R800X Bootloader CRACKED!

ashergray (#1, OP), last edited 13th September 2011 at 05:32 PM, reason: update

BOOTLOADER CRACKED!

EDIT: After discussing it with Mills and Blagus, I will not be publicly sharing my knowledge on how to crack the bootloader. This is only temporary until we (all R800x owners) can get a more permanent solution. Maybe another week or so before anything is solid.


UPDATE:
There is no longer a free solution for unlocking the Play. Please contact Blagus or yifanlu to see if they have your MEID on file, and check out the current paid solution. :/

I have attached screenshots as proof of root.
Attached screenshots: cracked.jpg, screenshot_2.jpg, screenshot_1.jpg, screenshot_3.jpg, screenshot.jpg

Blagus (#2)
If you have already specified the charset manually, then why set --hex-charset again?

Sent from my R800i using XDA App
 
Mills00013 (#3)
Isn't this attack better served by simply generating a full list of values using CUDA and then comparing them to the RCK_H CODE key we have? Then once we figure out which one matches, we will know what 16-character code generated it. If we can find a few matches for a few devices then we will probably be able to figure out the algorithm.
 
ashergray (#4)
Quote (originally posted by Blagus):
If you have already specified the charset manually, then why set --hex-charset again?

Sent from my R800i using XDA App
Because when you specify a hex charset it sends the information as the hex it represents rather than as the string of characters. It does make a difference here.
ABCDEF1234567890 hashed as hex:
Code:
eb5f4f42e353764daad987ef5b3a5df79339b021f08e90b1f00e1e7a79b15972
versus submitting it as text:
ABCDEF1234567890 hashed as text:
Code:
2b749913055289cb3a5c602a17196b5437dc59bba50e986ea449012a303f7201
It's subtle, but it's a big change in the hashing process.
If you hash the unlock code as text you get something completely different than if you were to submit it as the hex it represents, which is what our RCK_H code is.
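
The point made in post #4, as an added example that is not part of the thread: hashing the 16 characters as text feeds 16 ASCII bytes to the hash function, while hex-decoding them first feeds the 8 raw bytes they denote, so the same printed value yields two unrelated digests. SHA-256 is an assumption here (the digests quoted in the thread are 64 hex characters long, which fits SHA-256, but the page never names the hash), so the digests this code prints are not claimed to reproduce the ones quoted above. The function names and the stored-digest check are mine; the sample value is the one quoted in the post.

```python
import hashlib
from typing import Optional

# Sample value taken from the post above; any 16 hex characters would do.
SAMPLE_CODE = "ABCDEF1234567890"


def sha256_hex(data: bytes) -> str:
    """Hex digest of SHA-256. Assumed hash: the thread's digests are 64 hex
    characters, which matches SHA-256, but the thread never names the algorithm."""
    return hashlib.sha256(data).hexdigest()


def digest_as_text(code: str) -> str:
    """Hash the 16 ASCII characters themselves: 16 input bytes reach the hash."""
    return sha256_hex(code.encode("ascii"))


def digest_as_hex(code: str) -> str:
    """Decode the 16 hex characters into the 8 raw bytes they denote, then hash.
    This is what submitting the candidate 'as hex' rather than 'as text' means."""
    return sha256_hex(bytes.fromhex(code))


def encoding_report(code: str) -> dict:
    """Show how many bytes reach the hash under each interpretation and the
    resulting digests, so the difference is visible rather than asserted."""
    return {
        "text_input_bytes": len(code.encode("ascii")),
        "hex_input_bytes": len(bytes.fromhex(code)),
        "text_digest": digest_as_text(code),
        "hex_digest": digest_as_hex(code),
    }


def which_encoding_matches(code: str, stored_digest: str) -> Optional[str]:
    """Verification-side check: a stored digest only matches a candidate when
    the candidate is fed to the hash with the same encoding that produced the
    digest. Returns 'text', 'hex', or None when neither interpretation matches."""
    stored = stored_digest.lower()
    if digest_as_text(code) == stored:
        return "text"
    if digest_as_hex(code) == stored:
        return "hex"
    return None


if __name__ == "__main__":
    for key, value in encoding_report(SAMPLE_CODE).items():
        print(f"{key}: {value}")
```

One consequence worth noticing: hex decoding normalises case, so `abcdef1234567890` and `ABCDEF1234567890` hash identically under the hex interpretation but differently under the text interpretation. A verifier that stores a digest must therefore also record (or fix by convention) which encoding of the input was hashed, or legitimate values will fail to verify.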
ashergray (#5)
Quote (originally posted by Mills00013):
Isn't this attack better served by simply generating a full list of values using CUDA and then comparing them to the RCK_H CODE key we have? Then once we figure out which one matches, we will know what 16-character code generated it. If we can find a few matches for a few devices then we will probably be able to figure out the algorithm.
Yes, you could approach the problem with that school of thought, but the file size for that much information would be well over 100 terabytes if my math is close.

As far as the algorithm goes, based on an educated guess, I think it is a MYSQL323 hashing algorithm that inputs the IMEI as hex to produce the unlock code. I don't see how this is beneficial to us at this point though, given that Verizon doesn't use IMEI for their Play. Maybe worth looking into for bootloaders that are locked but can get into fastboot and SE doesn't provide an unlock code, outside of Verizon of course. The path we are taking now is capable of unlocking most Plays.
IronCross1788 (#6)
Good progress, gentlemen. Keep up the amazing work. This device has a lot of potential.

Sent from my R800x using Tapatalk
 
Mills00013 (#7)
So is the goal of using oclHashCat-Lite just to compare directly against the key and continue crunching until we get a match? Meaning it won't be exporting anything at all; it will just crank until it hits. So some phones might get really lucky and some might get really unlucky in regards to the time frame we are looking at.
 
ashergray (#8)
Quote (originally posted by Mills00013):
So is the goal of using oclHashCat-Lite just to compare directly against the key and continue crunching until we get a match? Meaning it won't be exporting anything at all; it will just crank until it hits. So some phones might get really lucky and some might get really unlucky in regards to the time frame we are looking at.
Yeah, in a sense that's the idea. Statistically speaking, you will hit the 50% mark every time. But once we have one cracked I have an idea for us CDMA guys. I am waiting to hear back from Blagus on what he thinks.
The TA is digitally signed by SE, preventing us from tampering, but if we just overwrite it with a TA we know the unlock for, it should work, and hopefully without bricking it, since it is a Verizon TA being overwritten.
I know one guy tried this already but messed up since it was a GSM TA overwriting a CDMA one, different file sizes and everything.
So hopefully it will be much easier once we get one down.
Blagus (#9)
Quote (originally posted by ashergray):
Yeah, in a sense that's the idea. Statistically speaking, you will hit the 50% mark every time. But once we have one cracked I have an idea for us CDMA guys. I am waiting to hear back from Blagus on what he thinks.
The TA is digitally signed by SE, preventing us from tampering, but if we just overwrite it with a TA we know the unlock for, it should work, and hopefully without bricking it, since it is a Verizon TA being overwritten.
I know one guy tried this already but messed up since it was a GSM TA overwriting a CDMA one, different file sizes and everything.
So hopefully it will be much easier once we get one down.
No, because the TA contains unique phone data like IMEI/MEID, RCK_H, etc. You can't have two phones with the same IMEI/MEID, right? Also, the IMEI/MEID is also stored in OTP, and EROM checks the two on boot; if they don't match, no booting.
 
ashergray (#10)
I see, I didn't realize that it was tied together like that. Looks like that idea is nixed. Did a preliminary run on my 3 GHz dual core and 8800GT; it said almost 70 days before it goes through the full list. Still doing some small-scale runs and waiting on atom at hashcat for some help.
