiently powerful computer could be able to brute force a 4, 6 or even 10 digits AES key in hours, if not minutes.
So :
1) Is this correct, and how the android encryption works ?
2) if it is, is there any device specific protections to prevent that ?
3) is there any ways to counterbalance that threat with an unlocked device, other than setting a 10 characters password ?
Thank you.
Short answer:
If phone's bootloader is unlocked, someone could take your phone, flash a malicious ROM that contains keystroke loggers or something, and then return the phone to you and wait for you to type your PIN or decryption password. It'd be better to keep the bootloader locked whenever you don't actually need to flash things via Fastboot.
xXx yYy said:
It'd be better to keep the bootloader locked whenever you don't actually need to flash things via Fastboot.
Click to expand...
Click to collapse
I guess this wanders into device specificness, but, at least for my device, pixel 6a, i read that you should never re-lock a bootloader without a completely stock firmware / boot image. So, how can you protect your bootloader while keeping your phone rooted ?
What has a device's bootloader to do with device's Android OS ? Nothing!
xXx yYy said:
What has a device's bootloader to do with device's Android OS ? Nothing!
Click to expand...
Click to collapse
The lockability of the bootloader depends on the signing of the OS!?
you are right. do not lock bootloader on pixel devices. imagine device is fully stock and locked, now some OTA brick device and recovery mode not able to unbrick by sideloading full OTA image - this is nightmare. google's solution is to RMA device, they do not provide any flash tool other than fastboot or WebUSB flash tool (via adb lol)
on the other hand, encryption is secured against bruteforce by gatekeeper (in TEE). as long as your device is powered off your data remains encrypted, unless you decrypt with credentials (we won't talk about the .dismiss() bug on decrypted devices)
Related
Does android/S7 have anything equivalent to apples find my phone which effectively turns it into a brick when stolen? If so, how?
In the Google app settings there is a phone finding service you can activate, and some CSCs have "Find my mobile" which allows you to remote wipe / brick etc
but does this stop the device from being wiped if stolen and activating like apples activation lock does?
lofty5 said:
but does this stop the device from being wiped if stolen and activating like apples activation lock does?
Click to expand...
Click to collapse
Yes, provided you keep the bootloader locked.
EDIT: Technical term is FRP(Factory reset protection), and it's tied to the Google account used to set up the device
This is what i was thinking, that the boot loader has to be locked in order to do this. would keeping the phone rooted be an option or make it insecure?
Could i do this on a region that isn't my csc without bricking the phone? I'm pretty sure that as long as the source files are stock samsung any region should work. Can download mode be protected?
I'm currently backing up my device after which i am enabling all the security options and am going to try to hack into the phone to see if its worth doing or not. If it can be broken easily id rather keep it unprotected for convenience, but if i can protect the phone I'd rather do this as i lost my phone a couple of years ago and there was no protection on it at all nor on the sd card, which sucked.
bump
Root almost always requires a modified boot image which will immediately be blocked by a relocked bootloader. So root and FRP cannot coexist as they counteract each other. FRP itself is not CSC locked, only the remote control features. There are ways around it but they are mostly only present in older firmware, which is blocked by bootloader downgrade fuses. So yeah, pretty unbreakable if the device remains full Knox stock.
Hint: anything confidential should never be stored on the external card, or should be encrypted if it is (eg. Turn on encryption in titanium backup). Internal memory is always encrypted on stock firmware.
Edit: Download would work as usual. So basically what would happen is if a malicious firmware was flashed the bootloader will block it at boot and trip the Knox fuse, essentially burning all data on the device. If the crooks are smart they can still make use of the device, but most aren't so you should be safe
I'm using Cerberus, it can disable the shutdown/reboot menu on the lockscreen.
