[WIP] Nexus One - S-OFF (locking bootloader again)

By rolle3k, Senior Member on 30th January 2011, 05:02 PM
Hiya!

I've disassembled hboot-0.35.0017 for the nexus one. Security check is done by a function that I have patched.

I attached my current IDA (5.5) Database. Patched HBOOT can be found here.

We still need a method/exploit to flash this modified HBOOT on our device so we can have S-OFF.
Attached file: HBOOT-IDA-Database.zip (938.7 KB)
30th January 2011, 07:10 PM |#2 by jdmoore81 (Senior Member)
So does this mean we can lock, or is it just a lock in progress? And the modified hboot, is it flashable?
30th January 2011, 07:22 PM |#3 by rolle3k (OP, Senior Member)
Quote:
Originally Posted by jdmoore81

So does this mean we can lock, or is it just a lock in progress? And the modified hboot, is it flashable?

We just need to find a way to flash that modified HBOOT on the nexus one and we can lock it.
30th January 2011, 07:32 PM |#4 by GuestK00255 (Guest)
Quote:
Originally Posted by rolle3k

We just need to find a way to flash that modified HBOOT on the nexus one and we can lock it.

Awesome! Even if I don't exactly know the variables in play, this sounds good and exciting.
30th January 2011, 08:29 PM |#5 by jdmoore81 (Senior Member)
What if the hboot is made flashable through a custom recovery?
30th January 2011, 08:41 PM |#6 by rolle3k (OP, Senior Member)
Quote:
Originally Posted by jdmoore81

What if the hboot is made flashable through a custom recovery?

As far as I understood this:

Code:
/* Bootloader / Recovery Flow
 *
 * On every boot, the bootloader will read the bootloader_message
 * from flash and check the command field.  The bootloader should
 * deal with the command field not having a 0 terminator correctly
 * (so as to not crash if the block is invalid or corrupt).
 *
 * The bootloader will have to publish the partition that contains
 * the bootloader_message to the linux kernel so it can update it.
 *
 * if command == "boot-recovery" -> boot recovery.img
 * else if command == "update-radio" -> update radio image (below)
 * else if command == "update-hboot" -> update hboot image (below)
 * else -> boot boot.img (normal boot)
 *
 * Radio/Hboot Update Flow
 * 1. the bootloader will attempt to load and validate the header
 * 2. if the header is invalid, status="invalid-update", goto #8
 * 3. display the busy image on-screen
 * 4. if the update image is invalid, status="invalid-radio-image", goto #8
 * 5. attempt to update the firmware (depending on the command)
 * 6. if successful, status="okay", goto #8
 * 7. if failed, and the old image can still boot, status="failed-update"
 * 8. write the bootloader_message, leaving the recovery field
 *    unchanged, updating status, and setting command to
 *    "boot-recovery"
 * 9. reboot
 *
 * The bootloader will not modify or erase the cache partition.
 * It is recovery's responsibility to clean up the mess afterwards.
 */
The bootloader is flashing itself, the recovery just informs it to do so.
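A small model of the flow in that comment, added here as an example and not code from the thread or from AOSP: it parses the bootloader_message block (assuming the legacy command[32]/status[32]/recovery[1024] layout from recovery.h of that era), performs the boot-time command dispatch, and writes back the step-8 message for each update outcome. The validity checks are stand-in booleans, not real header or signature verification.

```python
import struct

# Legacy AOSP bootloader_message layout (assumption: command[32], status[32],
# recovery[1024] as in recovery.h of the Nexus One era; later Android adds more).
FMT = "32s32s1024s"
MSG_LEN = struct.calcsize(FMT)  # 1088 bytes

def _cstr(field: bytes) -> str:
    """Decode a fixed-size char array that may lack a 0 terminator."""
    end = field.find(b"\0")
    return field[: end if end >= 0 else len(field)].decode("ascii", "replace")

def parse_message(blob: bytes) -> dict:
    """Split a raw misc-partition block into its three string fields."""
    if len(blob) != MSG_LEN:
        raise ValueError("bootloader_message must be %d bytes" % MSG_LEN)
    cmd, status, recovery = struct.unpack(FMT, blob)
    return {"command": _cstr(cmd), "status": _cstr(status), "recovery": _cstr(recovery)}

def build_message(command: str, status: str, recovery: str) -> bytes:
    """Pack the fields; struct zero-pads short strings and truncates long ones."""
    return struct.pack(FMT, command.encode(), status.encode(), recovery.encode())

def choose_boot_target(blob: bytes) -> str:
    """Boot-time dispatch on the command field, as in the comment above."""
    cmd = parse_message(blob)["command"]
    if cmd == "boot-recovery":
        return "recovery.img"
    if cmd in ("update-radio", "update-hboot"):
        return cmd  # firmware update path, handled by apply_firmware_update
    return "boot.img"  # anything else, including garbage, is a normal boot

def apply_firmware_update(blob: bytes, header_valid: bool,
                          image_valid: bool, flash_ok: bool) -> tuple:
    """Steps 1-8 of the radio/hboot update flow. The booleans stand in for the
    bootloader's header check, image (signature) check and flash result.
    Returns the status and the message written back in step 8: recovery field
    unchanged, status updated, command forced to "boot-recovery"."""
    old = parse_message(blob)
    if not header_valid:
        status = "invalid-update"          # step 2
    elif not image_valid:
        status = "invalid-radio-image"     # step 4
    elif flash_ok:
        status = "okay"                    # step 6
    else:
        status = "failed-update"           # step 7
    return status, build_message("boot-recovery", status, old["recovery"])
```

Whatever the outcome, the device comes back up in recovery with the status string, so recovery (not the bootloader) can read it and clean up the cache partition.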
30th January 2011, 08:45 PM |#7 by efrant (Senior Moderator / Developers Relations)
Quote:
Originally Posted by jdmoore81

What if the hboot is made flashable through a custom recovery?

+1. What if you just use a custom recovery with signature verification off?

@rolle3k: Assuming we can get it to flash, would you be able to make the same mod to the newer HBOOT, HBOOT-0.35.0017?
30th January 2011, 08:50 PM |#8 by rolle3k (OP, Senior Member)
Quote:
Originally Posted by efrant

+1. What if you just use a custom recovery with signature verification off?

@rolle3k: Assuming we can get it to flash, would you be able to make the same mod to the newer HBOOT, HBOOT-0.35.0017?

Sure. I will edit it and try to flash it with verification off. If it works, I will let you guys know.
30th January 2011, 09:13 PM |#9 by MicroMod777 (Recognized Contributor)
Great work here! Keep it up!
30th January 2011, 09:16 PM |#10 by rolle3k (OP, Senior Member)
I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.
Attached file: rolle3k-hboot-0.35.0017.zip (379.6 KB)
30th January 2011, 09:33 PM |#11 by redstar3894 (Retired Recognized Developer)
Quote:
Originally Posted by rolle3k

I hacked the new hboot, but as expected, it failed to install because the signature is invalid. However, I attached the hboot nevertheless. If you manage to flash it, you can just use "fastboot oem lock" without problems, thus locking the bootloader once again.

You won't be able to flash it unless you have an S-OFF nexus... otherwise HBOOT will refuse to flash anything that doesn't have a signature match...

That's why if you try flashing a Desire Radio to the N1, it won't work with a 'normal' nexus... you need to have the S-OFF in the bootloader as previously indicated...

So we would need to find a way (like they've done with the EVO, DINC, etc...) to get past the NAND lock (S-OFF)... I just don't think that people have tried to get that accomplished with the nexus since you can just do 'fastboot oem unlock' and it's done, unlike the other devices...

Very nice work though... I don't think I've seen anyone else get this far... maybe someone could try to get a hold of unrevoked and see if someone there could be of assistance since they haven't published their method of bypassing the NAND lock... but then even if we were able to bypass the NAND lock we would still potentially have the already unlocked bootloader there... if that makes sense...