Fastboot Unlocked?

gdeeble · 27th June 2012, 07:17 AM

Rzrbck, how so, if it could be retrieved from the phone? Maybe I'm not understanding, but if we had that bootloader is it not like the normal S model with full permissions to the phone?

dewhashish · 27th June 2012, 02:47 PM

what makes it an engineering model? are the physical components the same, or is it a software setting that if we changed could unlock the phone?

niai_mack · 27th June 2012, 09:49 PM

would it be possible via hardware to dump an SE bootloader, and flash it to a S devic? I would be willing to give this a go if its possible.

rightonred · 07:19 AM

if we could get the bootloader images off that phone an unlock for the Droid 4 might be possible. Assuming, of course that both the S and the SE model use the same keys.

mxgoldman · 28th June 2012, 07:46 AM

Tell me what I can do to help.

rightonred · 06:23 PM

I wish I knew what to do, but in the mean time, here's some literature on how the lock works (it's for the milestone, but the d4 might use the same infrastructure).

The bootchain:
http://www.droid-developers.org/wiki/Booting_chain
The mbmloader: this loads the bootloader, if this is replaced with a version that doesn't check signatures, the bootloader can be permanently replaced:
http://www.droid-developers.org/wiki/Mbmloader
The mbm (bootloader) does it's own signature check of the kernel before booting it.

If either the key burned into the phone's fuse, or the key the mbmloader uses to check the mbm are the same on both devices, one or both of those partitions can be flashed with with the unlocked version. If they're both different, this is a dead end.

The only other option after this (aside from espionage)would be to crack the signature system directly by either creating an unlocked version of the bootloader and patching it in a way that it generates the same hash, or discover a new way to factorize large (2048 bit) numbers, and reverse engineer motorola's private signing key. (If you were to discover this factoring method, nearly every security company would have to retool.)

edit: careful updating your phone, an OTA can relock your phone. The more I read, it seems less likely that the bootloader is encrypted. Dumps should be made, but this is going to require someone with greater knowledge than I.

dewhashish · 28th June 2012, 09:07 PM

how would we go about doing this?

rightonred · 28th June 2012, 09:50 PM

Quote:

Originally Posted by dewhashish

how would we go about doing this?

It seems like you load a special kernel module to unhide the bootloader partitions then simply use the dd command to make an image copy onto the sdcard.

iow, we need a dev.