CurtisMJ said:
Root almost always requires a modified boot image which will immediately be blocked by a relocked bootloader. So root and FRP cannot coexist as they counteract each other. FRP itself is not CSC locked, only the remote control features. There are ways around it but they are mostly only present in older firmware, which is blocked by bootloader downgrade fuses. So yeah, pretty unbreakable if the device remains full Knox stock.
Hint: anything confidential should never be stored on the external card, or should be encrypted if it is (eg. Turn on encryption in titanium backup). Internal memory is always encrypted on stock firmware.
Edit: Download would work as usual. So basically what would happen is if a malicious firmware was flashed the bootloader will block it at boot and trip the Knox fuse, essentially burning all data on the device. If the crooks are smart they can still make use of the device, but most aren't so you should be safe
Click to expand...
Click to collapse
I had it rooted last night with magisk and boot loader locked, however it did refuse to boot due to modification and frp locked after a factory reset, but worked fine prior to this.
is it not worth doing if not fully knox stock?
I only really use root these days for titanium backup and perhaps ad blocking.
How difficult is it for a hacker to get back into the phone, I mean iPhones are practically impossible to get back into if on the latest firmware.
Blacky25 said:
I'm using Cerberus, it can disable the shutdown/reboot menu on the lockscreen.
Click to expand...
Click to collapse
is your boot loader locked and rooted?
lofty5 said:
is your boot loader locked and rooted?
Click to expand...
Click to collapse
Yes it is, I know it is also possible to delete everything but when I really loose my phone I will hope that people without the knowledge find my phone.
lofty5 said:
I had it rooted last night with magisk and boot loader locked, however it did refuse to boot due to modification and frp locked after a factory reset, but worked fine prior to this.
is it not worth doing if not fully knox stock?
I only really use root these days for titanium backup and perhaps ad blocking.
How difficult is it for a hacker to get back into the phone, I mean iPhones are practically impossible to get back into if on the latest firmware.
Click to expand...
Click to collapse
About as difficult as an iPhone to crack provided it's on latest firmware with a locked bootloader, even preventing reuse. FRP remains fully operational irregardless of Knox warranty status. It's possible to keep encryption while rooting (though this depends on strictly "close to stock" firmware, specifically by using a stock kernel binary. Ramdisk mods like Magisk or SuperSU are fine) to retain the data protection so thieves wont be able to deduce anything about you, but as long as the bootloader is unlocked a thief could always just wipe and reuse the device.
CurtisMJ said:
About as difficult as an iPhone to crack provided it's on latest firmware with a locked bootloader, even preventing reuse. FRP remains fully operational irregardless of Knox warranty status. It's possible to keep encryption while rooting (though this depends on strictly "close to stock" firmware, specifically by using a stock kernel binary. Ramdisk mods like Magisk or SuperSU are fine) to retain the data protection so thieves wont be able to deduce anything about you, but as long as the bootloader is unlocked a thief could always just wipe and reuse the device.
Click to expand...
Click to collapse
I am now back to full stock with no root. It’s not the same now as when i first started rooting back on the arc s, back then you could literally do nothing without it, things so basic such as a firewall. I only at this minute have one issue.
How in god’s name do you do a full backup of apps WITH data. I have helium but it refuses to backup most of them, it’s not a big deal now as i have re-setup the programs it wasn't compatible with. However, it would be handy to know for future reference, is there anything that can do a full backup with app data that doesn’t require root? If not, never mind I guess.
lofty5 said:
How in god’s name do you do a full backup of apps WITH data. I have helium but it refuses to backup most of them, it’s not a big deal now as i have re-setup the programs it wasn't compatible with. However, it would be handy to know for future reference, is there anything that can do a full backup with app data that doesn’t require root? If not, never mind I guess.
Click to expand...
Click to collapse
Not quite sure as I've always been rooted. Kies or Google Cloud Sync might be sufficient?
CurtisMJ said:
Not quite sure as I've always been rooted. Kies or Google Cloud Sync might be sufficient?
Click to expand...
