BlackBerry PRIV Root Bounty

Jul 6, 2015
33
16
Los Angeles
UPDATED: 12/16/15

BB Priv Untethered Root Bounty Totals = $1000
BB Priv Tethered Root Bounty Totals = $140

Details are in Google Sheets
https://docs.google.com/spreadsheet...cn6EMoAYMYbp13Fw-FevDbU/edit?usp=docslist_api



Who's coming with us? [emoji1]

*** If you don't specify tethered or untethered, the donation amount will be added only to the untethered bounty
 

santimaster2000

Senior Member
Dec 25, 2009
374
96
Buenos Aires
The root request is for untethered? Or tethered?



Sent from my Z10 using xda premium

As long as I can install AdAway, block everything, and the changes to the host file remain after reboot, I'm fine with that, I'll still give my $100 to anyone that can make that happen, I don't need a Custom ROM, Bootloader Unlock or anything like that, I would like to see them happen, but I'm not holding my breath for them, I just want to block ads, nothing more.
 

Artemis-kun

Senior Member
Jan 29, 2012
128
57
From my experiences, usually these threads come to fruition and people deliver the payments once the bounty is hunted. Definitely does rely on the honour system, though. Maybe someone could set up one of those crowd-funding things? Heh.
 

santimaster2000

Senior Member
Dec 25, 2009
374
96
Buenos Aires
From my experiences, usually these threads come to fruition and people deliver the payments once the bounty is hunted. Definitely does rely on the honour system, though. Maybe someone could set up one of those crowd-funding things? Heh.

I've already taken part in the Custom ROM bounty for the Samsung Captivate Glide, and I kept my word.
 
Jul 6, 2015
33
16
Los Angeles
As long as I can install AdAway, block everything, and the changes to the host file remain after reboot, I'm fine with that, I'll still give my $100 to anyone that can make that happen, I don't need a Custom ROM, Bootloader Unlock or anything like that, I would like to see them happen, but I'm not holding my breath for them, I just want to block ads, nothing more.
I want root for Tasker, Xposed, & Titanium Backup. I have been using these apps for so long now that the inability to use them affects my purchasing choices.

I even switched to T-Mobile because they were not locking down their phones as much as Verizon & AT&T.

I just hope we can find a nice middle ground to balance the security & privacy BlackBerry offers with the flexibility Android users embrace.
 

Top Liked Posts
    6
    I've done complete reverse engineering of the "aboot" image signature verification and there are no vulnerabilities there...
    Moving now to the USB stack in aboot to look for issues in the USB protocol and in the fastboot commands...
    4
    Also done with all fastboot commands... nothing to exploit there...
    All commands that have ":" can take user arguments that we can control, but sadly for us the input validation is good.

    You can see the commands below and all the function handlers:

    Code:
    "download:", 0xF9287BC
    "getvar:", 0xF928660
    "oem mmcinfo", 0xF92E764
    "oem enable-charger-screen", 0xF92F414
    "oem disable-charger-screen", 0xF92F50C
    "oem info", 0xF92F85C
    "oem bootlog", 0xF92EC0C
    "oem securewipe", 0xF92E2F0
    "oem blocklist-wipe", 0xF92E070
    "oem grswipe", 0xF92E238
    "oem enable-usb-reset", 0xF92E020
    "oem enable-usb-shutdown", 0xF92DFD0
    "oem led:", 0xF939AE4
    "oem clear-anti-theft", 0xF92EFC4
    "oem format", 0xF92E670
    "oem gptinfo", 0xF92F170
    "oem set-factory-mode", 0xF92E1A8   -> not possible configured to always fail on production FW.
    "oem set-product-mode", 0xF92E118
    "oem erase-ddr-training-primary", 0xF92F34C
    "oem erase-ddr-training-backup", 0xF92E3A8
    "oem bootmetrics", 0xF951D04
    "oem getvarp:", 0xF92E504
    "oem dmesg", 0xF92F2CC
    "oem mmchealth", 0xF933C40
    "oem console", 0xF92F638
    "oem clear-lal", 0xF92E494

    I have seen an interesting flow in the boot chain update (0xF938DB8), but I don't have high hopes for that since it later reboots the platform and will validate the signatures (which are already OK), but I'm still poking here and there...
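As an added illustration of the ":" convention the post describes (this is example code written for this thread, not the poster's reverse-engineered listing or aboot's own source), here is a small table-driven fastboot command dispatcher in C showing what "input validation is good" means for a user-controlled argument: the argument of download: is checked for exact length, hex characters and an upper bound before it is trusted, and getvar: copies its name under an explicit size limit. MAX_DOWNLOAD, the 32-byte name limit and the handler names are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_DOWNLOAD 0x2000000u  /* assumed receive buffer size, not aboot's real value */

typedef int (*fb_handler)(const char *arg);
/* A prefix ending in ':' takes a user-controlled argument (the rest of the
   line); any other prefix must match the whole line exactly. */
struct fb_cmd { const char *prefix; fb_handler fn; };

static uint32_t pending_download;   /* size accepted by the last "download:" */
static char last_var[32];           /* name requested by the last "getvar:" */

/* "download:" takes exactly eight hex digits; reject any other length or
   character, and any size the receive buffer cannot hold. */
static int handle_download(const char *arg)
{
    if (strlen(arg) != 8) return -1;
    for (int i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)arg[i])) return -1;
    unsigned long size = strtoul(arg, NULL, 16);
    if (size == 0 || size > MAX_DOWNLOAD) return -1;
    pending_download = (uint32_t)size;
    return 0;
}

/* "getvar:" copies the requested variable name under an explicit bound. */
static int handle_getvar(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= sizeof last_var) return -1;
    memcpy(last_var, arg, n + 1);
    return 0;
}
static int handle_info(const char *arg) { (void)arg; return 0; }

static const struct fb_cmd cmds[] = {
    { "download:", handle_download }, { "getvar:", handle_getvar }, { "oem info", handle_info },
};

/* Dispatch one received line: 0 on success, -1 for an unknown command or an argument that fails validation. */
int fb_dispatch(const char *line)
{
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        size_t plen = strlen(cmds[i].prefix);
        if (strncmp(line, cmds[i].prefix, plen) != 0) continue;
        int takes_arg = cmds[i].prefix[plen - 1] == ':';
        if (!takes_arg && line[plen] != '\0') continue;
        return cmds[i].fn(takes_arg ? line + plen : "");
    }
    return -1;
}
```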
    3
    I think that the "aboot" module is well written and no mistakes have been made in that module. Meaning, this leaves us with finding a 0day bug in the Qualcomm 808 TrustZone or just exploiting an existing bug in the Android kernel.
    A ROM exploit is something that I didn't look for since it would need to be exploited and investigated blindly.

    So an Android kernel exploit is the easiest way to get root for now, and this can be achieved on the original release of the Priv (without the new FW update), or when a new kernel bug comes out we can exploit the new FW update as well.

    I can build this exploit (for the old version of the Priv before the security patches), but the question is, how much will this be worth to you?
    3
    Untethered root

    Add $20 bucks to it.