DELETED

Status
Not open for further replies.

brokenworm

Senior Member
Jan 25, 2009
marsdroid.me
...well, anyone tell me what this is?
It's a modified XBL bootloader... for now the security hole is enabled if you know what to do with the partition sde34...
I'll build an image for the partition that will make the secureboot frack up.. so we can get rid of the stupid text on unlocked OEM

It is not gonna happen in 1 day... let me and others work on it
It's a good start, and I DID try the files on my own ot5 before publishing it
:D
 

tids2k

Senior Member
Apr 21, 2009
Sydney
Wow @brokenworm, this is amazing! Thanks. Have you only tried this on OnePlus bootloaders? I am sure this could be worked up on other devices too. You should msg alephsecurity and tell them about this exploit so that they can further explore this. Thanks again :)
 

ussl

Senior Member
Jul 4, 2013
Hod Hasharon
Just wanna make sure, is there a way to revert to the stock BL if I want to relock or something? (Just not sure whether or not OP has released a BL image or something like that)
 

AJsama

Senior Member
Dec 24, 2016
brokenworm said:
It's a modified XBL bootloader... for now the security hole is enabled if you know what to do with the partition sde34...
I'll build an image for the partition that will make the secureboot frack up.. so we can get rid of the stupid text on unlocked OEM

It is not gonna happen in 1 day... let me and others work on it
It's a good start, and I DID try the files on my own ot5 before publishing it
:D

wow, coolll! :victory:
 

pillowsnyc

Senior Member
Jun 26, 2014
Am I the only one that looked at the title and wondered what Xbox Live had to do with OnePlus :)

On topic: I look forward to future releases based on this :) and the other creative things that can be done with it
 

Shad0wKn1ght93

Senior Member
Oct 25, 2013
If this actually works, that'd mean that OnePlus somehow managed to knock out the signature verification of the bootloader. If you flash this on a properly provisioned retail device, you're just gonna brick it. You can't just modify random stuff in signed firmware images and expect them to work on retail hardware.
 

Attachments

brokenworm

Senior Member
Jan 25, 2009
marsdroid.me
Shad0wKn1ght93 said:
If this actually works, that'd mean that OnePlus somehow managed to knock out the signature verification of the bootloader. If you flash this on a properly provisioned retail device, you're just gonna brick it. You can't just modify random stuff in signed firmware images and expect them to work on retail hardware.

I'm of course rooted with Magisk and have TWRP installed

PBL comes before XBL "PBL the primary bootloader"

so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first...

currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01

... SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock "also my XBL" it would start as normal.. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34, it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot... sde34 is the way.. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34

Don't come tell me what I can and cannot do.. we're doing it anyways!
 

tfwboredom

Senior Member
Oct 21, 2012
brokenworm said:
I'm of course rooted with Magisk and have TWRP installed

PBL comes before XBL "PBL the primary bootloader"

so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first...

currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01

... SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock "also my XBL" it would start as normal.. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34, it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot... sde34 is the way.. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34

Don't come tell me what I can and cannot do.. we're doing it anyways!

Editing a text config file in this case is as much of a change as if I told you that I am using a OnePlus 7 just because I changed my build.prop to say that. Without compiling the bootloader with these changes in effect, it really isn't making a difference. Additionally, as the person above me pointed out, if you were able to run a modified XBL I'd be very surprised. Did you actually try this?
 

Shad0wKn1ght93

Senior Member
Oct 25, 2013
brokenworm said:
I'm of course rooted with Magisk and have TWRP installed

PBL comes before XBL "PBL the primary bootloader"

so you don't have to worry... and I WILL NOT publish anything before I have flashed it on my own phone first...

currently I've managed to tick the 0x01 to 0x0 to make the security hole active.. default was 0x01

... SPLASH partition sde34 is currently NOT checked by either XBL or PBL; even if you edited the partition sde34 and restored all to stock "also my XBL" it would start as normal.. neither red warning nor orange! I tested this!
I managed to edit the check, meaning it's disabled on that partition, with a simple 0x0 and removed # to get it to respond to the ticks! But surely you cannot run my XBL completely stock, ONLY sde34, it's just not what we are doing here.
We try to get the security hole on sde34 to smash up the secboot... sde34 is the way.. not my XBL; the XBL was to remove the RSA hashing / checks on the partition, nothing else. So while we work on the exploit we use the XBL.. but I'm hoping someone takes it further and DOES make the XBL do such carnage without the sde34

Don't come tell me what I can and cannot do.. we're doing it anyways!

You didn't "trick" anything. You used HexEdit to edit two bytes. In doing so you've invalidated the signature, and actually messed up the image itself, since you can't just randomly insert bytes into it. Proof is in the attachment. No way in hell this boots.

First attachment shows the terrible editing (removed the #, which breaks the parsing / added a byte later on that corrupts the entire image from thereon), second one the resulting corruption of the image as a result of the extra byte that he added.
 

Attachments

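As an added illustration (my own constructed example, not code from the thread, from brokenworm's ZIP, or from any OnePlus/Qualcomm image), the toy image format below has a header that commits to the payload's length and SHA-256 digest, the way a signed bootloader header commits to what the signature covers. It reproduces the two failure modes Shad0wKn1ght93 describes: an in-place two-byte change keeps the size but breaks the digest, while deleting the `#` or inserting an extra byte shifts every later offset so the header's length field no longer matches. The magic value, field layout and config text are assumptions made up for this demonstration.

```python
import hashlib
import struct

# Toy "signed image" layout, constructed for this example (NOT the real XBL format):
#   magic(4) | payload_len(4, little-endian) | sha256(payload)(32) | payload
MAGIC = b"IMG1"
HEADER = struct.Struct("<4sI32s")


def build_image(payload: bytes) -> bytes:
    """Build an image whose header commits to the payload's length and digest.
    A real secure-boot header carries an RSA signature over such a digest;
    the digest alone is enough to show how edits are detected."""
    digest = hashlib.sha256(payload).digest()
    return HEADER.pack(MAGIC, len(payload), digest) + payload


def verify_image(image: bytes) -> str:
    """Mimic a loader's integrity checks and return a verdict string."""
    if len(image) < HEADER.size:
        return "truncated header"
    magic, length, digest = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return "bad magic"
    payload = image[HEADER.size:]
    if len(payload) != length:          # size changed: offsets after the edit are shifted
        return "length mismatch"
    if hashlib.sha256(payload).digest() != digest:   # size intact, content changed
        return "digest mismatch"
    return "ok"


def overwrite_byte(image: bytes, offset: int, value: int) -> bytes:
    """In-place edit (hex editor overwrite mode): image size is unchanged."""
    return image[:offset] + bytes([value]) + image[offset + 1:]


def delete_byte(image: bytes, offset: int) -> bytes:
    """Removing a byte pulls everything after it back by one."""
    return image[:offset] + image[offset + 1:]


def insert_byte(image: bytes, offset: int, value: int) -> bytes:
    """Inserting a byte pushes everything after it forward by one."""
    return image[:offset] + bytes([value]) + image[offset:]


def field_offset(image: bytes, name: bytes) -> int:
    """Where a named config field sits inside the image."""
    return image.index(name)


# Constructed payload: a tiny config blob with a commented-out flag, a stand-in
# for the text seen in the hex editor screenshots (hypothetical field names).
PAYLOAD = b"#secure_boot_bypass=0x01\nsplash_check=0x01\n"
IMAGE = build_image(PAYLOAD)


def demo() -> dict:
    """Run the stock image and three edited variants through the verifier."""
    results = {"stock": verify_image(IMAGE)}
    flag_off = HEADER.size + PAYLOAD.index(b"0x01") + 3          # the '1' of the first 0x01
    results["flip_0x01_to_0x00"] = verify_image(overwrite_byte(IMAGE, flag_off, ord("0")))
    results["remove_hash_sign"] = verify_image(delete_byte(IMAGE, HEADER.size))
    shifted = insert_byte(IMAGE, HEADER.size + 5, 0x20)
    results["insert_extra_byte"] = verify_image(shifted)
    # every field after the insertion point now sits one byte later than the loader expects
    results["splash_offset_shift"] = field_offset(shifted, b"splash_check") - field_offset(IMAGE, b"splash_check")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The overwrite case is the "invalidated the signature" half of the argument: the loader parses the header fine and then rejects the payload. The delete and insert cases are the "messed up the image" half: the length check fails before any digest is computed, and `splash_offset_shift` shows why a parser that trusts fixed offsets reads garbage from the insertion point onward.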

Macusercom

Forum Moderator
Staff member
Sep 2, 2014
Vienna
christophgrubits.at
Shad0wKn1ght93 said:
You didn't "trick" anything. You used HexEdit to edit two bytes. In doing so you've invalidated the signature, and actually messed up the image itself, since you can't just randomly insert bytes into it. Proof is in the attachment. No way in hell this boots.

First attachment shows the terrible editing (removed the #, which breaks the parsing / added a byte later on that corrupts the entire image from thereon), second one the resulting corruption of the image as a result of the extra byte that he added.

Thanks for pointing that out! Seriously, why upload a dangerous ZIP file that could probably corrupt one person's bootloader? I myself have very little knowledge of how bootloaders work, but the thing that I do know is that they are not easily editable without breaking tons of security mechanisms. Such easy edits would be the easiest way to go for hackers if it were true.
 

the Doctor

Retired Senior Moderator
Dec 15, 2011
In the TARDIS
THREAD CLEANED

Expressing differences of opinion on XDA is fine, even expected. Doing so with a rude, condescending tone and flaming others is not. Per the forum rules:
2.3 Flaming / Lack of respect: XDA is about sharing and this does not involve virtual yelling (flaming) or rudeness. Flaming or posting with a lack of respect is unacceptable. Treat new members in the manner in which you would like to have been treated when you were a new member. When dealing with any member, provide them with guidance, advice and instructions when you can, showing them respect and courtesy. Never post in a demanding, argumentative, disrespectful or self-righteous manner.

2.4 Personal attacks, racial, political and / or religious discussions: XDA is a discussion forum about certain mobile phones. Mobile phones are not racial, political, religious or personally offensive and therefore, none of these types of discussions are permitted on XDA.
 