[WORK IN PROGRESS] Unlocking Motorola Defy Mini XT320 and Fire XT530 bootloader

rootdefyxt320

Senior Member
Oct 4, 2012
488
440
Sydney, NSW
I've recently read on how Dan Rosenberg unlocked the bootloader on Motorola Phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Chipset Specification:
Motorola Fire XT530 - Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
Motorola Defy Mini XT320 - Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

I have decided to combine the unlocking of the Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place, as there are more experienced C++ developers among Motorola Fire XT530 users than among Defy Mini XT320 users, so we can help each other.

I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
Now it requires the work of using Interactive Disassembler to locate the QFuse addresses, but unfortunately I don't know how to use it, so I can't disassemble appsbootsec.mbn.
@djrbliss if you have time to read this thread and help us users to try and use Interactive Disassembler, this would be greatly appreciated.

Here's the link to the memory addresses for Motorola Defy Mini XT320:
http://www.droidevelopers.com/f412/13117-defy-mini-xt320-tinboost-memory-map.html

The sbf files that I've used to extract appsbootsec.mbn:
Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

All these sbf files have fastboot support.

At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

Guys please don't ask for an ETA or when the bootloader is going to be unlocked as this depends on time.
@Bernd.Defy I've uploaded the rest of the Bootloader Files, would you please take a view of it using a hex viewer thanks.
 

Bernd.Defy

Senior Member
Feb 1, 2013
82
46
Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd
 

rootdefyxt320

Senior Member
Oct 4, 2012
488
440
Sydney, NSW
Hmmm... watched the mbns - I see no messages like those mentioned in the blog post. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe I'm wrong (hope so).

Regards,
Bernd

Did you use the Interactive Disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn.
 

Guitwo2

Senior Member
Jul 17, 2012
285
75
Marseille
He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD. :)

 

dmddmd

Member
Jun 29, 2012
13
3
some ideas for custom kernel/recovery

Hi all!

After some digging in the XT320's bootloader binary, I found out that our phone uses the (L)ittle (K)ernel bootloader (aka LK bootloader). And after some googling I found 2 vulnerabilities for this bootloader that I believe still exist in our Defy Minis (the Defy Mini is a pre-2014 phone).

The first one is this one (CVE-2014-0973):
h**ps://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot-image-authentication-leads-to-signature-forgery-cve-2014-0973

It's not a bootloader unlock, but it is about boot/recovery image signature forging (signing a boot/kernel/recovery image so the bootloader accepts it). It's already used on the Kindle Fire HDX and there is a tool that signs boot and recovery images for the Kindle Fire HDX. h**p://www.xda-developers.com/signing-tool-for-kindle-fire-hdx-hacks-bootloader/

Also, there is one more exploit, but I didn't find much information on it - CVE-2014-0974
h**p://www.cvedetails.com/cve/CVE-2014-0974/
If I understand correctly, when the bootloader loads the image header into RAM to verify the signature, it can be manipulated to load into the bootloader's memory where the Motorola certificate/signature is located and overwrite it, so it appears to the bootloader that the boot image signature and the bootloader's "new" signature are correct.

With these exploits there is no need to unlock the bootloader to have a custom kernel and recovery flashed on the phone.
If anyone has the knowledge and time to investigate this, it would be very nice.. I think the first way of forging the signature is easier, and the tool they made for the Kindle Fire is easily adapted to sign the Defy Mini's images.
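As an added example (not code from this thread, nor from LK or Cuber), here is a defender's sanity check for the class of bug described in the post above: parse the classic Android boot image header and reject any kernel/ramdisk/second load range that wraps around, leaves the loadable RAM window, or overlaps a protected region such as the bootloader's own memory. The RAM window and protected ranges are constructed placeholders, not the XT320's real memory map.

```python
import struct

# Classic Android boot image header, the format LK parses: magic "ANDROID!"
# followed by eight little-endian uint32 fields.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8sIIIIIIII"
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size")
VALID_PAGE_SIZES = (2048, 4096, 8192, 16384, 32768, 65536, 131072)

def parse_boot_header(blob):
    """Parse the header fields; raise ValueError on a malformed header."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("header truncated")
    magic, *values = struct.unpack_from(HEADER_FMT, blob)
    if magic != BOOT_MAGIC:
        raise ValueError("bad boot magic")
    hdr = dict(zip(FIELDS, values))
    if hdr["page_size"] not in VALID_PAGE_SIZES:
        raise ValueError("unsupported page_size %d" % hdr["page_size"])
    return hdr

def check_load_addresses(hdr, ram_lo, ram_hi, protected):
    """Return the list of violations; an empty list means the header may be honoured.
    ram_lo/ram_hi: RAM the bootloader may place images in (end exclusive).
    protected: (lo, hi, name) ranges images must never touch, e.g. the
    bootloader's own code/data and the area holding its certificate."""
    problems = []
    for name in ("kernel", "ramdisk", "second"):
        size, addr = hdr[name + "_size"], hdr[name + "_addr"]
        if size == 0:
            continue
        end = addr + size  # Python ints do not wrap, so a 32-bit overflow stays visible
        if end > 0x1_0000_0000:
            problems.append("%s: load range wraps past 32 bits" % name)
            continue
        if addr < ram_lo or end > ram_hi:
            problems.append("%s: 0x%08x-0x%08x outside loadable RAM" % (name, addr, end))
        for lo, hi, pname in protected:
            if addr < hi and lo < end:  # half-open interval overlap
                problems.append("%s: overlaps protected region %s" % (name, pname))
    return problems

def build_boot_header(**fields):
    """Constructed sample header for exercising the checks (not a real firmware image)."""
    values = dict.fromkeys(FIELDS, 0)
    values["page_size"] = 2048
    values.update(fields)
    return struct.pack(HEADER_FMT, BOOT_MAGIC, *(values[f] for f in FIELDS))
```

A bootloader that applies checks like these before copying image data cannot be steered into overwriting its own certificate, whatever the header claims.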
 

dmddmd

Member
Jun 29, 2012
13
3
Small update:
Finally got some time to test the application from this link - Cuber - h**ps://github.com/dpeddi/Cuber on @rootdefyxt320's kernel.. after signing the boot.img, it can be successfully flashed with fastboot, but it ends in a brick (recoverable with RSD Lite)...
 