Click to collapse
is the latest s7 fw protected against this attack?
https://forum.xda-developers.com/sa...galaxy-on5-metropcs-sm-g550t1-t3439557/page13
and root junkies hack?
lofty5 said:
is the latest s7 fw protected against this attack?
https://forum.xda-developers.com/sa...galaxy-on5-metropcs-sm-g550t1-t3439557/page13
and root junkies hack?
Click to expand...
Click to collapse
Only one way to find out An easy way to test would be to see if the phone responds to the USB command to dial the number, so no need to reset to check.
I just unlocked the bootloader to install twrp and maybe magisk i wanted to also try the Android P dev preview. but i know having a unlocked bootloader is a security risk also your get that warnign message at boot which makes booting up longer,is there a way to lock and unlock without losing data if im root.
Unlocking and locking wipes all data by design.
Telperion said:
Unlocking and locking wipes all data by design.
Click to expand...
Click to collapse
Is there a way to make the device secure with it having a unlocked bootloader?
With an unlocked bootloader, anyone can install a factory image, which wipes all your locks and your google account (and, therefore, defeats FRP), which is what makes it insecure. The only way to avoid that is to have a locked bootloader (and USB debugging off). (And I've seen reports here that unlocking the bootloader, installing TWRP and Magisk, then locking the bootloader, results in a hard brick (meaning buying another phone, because Google won't replace it)
Run with the unlocked booloader, don't ever leave the phone off your person and have "insurance" that replaces stolen (and possibly lost) phones.
XDA today published an article about a vulnerability in the OnePlus 6 bootloader that allows the booting of a custom boot.img image without unlocking the bootloader. This is of course a huge security risk but I'm sure OnePlus will patch it in an upcoming update. In the mean time, let's have some fun!
Back in the good old days of the Nexus 4, it was possible to install an app that would write boot config data to the device from userland, with root, to toggle the bootloader between the locked and unlocked states. The object of this post? Do this as a community for the OnePlus 6!
Why do this?
There are two major gains to being able to do this:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Netflix HD: Widevine L1 keys aren't accessible when the Bootloader is unlocked. This way, we may be able to get our Widevine keys accessible again to get HD Netflix with root
I attempted to reverse some of the bootloader on my own a few weeks back but didn't have much luck. With this vulnerability, my thoughts are that we could dump the data partitions with a locked device (that is exploited using this trick) and compare them with an unlocked device. This might give us the magic data that the bootloader uses to determine whether a device is locked or unlocked. Then, in theory, we should be able to toggle this data from userland. The only caveat to this is that I don't know whether the unlock state is stored somewhere in the TrustZone or if it is written to the flash like they did back in the Nexus days.
I honestly have no idea whether this will work, but surely it's worth a shot? Just for reference, I recommend we look at diffing following partitions before and after locking:
param
sec
sti
ssd
frp
config
misc
We should also, to ensure there is no confusion, stick to OOS 5.1.5 stock + Magisk for root. Images of the above partitions can be obtained using dd.
If anybody has any further tips on bootloaders that either proves that this won't work, or perhaps can suggest other places this lock data could be stored, please do let me know!
NB: getting this data will involve at least one full data wipe of the phone so it might take time to dump the data, switch lock state then dump it again.
I also strongly suspect that we might hit the issue of Android Verified Boot noticing that the device is locked (but has a modified boot image when rooted). This would depend on whether the Android security checks are implemented as per the Android Verified Boot specification.
Who's in?
Couldn't you just hide Netflix HD from root detection in Magisk?
dgunn said:
Couldn't you just hide Netflix HD from root detection in Magisk?
Click to expand...
Click to collapse
No. With an unlocked bootloader the device is switched to Widevine level 3 instead of level 1. This means no HD playback in Netflix (and I believe Amazon) regardless of Magisk hide status. This may be the new normal for all unlocked devices with the Qualcomm SD 845 or newer.
blackthund3r;76765953[* said:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Click to expand...
