Manually Rollback - Downloaded from their site.


EncryptedCurse

Senior Member
These direct download links are definitely nothing new...
The problem is that the system has a "forward lock." One of the requirements that Amazon uses for verifying this file is that the firmware is a higher version than the current.
 

r3pwn

Inactive Recognized Developer
r3pwn.com
These direct download links are definitely nothing new...
The problem is that the system has a "forward lock." One of the requirements that Amazon uses for verifying this file is that the firmware is a higher version than the current.
This is correct. Amazon uses an "anti-rollback protection" system to keep people from rolling back to previous firmware versions by blowing specific qfuses during the upgrade process. Downgrading will result in a permanent brick.
 

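The fuse-based anti-rollback that r3pwn describes above, as an added example that is not part of the original thread and not Amazon's code. It models what the posts say: a qfuse bank is one-way (bits go from 0 to 1 and never back), so the minimum accepted bootloader version can only rise, and an sbl1 below that minimum is refused before it runs. The fuse width, the thermometer encoding, the version numbers and the "burn after a successful update" flow are assumptions made for the illustration.

```python
"""Added example (not from the thread): a model of qfuse anti-rollback as the
posts describe it.  Fuse layout, encoding and the update flow are assumptions."""

FUSE_BITS = 16  # assumed width of the rollback fuse field


class RollbackFuses:
    """One-way storage: burn_to() can only add ones, so min_version() never drops."""

    def __init__(self):
        self.bits = 0  # all fuses intact at the factory

    def min_version(self):
        # Thermometer code: the number of burnt bits is the minimum accepted version.
        return bin(self.bits).count("1")

    def burn_to(self, version):
        if version > FUSE_BITS:
            raise ValueError("version exceeds fuse field")
        self.bits |= (1 << version) - 1  # OR only: an older version cannot clear bits
        return self.min_version()


class BootRom:
    """First-stage loader: refuses any sbl1 whose rollback index is below the fuses.
    On refusal the device drops to its USB emergency mode (QHUSB in the thread)
    instead of executing anything from eMMC."""

    def __init__(self, fuses):
        self.fuses = fuses

    def try_boot(self, sbl1_version):
        if sbl1_version < self.fuses.min_version():
            return "QHUSB"  # bricked: sbl1 is never run, so nothing can re-flash it
        return "sbl1"

    def install_update(self, sbl1_version):
        """Assumed update flow: the new sbl1 burns the fuses up to its own version
        once it has booted, which is what makes the downgrade one-way."""
        result = self.try_boot(sbl1_version)
        if result == "sbl1":
            self.fuses.burn_to(sbl1_version)
        return result


if __name__ == "__main__":
    rom = BootRom(RollbackFuses())
    print(rom.install_update(3), rom.fuses.min_version())  # sbl1 3
    print(rom.install_update(5), rom.fuses.min_version())  # sbl1 5
    print(rom.try_boot(4))                                 # QHUSB (older sbl1 refused)
    print(rom.fuses.burn_to(2), rom.try_boot(5))           # 5 sbl1 (fuses cannot go back)
```

The point the model makes is the one in the posts: once the fuses have been burnt by a newer sbl1, an older bootloader chain does not bootloop, it is rejected before it executes, and the only thing that could raise the fuses back into range is a bootloader that already boots.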
Eclipsys

Member
This is correct. Amazon uses an "anti-rollback protection" system to keep people from rolling back to previous firmware versions by blowing specific qfuses during the upgrade process. Downgrading will result in a permanent brick.

Aww, a definite disappointment. I'll update the first post to show this. I hadn't read this in any other posts, sorry for the false hope. Thanks for confirming this before I tried it.
 

p1gl3t

Senior Member
This is correct. Amazon uses an "anti-rollback protection" system to keep people from rolling back to previous firmware versions by blowing specific qfuses during the upgrade process. Downgrading will result in a permanent brick.
You can actually downgrade the device, but it will get bricked as anti-downgrading is also implemented on the bootloader level.
 

p1gl3t

Senior Member
Yes. I stated that. Did you read my post fully?

I must admit to not having read the last sentence. I'm sorry.
I wanted to stress that you can actually start a downgrade even from 4.5.x. We could exploit this if there isn't any signature verification on the OTA archive after the device reboots into recovery.
Do you have any idea whom I should ask for a recovery bin dump? Or maybe someone already knows if the signature check is only done in Android, before rebooting.
 

r3pwn

Inactive Recognized Developer
r3pwn.com
I must admit to not having read the last sentence. I'm sorry.
I wanted to stress that you can actually start a downgrade even from 4.5.x. We could exploit this if there isn't any signature verification on the OTA archive after the device reboots into recovery.
Do you have any idea whom I should ask for a recovery bin dump? Or maybe someone already knows if the signature check is only done in Android, before rebooting.
It's okay. I know a downgrade from 4.5.X is possible, but people would then need to intercept the traffic by sniffing for a link through logcat. Only then, they could mass-distribute the rollback file from Amazon and hope that the bootloader exploit has not been fixed.
 

p1gl3t

Senior Member
It's okay. I know a downgrade from 4.5.X is possible, but people would then need to intercept the traffic by sniffing for a link through logcat. Only then, they could mass-distribute the rollback file from Amazon and hope that the bootloader exploit has not been fixed.

I don't think logcat would provide any usable info. I have suggested multiple times and even provided a pretty complete guide for sniffing the actual http traffic.
But I wasn't speaking of the downgrade that Amazon provides. I was referring to an experiment that I did to bypass the version check that is enforced at the Android level (before rebooting). I managed to flash a 3.2.6 image, but I got a brick as the sbl1 from 3.2.6 has a lower version number. I can bet that the 3.2.7 OTA that Amazon provides for downgrade actually has both the build number and the sbl version number higher than the public 4.2.x.

If the recovery doesn't check the signature of the OTA we could do the following:
- provide a bogus image with a higher build number so that it passes the version check
- swap the checker binary from the ota with one that swaps the ota with a valid (signed one) so that it will pass the signature check
- while the android framework is verifying the valid ota swap it again by adb with a crafted ota that has the latest bootloader and kernel so that it can boot
- after the signature check passes the device would reboot and start flashing the crafted ota

If someone would provide a dump of the recovery partition we could disassemble it and see if it does any crypto signature verification.
 

r3pwn

Inactive Recognized Developer
r3pwn.com
I don't think logcat would provide any usable info. I have suggested multiple times and even provided a pretty complete guide for sniffing the actual http traffic.
But I wasn't speaking of the downgrade that Amazon provides. I was referring to an experiment that I did to bypass the version check that is enforced at the Android level (before rebooting). I managed to flash a 3.2.6 image, but I got a brick as the sbl1 from 3.2.6 has a lower version number. I can bet that the 3.2.7 OTA that Amazon provides for downgrade actually has both the build number and the sbl version number higher than the public 4.2.x.

If the recovery doesn't check the signature of the OTA we could do the following:
- provide a bogus image with a higher build number so that it passes the version check
- swap the checker binary from the ota with one that swaps the ota with a valid (signed one) so that it will pass the signature check
- while the android framework is verifying the valid ota swap it again by adb with a crafted ota that has the latest bootloader and kernel so that it can boot
- after the signature check passes the device would reboot and start flashing the crafted ota

If someone would provide a dump of the recovery partition we could disassemble it and see if it does any crypto signature verification.
It doesn't do any verification of any sort AFAIK. The only verification is done in recovery mode, and that is done before any binaries of any sort get executed. Also, using the newer bootloader on an older boot image would result in a bootloop, plus you wouldn't be able to install twrp.
 

p1gl3t

Senior Member
It doesn't do any verification of any sort AFAIK. The only verification is done in recovery mode, and that is done before any binaries of any sort get executed. Also, using the newer bootloader on an older boot image would result in a bootloop, plus you wouldn't be able to install twrp.

I must contradict you. I have actually managed to re-flash the 4.5.1 ota over the already installed 4.5.1. The complete story is here.
A build number check is enforced at the os level, before restarting. It first extracts build.prop and checks the device type and the build number. If these checks pass it then extracts META-INF/com/amazon/android/check-binary and runs it. This is before any signature check is done, so you can replace check-binary with whatever you want and it will still execute. Unfortunately it executes as the user of the ota app, not as system.
What I did is to replace check-binary with a shell script that replaces the ota that is currently being verified with a signed ota. By providing a signed ota everything will be fine and a reboot to recovery will be triggered.
As I stated in my previous post, an idea would be to replace the signed OTA with a crafted one that uses the 4.5.1 bootloader and kernel, but with userspace stuff modded to provide root. As long as the recovery doesn't use the certificates from /system/etc/security/otacerts.zip to verify the signature once again, this should work and enable us to flash an unsigned OTA.

Also, regarding the bootloop: if you flash a bootloader chain with a lower version number, the device doesn't bootloop. It doesn't even get to execute the first stage from eMMC (sbl1), let alone boot the kernel. You end up in QHUSB mode with no way to get out, as we do not have the required MPRG for getting access to eMMC. My device has been in this state since Christmas as I didn't have the time to sort out everything for getting a replacement.
I bought it from amazon.co.uk and someone else delivered it for me in my country (Romania). Now I am stuck as I have to provide a UK address to which Amazon will deliver the replacement. I did a bit of research regarding parcel forwarding services but, unfortunately, I didn't manage to find any cheap, reliable ones.

So, if anyone can recommend a UK parcel forwarding service, please shoot.
 

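The pre-reboot OTA gate that p1gl3t describes above (read build.prop, check device type and build number, run META-INF/com/amazon/android/check-binary, only then verify and reboot into recovery), together with the check-then-swap window that post relies on, as an added example that is not part of the original thread and not Amazon's code. The property names in build.prop, the "thor" device codename, the in-memory sample OTA and the `Updater` class are assumptions made for the illustration; the real checker is not public. It also answers the later question in this thread about re-flashing the same version: a strict "newer than" comparison rejects an equal build number.

```python
"""Added example (not from the thread): a model of the Android-side OTA gate
the posts describe, and of the check-then-swap window a swapped check-binary
exploits.  Member names, property keys and the device codename are assumptions."""
import hashlib
import io
import zipfile

CHECK_BINARY = "META-INF/com/amazon/android/check-binary"  # path named in the thread


def version_tuple(v):
    """'4.5.5.1' -> (4, 5, 5, 1)."""
    return tuple(int(p) for p in v.strip().split("."))


def is_strict_upgrade(current, candidate):
    """The 'forward lock': the candidate must be strictly newer than what is installed.
    Shorter versions are zero-padded, so 4.5 == 4.5.0 and is rejected."""
    a, b = version_tuple(current), version_tuple(candidate)
    n = max(len(a), len(b))
    return b + (0,) * (n - len(b)) > a + (0,) * (n - len(a))


def parse_build_prop(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def build_ota(device, version, payload=b"", check_binary=b"#!/system/bin/sh\nexit 0\n"):
    """Constructed sample OTA zip, in memory, with the members the thread names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("build.prop",
                   f"ro.product.device={device}\nro.build.version.number={version}\n")
        z.writestr(CHECK_BINARY, check_binary)  # runs before any signature check
        z.writestr("boot.img", payload)
    return buf.getvalue()


def gate_ota(ota_bytes, device, current_version):
    """Pre-reboot checks in the order the thread describes.  Returns (ok, reason)."""
    with zipfile.ZipFile(io.BytesIO(ota_bytes)) as z:
        names = z.namelist()
        if "build.prop" not in names:
            return False, "no build.prop"
        props = parse_build_prop(z.read("build.prop").decode())
    if props.get("ro.product.device") != device:
        return False, "wrong device"
    cand = props.get("ro.build.version.number", "")
    if not is_strict_upgrade(current_version, cand):
        return False, f"lower version: {cand} <= {current_version}"
    if CHECK_BINARY not in names:
        return False, "missing check-binary"
    return True, "ok"


class Updater:
    """Models the window between verification and reboot.  verify() pins a digest
    of the bytes it checked; stage_for_recovery() refuses to hand off a file whose
    bytes no longer match, which is the fix for the swap the thread describes."""

    def __init__(self, device, current_version):
        self.device, self.current_version, self.pinned = device, current_version, None

    def verify(self, ota_bytes):
        ok, reason = gate_ota(ota_bytes, self.device, self.current_version)
        self.pinned = hashlib.sha256(ota_bytes).hexdigest() if ok else None
        return ok, reason

    def stage_for_recovery(self, ota_bytes_now):
        """ota_bytes_now is whatever is on disk at reboot time."""
        return self.pinned is not None and \
            hashlib.sha256(ota_bytes_now).hexdigest() == self.pinned


if __name__ == "__main__":
    same = build_ota("thor", "4.5.5.1")             # codename is an assumption
    print(gate_ota(same, "thor", "4.5.5.1"))         # (False, 'lower version: ...')
    newer = build_ota("thor", "4.5.6")
    crafted = build_ota("thor", "4.5.6", payload=b"modded-userspace")
    u = Updater("thor", "4.5.5.1")
    print(u.verify(newer))                           # (True, 'ok')
    print(u.stage_for_recovery(crafted))             # False: bytes changed after check
    print(u.stage_for_recovery(newer))               # True
```

A checker that re-opens the file by path at reboot time instead of pinning what it verified is exactly the race the posts plan to use; whether the recovery then re-verifies against its own keys is the open question in the thread, and this model does not answer it.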
r3pwn

Inactive Recognized Developer
r3pwn.com
I must contradict you. I have actually managed to re-flash the 4.5.1 ota over the already installed 4.5.1.
A build number check is enforced at the os level, before restarting. It first extracts build.prop and checks the device type and the build number. If these checks pass it then extracts META-INF/com/amazon/android/check-binary and runs it. This is before any signature check is done, so you can replace check-binary with whatever you want and it will still execute. Unfortunately it executes as the user of the ota app, not as system.
What I did is to replace check-binary with a shell script that replaces the ota that is currently being verified with a signed ota. By providing a signed ota everything will be fine and a reboot to recovery will be triggered.
As I stated in my previous post, an idea would be to replace the signed OTA with a crafted one that uses the 4.5.1 bootloader and kernel, but with userspace stuff modded to provide root. As long as the recovery doesn't use the certificates from /system/etc/security/otacerts.zip to verify the signature once again, this should work and enable us to flash an unsigned OTA.

Also, regarding the bootloop: if you flash a bootloader chain with a lower version number, the device doesn't bootloop. It doesn't even get to execute the first stage from eMMC (sbl1), let alone boot the kernel. You end up in QHUSB mode with no way to get out, as we do not have the required MPRG for getting access to eMMC. My device has been in this state since Christmas as I didn't have the time to sort out everything for getting a replacement.
I bought it from amazon.co.uk and someone else delivered it for me in my country (Romania). Now I am stuck as I have to provide a UK address to which Amazon will deliver the replacement. I did a bit of research regarding parcel forwarding services but, unfortunately, I didn't manage to find any cheap, reliable ones.

So, if anyone can recommend a UK parcel forwarding service, please shoot.

It still does a signature verification in recovery (with keys stored in the recovery itself, I believe), so flashing an unsigned zip (or bin, whichever) will result in an error from recovery followed by a reboot.
 

p1gl3t

Senior Member
It still does a signature verification in recovery (with keys stored in the recovery itself, I believe), so flashing an unsigned zip (or bin, whichever) will result in an error from recovery followed by a reboot.

Are you 100% positive about this? Maybe there's still a way to get around it. Could you please provide a dump of the recovery, or do you know someone who can? I would like to disassemble it and see if there is something I can do.
 

r3pwn

Inactive Recognized Developer
r3pwn.com
Are you 100% positive about this? Maybe there's still a way to get around it. Could you please provide a dump of the recovery, or do you know someone who can? I would like to disassemble it and see if there is something I can do.
I don't have the device, I'm just stating what I know from just a general knowledge of android devices as well as how well Amazon protected their previous models.
 

p1gl3t

Senior Member
I don't have the device, I'm just stating what I know from just a general knowledge of android devices as well as how well Amazon protected their previous models.

OK, so if bypassing the signature verification won't work, how about sniffing the downgrade OTA? Do you know if the OTA app uses a hardcoded SSL identity for the server? If not, we could do a MITM and get our hands on the zip.
 

r3pwn

Inactive Recognized Developer
r3pwn.com
OK, so if bypassing the signature verification won't work, how about sniffing the downgrade OTA? Do you know if the OTA app uses a hardcoded SSL identity for the server? If not, we could do a MITM and get our hands on the zip.
One of my other replies had suggested that. Shouldn't be too difficult.
 

johim

Senior Member
I bought it from amazon.co.uk and someone else delivered it for me in my country (Romania). Now I am stuck as I have to provide a UK address to which Amazon will deliver the replacement. I did a bit of research regarding parcel forwarding services but, unfortunately, I didn't manage to find any cheap, reliable ones.

So, if anyone can recommend a UK parcel forwarding service, please shoot.
You can return it via regular post. Amazon will refund the shipping costs.
 

bsdnix

Senior Member
It still does a signature verification in recovery (with keys stored in the recovery itself, I believe), so flashing an unsigned zip (or bin, whichever) will result in an error from recovery followed by a reboot.
Can you please explain the procedure, how you managed to flash 4.5.1 over 4.5.1? I am trying to do the same on 4.5.5.1 and it gives me an error that it is a lower version, even though we are talking about the same version of the ROM...
 

r3pwn

Inactive Recognized Developer
r3pwn.com
Can you please explain the procedure, how you managed to flash 4.5.1 over 4.5.1? I am trying to do the same on 4.5.5.1 and it gives me an error that it is a lower version, even though we are talking about the same version of the ROM...

I didn't. I never had an HDX.
 
