Possible backdoor loader?
- Thread starter worldestroyer
- Start date
I think the biggest goal here is exactly what you said, cracking the flash process so we can put our OWN android on it (not googles locked down version). I also think that even though it is open source, we havent gotten into it yet, right? That is where the fun is at, doing something that so far seems undoable. I know new phones come out all the time and ppl say "oooh, they put this super cool new uncrackable bootloader on it" and at the same time someone is uploading a method to crack it. When I finally get my g1 (or g2 lol) I want to be able to do whatever I want on it. I want root (not always, but when I want it, I should be able to get it) and I want to be able to run most of the linux commands that were included (busybox type crap, but better than nothing) if I want to. This is the fun of Android (and linux), more power and more use. Google has kept those from us and instead gave us merely the stability of linux.
yea but remember. When they ususally talk about uncrackable bootloaders they are talking about Windows security... and we all know Windows and secure don't mix LOL that is why all the servers around here use *nix
Yeah sadly enough I'm pretty sure it was T-Mobile who forced Google to not allow root access. You know how all the stupid cell companies are about "fearing" that bad software will take them down. GOD they're stupid!
Anyway... Talkin about bootloaders. Anyone know how other bootloader on other HTC devices are writen?
By that I mean, RUU updates updates the ROM but not the bootloader. I have found some methods on upgrading bootloaders but again use RUU. I can't find (I've searched, but not entirely through) exactly how they write to it.
Also, I don't have a serial connector on my laptop and I would love to try a USB to Serial connector to see if we can communicate in bootloader mode and modify it in that maner.
If anyone has a bit more information on that or a link, I would be much apreciative.
Anyway... Talkin about bootloaders. Anyone know how other bootloader on other HTC devices are writen?
By that I mean, RUU updates updates the ROM but not the bootloader. I have found some methods on upgrading bootloaders but again use RUU. I can't find (I've searched, but not entirely through) exactly how they write to it.
Also, I don't have a serial connector on my laptop and I would love to try a USB to Serial connector to see if we can communicate in bootloader mode and modify it in that maner.
If anyone has a bit more information on that or a link, I would be much apreciative.
the boot.img contains two gzip's and some small arm code to extract them.
the radio.img is just like any other qualcomm radio, same partitions. signed in the same way as other htc's
as for update.zip, the person who said we need private key was correct - either that or exploit somehow, which isn't easy. the public key is either in recovery image or in the rsa file, I didn't look yet.
oh, and third option is replace recovery image or the htc spl in flash with patched one, but you will want root access and a lot more to do that.
Last edited:
Sorry for possible ignorance, I've just stumbled upon this thread and haven't read all fifteen pages of it. However -- what do you think you need the private key for? You should be able to resign the .zip using the Jar Signer (as that is what it is originally set up with).
Though your right we need to figure out exactly what the img files contain and find a way to patch them for root acces!
How were you able to do this? Instructions or a link to instructions will apreciated.
This is true. However we still don't know how to activate that recovery funtion yet.
In the recovery console, the first thing it tries to do is load instructions (I'm assming) from sdcard:/cache/recovery/command. We need to know if it just needs instructions or what.
When you power on you phone holding the camera button, the bootloader looks for an image. Don't know where though.
Thats the Thing with PKey and Private Key and it Impossible to crack unless the Boot loader is not checking for Signing Authority.
Please Understand Signing a File and Encrypting the File is Different thing we have G1 Update.zip as Normal Zip file but The moment we change any byte in Zip Store the Checking gets failed. if G1 Boot loader is really not checking Signer and only rely on Signed Object then whosmever may have signed that we got the Solution but i don't either HTC or Google is that foolish to do that.
We must have to look at G1 Source code for Details.
I think what cmonex and Olipro does is better. Get Source code of Boot loader Recompile it with disabled Signed Object logic. Load the Boot Loader into Memory and that Jump to that Location. here Root access to Device is Necessary, once we are Successful to run Patched Boot loader from Memory Flashing Customized Image may not be a Problem. I know that in Windows there is no Security at all so doing same thing in Much Protected OS like Android will be Difficult.
Please Understand Signing a File and Encrypting the File is Different thing we have G1 Update.zip as Normal Zip file but The moment we change any byte in Zip Store the Checking gets failed. if G1 Boot loader is really not checking Signer and only rely on Signed Object then whosmever may have signed that we got the Solution but i don't either HTC or Google is that foolish to do that.
We must have to look at G1 Source code for Details.
I think what cmonex and Olipro does is better. Get Source code of Boot loader Recompile it with disabled Signed Object logic. Load the Boot Loader into Memory and that Jump to that Location. here Root access to Device is Necessary, once we are Successful to run Patched Boot loader from Memory Flashing Customized Image may not be a Problem. I know that in Windows there is no Security at all so doing same thing in Much Protected OS like Android will be Difficult.
