R800X Bootloader CRACKED!

By ashergray, Senior Member on 2nd August 2011, 05:14 AM
BOOTLOADER CRACKED!

EDIT: After discussing it with Mills and Blagus, I will not be publicly sharing my knowledge on how to crack the bootloader. This is only temporary until we (all R800x owners) can get a more permanent solution. Maybe another week or so before anything is solid.

UPDATE:
There is no longer a free solution for unlocking the Play. Please contact Blagus or yifanlu to see if they have your MEID on file, and check out the current paid solution. :/

I have attached screenshots as proof of root
[Attached screenshots: cracked.jpg, screenshot_2.jpg, screenshot_1.jpg, screenshot_3.jpg, screenshot.jpg]
Last edited by ashergray; 13th September 2011 at 05:32 PM. Reason: update
#2 | Blagus (Recognized Developer) | 2nd August 2011, 07:40 AM
If you have already specified charset manually then why set --hex-charset again?

Sent from my R800i using XDA App
#3 | Mills00013 (Senior Member) | 2nd August 2011, 03:48 PM
Isn't this attack better served by simply generating a full list of values using CUDA and then comparing them to the RCK_H CODE Key we have? Then once we figure out which one matches, we will know what 16 character code generated it. If we can find a few matches for a few devices then we will be able to probably figure out the algorithm.
#4 | ashergray, OP (Senior Member, Rock Hill SC) | 2nd August 2011, 05:37 PM
Quote (Blagus): If you have already specified charset manually then why set --hex-charset again?

Because when you specify a hex charset it sends the information as the hex it represents rather than the string of characters. It does make a difference here.

ABCDEF1234567890 hashed as hex
Code:
eb5f4f42e353764daad987ef5b3a5df79339b021f08e90b1f00e1e7a79b15972

versus submitting it as text:

ABCDEF1234567890 hashed as text
Code:
2b749913055289cb3a5c602a17196b5437dc59bba50e986ea449012a303f7201

It's subtle, but it's a big change in the hashing process. If you hash the unlock code as text you get something completely different than if you were to submit it as the hex it represents, which is what our RCK_H code is.
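What the --hex-charset distinction in post #4 means for the bytes that actually enter the hash, shown as an added example (not code from the thread, and not the poster's hashcat command): the same 16-character code is fed to the digest once as its 16 ASCII characters and once as the 8 raw bytes those characters spell. SHA-256 is an assumption here, chosen only because the 64-hex-digit outputs quoted above are the right length for a 256-bit digest; the page never names the algorithm, so the values this script prints are not expected to match the ones in the post.

```python
import hashlib

# Constructed input: the 16-character code used in the post above.
UNLOCK_CODE = "ABCDEF1234567890"


def candidate_bytes(code: str, hex_charset: bool) -> bytes:
    """Return what the hash actually consumes for one candidate.

    hex_charset=False: the 16 ASCII characters themselves (16 bytes).
    hex_charset=True:  the 8 bytes those characters spell, which is what
                       hashcat feeds the hash when --hex-charset is set.
    """
    return bytes.fromhex(code) if hex_charset else code.encode("ascii")


def digest(code: str, hex_charset: bool) -> str:
    """Hex digest of the candidate bytes.

    SHA-256 is an assumption: the thread's 64-hex-digit outputs fit a
    256-bit digest, but the page never names the algorithm.
    """
    return hashlib.sha256(candidate_bytes(code, hex_charset)).hexdigest()


if __name__ == "__main__":
    for as_hex in (False, True):
        label = "hex" if as_hex else "text"
        print(f"{UNLOCK_CODE} hashed as {label}: {digest(UNLOCK_CODE, as_hex)}")
```

Both readings have the same keyspace size (16 positions over the 16 hex digits, or 8 positions over 256 byte values, is 2^64 either way), so the cost of the search does not change; what changes is the input bytes, and a cracker configured for the text reading will never find a code whose RCK_H was computed over the raw bytes.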
#5 | ashergray, OP (Senior Member, Rock Hill SC) | 2nd August 2011, 06:20 PM
Quote (Mills00013): Isn't this attack better served by simply generating a full list of values using CUDA and then comparing them to the RCK_H CODE Key we have? Then once we figure out which one matches, we will know what 16 character code generated it. If we can find a few matches for a few devices then we will be able to probably figure out the algorithm.

Yes, you could approach the problem with that school of thought, but the file size for that much information would be well over 100 terabytes if my math is close.

As far as the algorithm goes, based on an educated guess, I think it is a MYSQL323 hashing algorithm that inputs the IMEI as hex to produce the unlock code. I don't see how this is beneficial to us at this point though, given that Verizon doesn't use IMEI for their Play. Maybe worth looking into for bootloaders that are locked but can get into fastboot and SE doesn't provide an unlock code, outside of Verizon of course. The path we are taking now is capable of unlocking most Plays.
#6 | Member | 2nd August 2011, 06:40 PM
Good progress, gentlemen. Keep up the amazing work. This device has a lot of potential.

Sent from my R800x using Tapatalk
#7 | Mills00013 (Senior Member) | 2nd August 2011, 09:11 PM
So is the goal of using oclHashCat-Lite just to compare directly against the key and continue crunching until we get a match? Meaning it won't be exporting anything at all, it will just be a crank until it hits. So some phones might get really lucky and some might get really unlucky in regards to the time frame we are looking at.
#8 | ashergray, OP (Senior Member, Rock Hill SC) | 2nd August 2011, 09:49 PM
Quote (Mills00013): So is the goal of using oclHashCat-Lite just to compare directly against the key and continue crunching until we get a match? Meaning it won't be exporting anything at all, it will just be a crank until it hits. So some phones might get really lucky and some might get really unlucky in regards to the time frame we are looking at.

Yeah, in a sense that's the idea. Statistically speaking, you will hit the 50% mark every time. But once we have one cracked I have an idea for us CDMA guys. I am waiting to hear back from Blagus on what he thinks.

The TA is digitally signed by SE, preventing us from tampering, but if we just overwrite with a TA we know the unlock for, it should work, and hopefully without bricking it, since it is a Verizon TA being overwritten. I know one guy tried this already but messed up since it was a GSM TA overwriting a CDMA one, different file sizes and everything. So hopefully it will be much easier once we get one down.
#9 | Blagus (Recognized Developer) | 2nd August 2011, 10:14 PM
Quote (ashergray): Yeah, in a sense that's the idea. Statistically speaking, you will hit the 50% mark every time. But once we have one cracked I have an idea for us CDMA guys. I am waiting to hear back from Blagus on what he thinks. The TA is digitally signed by SE, preventing us from tampering, but if we just overwrite with a TA we know the unlock for, it should work, and hopefully without bricking it, since it is a Verizon TA being overwritten. I know one guy tried this already but messed up since it was a GSM TA overwriting a CDMA one, different file sizes and everything. So hopefully it will be much easier once we get one down.

No, because the TA contains unique phone data, like IMEI/MEID, RCK_H, etc. You can't have two phones with the same IMEI/MEID, right? The IMEI/MEID is also stored in OTP, and the EROM checks the two on boot: if they don't match, no booting.
#10 | ashergray, OP (Senior Member, Rock Hill SC) | 2nd August 2011, 11:05 PM
I see, I didn't realize that it was tied together like that. Looks like that idea is nixed. Did a preliminary run on my 3 GHz dual core and 8800GT; it said almost 70 days before it goes through the full list. Still doing some small-scale runs and waiting on atom at hashcat for some help.
#11 | Mills00013 (Senior Member) | 3rd August 2011, 04:01 AM
The guy who bricked his Play was me... So I know all about how finicky that part of the phone can be. I would love to dedicate some cycles to cracking this thing. Realistically, seventy days is not that bad. Certainly doesn't hurt to get the ball rolling, and if we get a result before SE officially releases the method, then we are ahead of the curve.

We could also do this as a team effort, meaning if we took one person's key and everyone took a certain chunk and tried just those. If we had 7 people try it we would have a crack in ten days...

Also, I'd love to give the same script a go if you've got the command worked out already. I've got an 8-core i7 with a Quadro FX800 card. This thing is more suited to crunch proteins in my lab but I think it could do well for it to take a few days and crack some code.

Sent from my R800x using XDA App
Last edited by Mills00013; 3rd August 2011 at 04:04 AM.
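The team-effort plan in posts #7 through #11, written out as an added example rather than the tool the posters actually used (oclHashcat-Lite): take one phone's target digest, split the candidate space into disjoint chunks, hand each participant a chunk index, and have each chunk hash raw bytes (the --hex-charset case from post #4) until one matches. SHA-256 and a deliberately tiny 2-byte keyspace are assumptions so the script finishes in seconds; the thread's 16-hex-character code is 8 bytes, which is 2^64 candidates if every byte value is possible, and the chunking logic is the same at that size.

```python
import hashlib
from typing import Optional, Tuple


def hash_hex_code(code_hex: str) -> str:
    """Digest of the raw bytes a hex unlock code spells (hashcat --hex-charset).

    SHA-256 is an assumption standing in for the unknown RCK_H hash: the
    thread never names it; its 64-hex-digit outputs merely fit a 256-bit digest.
    """
    return hashlib.sha256(bytes.fromhex(code_hex)).hexdigest()


def chunk_bounds(keyspace: int, index: int, parts: int) -> Tuple[int, int]:
    """Split [0, keyspace) into `parts` near-equal ranges; return range `index`.

    The ranges are disjoint and together cover the whole space, so each
    participant takes one index and no candidate is hashed twice.
    """
    if parts < 1 or not 0 <= index < parts:
        raise ValueError("bad chunk index/parts")
    size, rem = divmod(keyspace, parts)
    lo = index * size + min(index, rem)
    hi = lo + size + (1 if index < rem else 0)
    return lo, hi


def search_chunk(target: str, nbytes: int, index: int, parts: int) -> Optional[str]:
    """Brute-force one chunk of an nbytes-wide keyspace against `target`.

    Every candidate goes into the hash as raw bytes, never as its 2*nbytes-char
    hex spelling. Returns the matching code as uppercase hex, or None.
    """
    lo, hi = chunk_bounds(256 ** nbytes, index, parts)
    for i in range(lo, hi):
        candidate = i.to_bytes(nbytes, "big")
        if hashlib.sha256(candidate).hexdigest() == target:
            return candidate.hex().upper()
    return None


def search_all(target: str, nbytes: int, parts: int) -> Optional[Tuple[int, str]]:
    """Run every chunk in turn: what `parts` people would do in parallel."""
    for index in range(parts):
        found = search_chunk(target, nbytes, index, parts)
        if found is not None:
            return index, found
    return None


if __name__ == "__main__":
    # Constructed target: a 2-byte (4 hex character) "unlock code", 7 participants.
    target = hash_hex_code("BEEF")
    print(search_all(target, 2, 7))  # (5, 'BEEF')
```

Each participant runs only search_chunk with their own index, so the expected wall-clock time for the group is the single-machine figure divided by the number of participants; that is the 70 days / 7 people ≈ 10 days arithmetic in post #11. Post #8's "50% mark" is the same observation for one worker: on average a match turns up halfway through the chunk, though any particular key may sit near the start or the end of it.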