Click to collapse
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
RusherDude said:
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
Click to expand...
Click to collapse
Well, I can confirm that with SafetyNet test passing, and Magisk hide enabled for Netflix, I can not get HD streaming.
This is highly interesting. I will be following that threat constantly. Thanks for opening that discussion.
So does this vulnerability allow flashing or booting of TWRP through fastboot without unlocking the bootloader. I am interested in keeping Netflix HD and gaining root access, but don't want to brick the device. I know that under normal circumstances you always unlock the bootloader before flashing any mods, but was curious of some devs thoughts on it.
Interesting read. You can root the device without unlocked bootloader
https://www.androidcentral.com/oneplus-6-bootloader-vulnerability-lets-anyone-access-your-phone?amp
the question is can we keep opened this feature and force to be opened.
Unfortunately oneplus bootloader doesn‘t support EIO mode,so it can't be boot if anything modified.
akaHardison said:
Unfortunately oneplus bootloader doesn‘t support EIO mode,so it can't be boot if anything modified.
Click to expand...
Click to collapse
Not true booted a magisk patched boot image and installed some modules
Is there Maby another methode to root hold safety net for widevine lv3
---------- Post added at 06:28 PM ---------- Previous post was at 06:23 PM ----------
joemossjr said:
Not true booted a magisk patched boot image and installed some modules
Click to expand...
Click to collapse
And did you also installed magisk to the boot img?!
Widevine L1 + V4A would make me very happy. Perhaps we should add a financial incentive like a bug bounty? I would certainly contribute some loot for this noble cause!
Since some people with OP5s and OP5Ts sent there phone to OP for L1 with the bootloader unlocked, I wonder if OP would consider offering a similar service. Even if it wasn't completely free I would probably do it unless it required re-locking the bootloader...
Upto this point, what I understand is that the OEMs hold keys that they use to sign the binaries as trusted such that only what they sign will be accepted and rest others will be rejected. Well, some devices I see can simply unlock using fastboot flashing unlock command when OEM Unlocking option is turned on in developers mode, however, some devices such as the ones from Xiaomi require their own special software to unlock the bootloader which they say is to prevent attackers from stealing the phone data. Well, one can easily flash firmware from Xiaomi without unlocking the bootloader. How do they do that? Does their proprietay software use some kind of keys that sign the firmware files? If so, do you know if it would be possible to replace the keys they use to sign.
Android's user data at any time can get stolen by hackers: here it doesn't matter whether device's bootloader is locked or unlocked.
Most of the Android devices comes to the market with a locked bootloader. Locking the bootloader is actually a kind of encryption of the Android system files. OEMs / carriers do so to keep the OS unaltered by the users. And this for good reasons, IMO. One have to respect
that their devices will be restricted to running software ROMs provided only by them.
To re-flash a phone's Stock ROM phone's bootloader must not be unlocked, because the OS is the original one , means not altered in any way by user.
I see that I can add user-settable root of trust to the bootloader so I can set custom secure boot keys like PCs at https://source.android.com/docs/security/features/verifiedboot/device-state , so I think I can use a user modified init_boot image (including the magisk patched one) by signing it with my own keypair.
Also, I know that some manufacturers require 7 days for new devices to be unlocked (like Xiaomi) or do not allow user unlock at all. However, authorized repairers can flash signed factory system images without unlocking it. I guess it is implemented by internal (read-only) root of trust. But can I do this with user-settable root of trust part so I can become authorized repairer to my own device?
P.S. I am using a bootloader-unlocked Pixel 4 XL as my major phone now. I have bought a Pixel 7 Pro but not yet switched to it. I am looking for a method to take both security and scalability into account.
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentification - EDL-mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
s3axel said:
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentification - EDL-mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
Click to expand...
Click to collapse
The reason why I am aiming for a re-locked bootloader is that everyone can flash a modified image at bootloader. An evil maid or cop may be able to flash a trojan boot image when I am not with my phone.