Last edited:
How were you able to do this? Instructions or a link to instructions will apreciated.
good ol' plain hexeditor and experience with gzip format.
search for 1F 8B 08, you will find it twice, that's the start of the gzip headers, end is about where you see a lot of zeros. to be more precise a gzipped file ends in 8 bytes, 4 checksum and last 4 are the uncompressed filesize.
so, cut the files and then name them filename.gz, and extract.
btw you can recompile recovery from the source code, but i don't know yet how usable that is in reality.
how to activate recovery function? pretty well known, after holding home and some other key, I don't remember (don't have a G1) but do some search on it
the tricolour bootloader is probably using a lot of HTC spl code... I'd really like to get my hands on a Dream (not another device's
) hboot.img which is the bootloader file.what do you think this jar signer thing uses to sign it? not magic.
the public key must go with the right private key. check out wikipedia for how RSA works
way to figure out what img contains? well most of the code is opensource, except of course the htc bootloader (the hboot) and the radio
I think we need to focus our efforts on these files and this site
http://git.source.android.com/
And here HTC has released some things
http://git.source.android.com/?p=platform/vendor/htc/dream.git;a=summary
Searching around I found a bootloader... but it says legacy... maybe it is the older version http://git.source.android.com/?p=platform/bootloader/legacy.git;a=summary
http://git.source.android.com/
And here HTC has released some things
http://git.source.android.com/?p=platform/vendor/htc/dream.git;a=summary
Searching around I found a bootloader... but it says legacy... maybe it is the older version http://git.source.android.com/?p=platform/bootloader/legacy.git;a=summary
Last edited:
Possible backdoor loader
Not sure if this helps.
http://www.android-unleashed.com/2008/11/howto-get-root-on-your-android-g1-and.html
Grab pTerminal from the market, reboot your phone, open pterminal quickly, cd to /system/bin/
then enter telnetd 2 or 3 times, then type telnet "your phone ip"
Take a look:
kyle@ion:~$ telnet 192.168.0.88
Trying 192.168.0.88...
Connected to 192.168.0.88.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)
# cd proc
# cat version
Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
Not sure if this helps.
http://www.android-unleashed.com/2008/11/howto-get-root-on-your-android-g1-and.html
Grab pTerminal from the market, reboot your phone, open pterminal quickly, cd to /system/bin/
then enter telnetd 2 or 3 times, then type telnet "your phone ip"
Take a look:
kyle@ion:~$ telnet 192.168.0.88
Trying 192.168.0.88...
Connected to 192.168.0.88.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)
# cd proc
# cat version
Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
This is what i found in following Source Code of Boot loader
http://git.source.android.com/?p=pl...8;hb=4205b865141ff2e255fe1d3bd16de18e217ef06a
http://git.source.android.com/?p=pl...8;hb=4205b865141ff2e255fe1d3bd16de18e217ef06a
Code:
43 #if REQUIRE_SIGNATURE
44 unsigned key_engineering[2 + 64 + 64] = {
45 64,0x5b022317,-60769447,648742897,-13657530,585562035,591851935,
46 454860199,-1809625305,1868200692,-155297008,-1688439840,-1333607631,
47 -483027189,-2051438457,1030069735,819944365,2133377257,-1978924214,
48 2109678622,1974978919,-1811463608,765849268,1984092281,921245328,
49 -1055062768,1487475997,1209618652,871985152,-611178965,-2057018571,
50 335641539,-1196119550,1550548229,-356223887,1909799623,1281016007,
51 957001635,1005656532,-1027634024,-1576447610,-1917246637,589192795,
52 -1137386186,-1958135372,1933245070,64958951,-1820428322,-1577697840,
53 1824253519,555306239,-1588272058,-1925773018,1205934271,-836584444,
54 -1140961670,-185198349,1293769947,37045923,1516796974,-297288651,
55 651582073,-1337054592,-543971216,-1706823885,-1040652818,-594113104,
56 260093481,-1277656496,56493468,1577037283,773995876,244894933,
57 -2075797967,783894843,880611008,-1433369702,380946504,-2081431477,
58 1377832804,2089455451,-410001201,1245307237,-1228170341,-2062569137,
59 -1327614308,-1671042654,1242248660,-418803721,40890010,-1806767460,
60 -1468529145,-1058158532,1243817302,-527795003,175453645,-210650325,
61 -827053868,-571422860,886300657,2129677324,846504590,-1413102805,
62 -1287448511,-1991140134,56194155,1375685594,-129884114,1393568535,
63 -1098719620,-935279550,1717137954,-1782544741,272581921,-669183778,
64 584824755,1434974827,-1122387971,-810584927,-2147338547,-937541680,
65 -313561073,5506366,-1594059648,-1744451574,1896015834,1496367069,
66 1742853908,508461291,1905056764
67 };
68 #endifhelp
mine says E:Failure at Line 1:
assert getprop...etc
Thats exactly what I am doing
Im going to try with another microsd card I have.
And yes, I have verified that the file is correct. It has the same md5 sum was posted earlier and I have redownloaded it twice.
mine says E:Failure at Line 1:
assert getprop...etc
Similar threads
- Locked
