BlackBerry PRIV Root Bounty


h4ck5

New member
Mar 23, 2011
Priv, the last of the real blackberry hardware

No update? I guess the Priv hardware will die before this bounty is claimed :D

orzman

New member
Dec 30, 2019
Hmmmm, no doubt it looks that way. A guy in China tried the 9008 porting break-through, but he said the commands within this interface were limited by RIM; it's totally different from the normal DOWNLOADER interface.
 

Top Liked Posts

  • 10
    UPDATED: 12/16/15

    BB Priv Untethered Root Bounty Totals = $1000
    BB Priv Tethered Root Bounty Totals = $140

    Details are in Google Sheets
    https://docs.google.com/spreadsheet...cn6EMoAYMYbp13Fw-FevDbU/edit?usp=docslist_api


    Who's coming with us? [emoji1]

    *** If you don't specify tethered or untethered, the donation amount will be added only to the untethered bounty.
    6
    Done complete reverse engineering of the "aboot" image signature verification, and there are no vulnerabilities there...
    Moving now to the USB stack in aboot to look for issues in the USB protocol and in the fastboot commands...
    4
    Also done with all the fastboot commands... nothing to exploit there...
    All commands that have ":" can take user arguments that we can control, but sadly for us the input validation is good.

    You can see the commands below and all the function handlers:

    Code:
    "download:", 0xF9287BC
    "getvar:", 0xF928660
    "oem mmcinfo", 0xF92E764
    "oem enable-charger-screen", 0xF92F414
    "oem disable-charger-screen", 0xF92F50C
    "oem info", 0xF92F85C
    "oem bootlog", 0xF92EC0C
    "oem securewipe", 0xF92E2F0
    "oem blocklist-wipe", 0xF92E070
    "oem grswipe", 0xF92E238
    "oem enable-usb-reset", 0xF92E020
    "oem enable-usb-shutdown", 0xF92DFD0
    "oem led:", 0xF939AE4
    "oem clear-anti-theft", 0xF92EFC4
    "oem format", 0xF92E670
    "oem gptinfo", 0xF92F170
    "oem set-factory-mode", 0xF92E1A8   -> not possible configured to always fail on production FW.
    "oem set-product-mode", 0xF92E118
    "oem erase-ddr-training-primary", 0xF92F34C
    "oem erase-ddr-training-backup", 0xF92E3A8
    "oem bootmetrics", 0xF951D04
    "oem getvarp:", 0xF92E504
    "oem dmesg", 0xF92F2CC
    "oem mmchealth", 0xF933C40
    "oem console", 0xF92F638
    "oem clear-lal", 0xF92E494

    I have seen an interesting flow in the boot chain update (0xF938DB8), but I don't have high hopes for that since it later reboots the platform and will validate the signatures (which are already OK), but I'm still poking here and there...
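A constructed model, added here and not aboot's code or anything posted in the thread, of how a fastboot dispatcher like the one tabulated above treats the ":" commands that carry a host-supplied argument. The 64-byte packet limit and the DATA/OKAY/FAIL responses follow the fastboot protocol; the handler names are taken from the list above, while the staging-buffer size and the getvar values are assumed for illustration.

```python
import re

MAX_COMMAND_LEN = 64               # fastboot protocol: one command packet is at most 64 bytes
MAX_DOWNLOAD = 512 * 1024 * 1024   # assumed size of the device's download staging buffer


def handle_download(arg: str) -> str:
    """download:%08x -- the argument must be exactly 8 hex digits and fit the buffer."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}", arg):
        return "FAILinvalid size"
    size = int(arg, 16)
    if size == 0 or size > MAX_DOWNLOAD:
        return "FAILdata too large"
    return f"DATA{size:08x}"          # device is now ready to receive `size` bytes


def handle_getvar(arg: str) -> str:
    """getvar:<name> -- only known variables are answered (constructed values)."""
    variables = {"version": "0.5", "product": "priv"}
    if arg not in variables:
        return "FAILGetVar Variable Not found"
    return "OKAY" + variables[arg]


def handle_oem_info(arg: str) -> str:
    return "OKAY"


# Subset of the handler table from the post; a trailing ":" marks an argument-taking command.
HANDLERS = {
    "download:": handle_download,
    "getvar:": handle_getvar,
    "oem info": handle_oem_info,
}


def dispatch(packet: bytes) -> str:
    """Parse one host->device fastboot packet and return the device's response string."""
    if len(packet) > MAX_COMMAND_LEN:
        return "FAILcommand too long"
    try:
        cmd = packet.decode("ascii")
    except UnicodeDecodeError:
        return "FAILnon-ascii command"
    for name, handler in HANDLERS.items():
        if name.endswith(":"):
            if cmd.startswith(name):          # prefix match; the rest is attacker-controllable input
                return handler(cmd[len(name):])
        elif cmd == name:                     # argument-less commands must match exactly
            return handler("")
    return "FAILunknown command"
```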
    3
    I think that the "aboot" module is well written and no mistakes have been made in that module. Meaning, this leaves us with finding a 0-day bug in the Qualcomm 808 TrustZone or just exploiting an existing bug in the Android kernel.
    A ROM exploit is something that I didn't look for, since it would need to be blindly exploited and investigated.

    So an Android kernel exploit is the way to get the easiest root for now, and this can be achieved on the original release of the Priv (without the new FW update), or when a new kernel bug comes out we can exploit the new FW update as well.

    I can build this exploit (for the old version of the Priv, before the security patches), but the question is: how much will this be worth to you?
    3
    Untethered root

    Add $20 bucks to it.