[WIP] Nexus One - S-OFF (locking bootloader again)


rolle3k

Senior Member
Feb 6, 2010
132
139
dein Vater
Hiya!

I've disassembled hboot-0.35.0017 for the nexus one. Security check is done by a function that I have patched.

I attached my current IDA (5.5) Database. Patched HBOOT can be found here.

We still need a method/exploit to flash this modified HBOOT on our device so we can have S-OFF.
 

Attachments

  • HBOOT-IDA-Database.zip (938.7 KB)

jdmoore81

Senior Member
Dec 27, 2009
317
6
Morgonton
So does this mean we can lock, or is it just a lock in progress? And the modified hboot, is it flashable?

Sent from my Nexus One using XDA App
 

rolle3k
What if the hboot is made flashable through custom recovery.


As far as I understood this:

Code:
/* Bootloader / Recovery Flow
 *
 * On every boot, the bootloader will read the bootloader_message
 * from flash and check the command field.  The bootloader should
 * deal with the command field not having a 0 terminator correctly
 * (so as to not crash if the block is invalid or corrupt).
 *
 * The bootloader will have to publish the partition that contains
 * the bootloader_message to the linux kernel so it can update it.
 *
 * if command == "boot-recovery" -> boot recovery.img
 * else if command == "update-radio" -> update radio image (below)
 * else if command == "update-hboot" -> update hboot image (below)
 * else -> boot boot.img (normal boot)
 *
 * Radio/Hboot Update Flow
 * 1. the bootloader will attempt to load and validate the header
 * 2. if the header is invalid, status="invalid-update", goto #8
 * 3. display the busy image on-screen
 * 4. if the update image is invalid, status="invalid-radio-image", goto #8
 * 5. attempt to update the firmware (depending on the command)
 * 6. if successful, status="okay", goto #8
 * 7. if failed, and the old image can still boot, status="failed-update"
 * 8. write the bootloader_message, leaving the recovery field
 *    unchanged, updating status, and setting command to
 *    "boot-recovery"
 * 9. reboot
 *
 * The bootloader will not modify or erase the cache partition.
 * It is recovery's responsibility to clean up the mess afterwards.
 */
The bootloader is flashing itself, the recovery just informs it to do so.
 
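The quoted flow comment says two things a bootloader implementer has to get right: the command field may arrive without a 0 terminator (so the compare must be bounded, not a plain strcmp), and step 8 must write status and command while leaving the recovery field alone. The following is an added example, not code from the thread, from HTC's hboot or from AOSP: the struct layout (command[32], status[32], recovery[1024]) and the sample messages are constructed for the example, and the three flags passed to run_update stand in for the header, image and flash checks a real bootloader would perform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the bootloader_message block. The thread quotes only the
 * flow comment, not the struct; these field sizes are constructed for the
 * example and are not taken from the page. */
struct bootloader_message {
    char command[32];
    char status[32];
    char recovery[1024];
};

enum boot_action { ACT_BOOT_NORMAL = 0, ACT_BOOT_RECOVERY, ACT_UPDATE_RADIO, ACT_UPDATE_HBOOT };

/* Compare a fixed-size field that may lack a NUL terminator against a
 * literal. Never reads past field_len, and only matches when the literal
 * either fills the field exactly or is followed by a NUL, so a corrupt or
 * prefix-extended command ("boot-recoveryXYZ") falls through to normal boot. */
static int field_equals(const char *field, size_t field_len, const char *lit)
{
    size_t n = strlen(lit);
    if (n > field_len || memcmp(field, lit, n) != 0)
        return 0;
    return n == field_len || field[n] == '\0';
}

/* The command dispatch from the quoted flow comment. */
enum boot_action bootloader_dispatch(const struct bootloader_message *msg)
{
    size_t len = sizeof msg->command;
    if (field_equals(msg->command, len, "boot-recovery")) return ACT_BOOT_RECOVERY;
    if (field_equals(msg->command, len, "update-radio"))  return ACT_UPDATE_RADIO;
    if (field_equals(msg->command, len, "update-hboot"))  return ACT_UPDATE_HBOOT;
    return ACT_BOOT_NORMAL;
}

/* Write a field with a guaranteed terminator. */
static void set_field(char *field, size_t field_len, const char *val)
{
    memset(field, 0, field_len);
    strncpy(field, val, field_len - 1);
}

/* Steps 1-8 of the radio/hboot update flow. The three flags stand in for the
 * header check, image check and flash result a real bootloader would compute.
 * Step 8: status is recorded, recovery is left untouched, command becomes
 * "boot-recovery" so recovery can clean up after the reboot (step 9). */
void run_update(struct bootloader_message *msg, int header_ok, int image_ok, int flash_ok)
{
    const char *status;
    if (!header_ok)      status = "invalid-update";        /* step 2 */
    else if (!image_ok)  status = "invalid-radio-image";   /* step 4 */
    else if (flash_ok)   status = "okay";                  /* step 6 */
    else                 status = "failed-update";         /* step 7 */
    set_field(msg->status, sizeof msg->status, status);
    set_field(msg->command, sizeof msg->command, "boot-recovery");
}

/* Constructed sample: a wholly corrupt block with no terminators anywhere. */
enum boot_action demo_unterminated_command(void)
{
    struct bootloader_message msg;
    memset(&msg, 'A', sizeof msg);
    return bootloader_dispatch(&msg);   /* ACT_BOOT_NORMAL, and no over-read */
}

/* Constructed sample: dispatch on a given command string. */
enum boot_action demo_command(const char *cmd)
{
    struct bootloader_message msg;
    memset(&msg, 0, sizeof msg);
    strncpy(msg.command, cmd, sizeof msg.command - 1);
    return bootloader_dispatch(&msg);
}

/* Constructed sample: a failed hboot update must keep the recovery field and
 * route the next boot into recovery. Returns 1 when both hold. */
int demo_failed_update_flow(void)
{
    struct bootloader_message msg;
    memset(&msg, 0, sizeof msg);
    set_field(msg.command, sizeof msg.command, "update-hboot");
    set_field(msg.recovery, sizeof msg.recovery, "recovery\n--wipe_cache\n");
    run_update(&msg, 1, 1, 0);
    return strcmp(msg.status, "failed-update") == 0
        && strcmp(msg.command, "boot-recovery") == 0
        && strcmp(msg.recovery, "recovery\n--wipe_cache\n") == 0;
}

int main(void)
{
    printf("corrupt block -> action %d\n", demo_unterminated_command());
    printf("boot-recoveryXYZ -> action %d\n", demo_command("boot-recoveryXYZ"));
    printf("failed update handled correctly: %d\n", demo_failed_update_flow());
    return 0;
}
```

The point of field_equals is the one the comment warns about: a block filled with garbage must route to a normal boot rather than crash or match by accident, and the bounded compare is what gives that guarantee. run_update shows why recovery can rely on the status field after the reboot while its own recovery field is never touched by the bootloader.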

rolle3k
I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.
 

Attachments

  • rolle3k-hboot-0.35.0017.zip (379.6 KB)

redstar3894

Retired Recognized Developer
Jun 3, 2010
428
119
Chicago, IL
redstar.euroskank.com
I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.
You won't be able to flash it unless you have an S-OFF nexus... otherwise HBOOT will refuse to flash anything that doesn't have a signature match...

That's why if you try flashing a Desire Radio to the N1, it won't work with a 'normal' nexus... you need to have the S-OFF in the bootloader as previously indicated...

So we would need to find a way (like they've done with the EVO, DINC, etc...) to get past the NAND lock (S-OFF)... I just don't think that people have tried to get that accomplished with the nexus since you can just do 'fastboot oem unlock' and it's done, unlike the other devices... :rolleyes:


Very nice work though... I don't think I've seen anyone else get this far... maybe someone could try to get a hold of unrevoked and see if someone there could be of assistance since they haven't published their method of bypassing the NAND lock... but then even if we were able to bypass the NAND lock we would still potentially have the already unlocked bootloader there... if that makes sense... :cool:
 

ezeldin

Member
Jul 19, 2010
6
0
I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.

How can I use this file?
 

MicroMod777

Recognized Contributor
I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.

Does it just need to be signed? Can you just uncheck signature verification from the Recovery program?
 

rolle3k
You won't be able to flash it unless you have an S-OFF nexus... otherwise HBOOT will refuse to flash anything that doesn't have a signature match...

That's why if you try flashing a Desire Radio to the N1, it won't work with a 'normal' nexus... you need to have the S-OFF in the bootloader as previously indicated...

So we would need to find a way (like they've done with the EVO, DINC, etc...) to get past the NAND lock (S-OFF)... I just don't think that people have tried to get that accomplished with the nexus since you can just do 'fastboot oem unlock' and it's done, unlike the other devices... :rolleyes:


Very nice work though... I don't think I've seen anyone else get this far... maybe someone could try to get a hold of unrevoked and see if someone there could be of assistance since they haven't published their method of bypassing the NAND lock... but then even if we were able to bypass the NAND lock we would still potentially have the already unlocked bootloader there... if that makes sense... :cool:

Thanks a lot for your post. Although I was told that unrevoked's exploit does not seem to work with the Nexus One bootloader, as it differs way too much from the Desire's bootloader.

Does it just need to be signed? Can you just uncheck signature verification from the Recovery program?

Unfortunately that does not do the trick. The recovery just tells the HBoot to flash a radio/hboot - it cannot do that itself, and the HBoot still checks the signature.

/EDIT:

[10:28] <@IEF> Bumble-bee: the exploit currently does not work on N1.
[10:29] <@IEF> it's on of the few devices that's missing the interface to hboot.
[10:29] <@IEF> *one

The exploit used by AlphaRev doesn't work on the N1 unfortunately ;(
 

rolle3k
Well, I prepared a HBOOT image which has the security check patched, that means security will be off as long as it is flashed. I could even add some code which would set the security flag directly, but that will stay open for the future until someone comes up with a solution to flash an unsigned HBOOT.
 

efrant

Retired Senior Moderator & Developers Relations
Feb 12, 2009
11,468
10,985
Montreal
Samsung Galaxy S20
Well, I prepared a HBOOT image which has the security check patched, that means security will be off as long as it is flashed. I could even add some code which would set the security flag directly, but that will stay open for the future until someone comes up with a solution to flash an unsigned HBOOT.
Thanks for your efforts thus far.
 

Top Liked Posts

blackrose

blackrose can flash everything.
we can reflash a custom bootloader.
maybe you can execute fastboot functions (boot, flash) without unlock (without changing the lock flag) :)

Our quest seems to be to modify the bootloader and dump hboot 0.35.2017 (ENG S-OFF)

but bootloader relock requires radio s-off

http://xdaforums.com/showthread.php?t=1270589

Good luck guys. I think you're traveling down a dead end road without the signing key though.
This is probably how HTC re-locks devices... they have a signed hboot that lets them re-lock, then they slap the standard hboot back on there. If only we could get a hold of the necessary file(s). Too bad... I don't think any HTC engineers speak English :-\
Again, good luck.

No it's not. What they do is insert a special HTC "smart card" into the SIM slot, then power on to the bootloader menu and select the "SIMLOCK" option, which will send a special AT unlock command to the radio, which will check the "smart card". If the check passes it will set the security flag to off, otherwise it will return an error. The "SIMLOCK" menu also works when S-OFF is enabled; when it is, the "smart card" check is skipped by the radio and the security flag will then be set to on.

There is also a check in hboot preventing you from being supercid as long as security is enabled. Once the security flag is set to off, hboot just acts as an engineering SPL and will happily relock your bootloader. That way there is no need to reflash the hboot and there is also no need to worry about a leaked signed engineering SPL.

A little update about the current situation: As long as no HTC engineer is up to sign my HBOOT.nb0 we will have to look out for an exploit to inject code to temporarily toggle the secu flag off. Then we can flash an unsigned HBOOT and we have S-OFF, which means we can finally lock our devices again.

The Secuflag is currently checked like this:
Code:
sub_8E047AB8

var_4= -4

STR     R4, [SP,#var_4]!
MOV     R3, 0x8E0978B4
LDR     R4, [R3]
ADD     R4, R4, #0xFC000
ADD     R4, R4, #0xA0
LDR     R0, [R4]
AND     R0, R0, #1
LDMFD   SP!, {R4}
BX      LR
; End of function sub_8E047AB8

The whole function looks like this in C:

Code:
#include <stdint.h>

int isSecuFlagSet( void )
{
  /* the word at 0x8E0978B4 holds a base address; the flag word sits
   * 0xFC0A0 bytes past it (the two ADDs above: 0xFC000 + 0xA0) */
  uintptr_t base = *(volatile uint32_t*)0x8E0978B4;
  return (*(volatile uint32_t*)(base + 0xFC0A0)) & 1;
}

We can overwrite this easily with code like this (if we find an exploit!)

Code:
#include <stdint.h>

void removeSecuFlag( void )
{
  /* same base and byte offset as in isSecuFlagSet; clear bit 0 */
  uintptr_t base = *(volatile uint32_t*)0x8E0978B4;
  volatile uint32_t* flags = (volatile uint32_t*)(base + 0xFC0A0);
  *flags &= ~0x01u;
}

So yea, it's just about time, patience and luck ;p

I've teamed up with RunTimeWorld, jkoljo and maxisma - you can find us in #runtimeworld on freenode, if you want to help.

I uploaded my IDA Database of the newest HBOOT: http://ul.to/yiynox

Security check function has been identified. I will upload my patched HBOOT tomorrow as I need to get some sleep now.