
[DEV] Bootloader Signature Bypass


Tumbtack (Member, joined Jul 8, 2014)
Excited!

You guys are doing incredible work, and I cannot even begin to express my gratitude. Was just wondering though, can we expect to see an AOSP Lollipop ROM eventually with this? 5.0.3 is just around the corner!
 

epicfailol (Member, joined Jul 18, 2012)
Wouldn't this be a pretty risky way of flashing ROMs? As far as I know you can't get into fastboot during the bootup, so if you mess up a flash and the device becomes unbootable, it gets bricked.
 

Demonoid111 (Senior Member, joined Jan 19, 2014)
I think it's possible to enter recovery during the bootup process by pressing down on a key combo. From recovery, any possible brick could be fixed.
 

jimyv (Senior Member, joined Jan 31, 2012, central Indiana)
Well,

Wouldn't this be a pretty risky way of flashing ROMs? As far as I know you can't get into fastboot during the bootup, so if you mess up a flash and the device becomes unbootable, it gets bricked.

Just having root access on this device is dangerous in the hands of the ignorant. This is just one step closer to getting us where we need to be.
 

D0ubl3_X (Senior Member, joined Dec 9, 2007, Stuttgart)
@r3pwn

Now that we can finally boot custom kernels is it possible to read the unlock_code from IDME?
Or is the IDME storage location locked down after bootloader?

Maybe it's now possible to get a full unlock?
 

r3pwn (Inactive Recognized Developer, joined Jul 11, 2012, Lakeland, FL)
@r3pwn

Now that we can finally boot custom kernels is it possible to read the unlock_code from IDME?
Or is the IDME storage location locked down after bootloader?

Maybe it's now possible to get a full unlock?
To be honest, I'm not sure. I have no idea. I don't even have this device, I'm just trying to help in every way possible. vortox helped me out with setting up the bootloader in IDA and if I see anything, I tell him.
 

gbgadgets (Senior Member, joined Feb 15, 2008, Chicago)
@r3pwn

Now that we can finally boot custom kernels is it possible to read the unlock_code from IDME?
Or is the IDME storage location locked down after bootloader?

Maybe it's now possible to get a full unlock?

As far as I know, IDME is a binary in the system partition. The program can be executed with root privileges. If you simply run idme help from an adb root shell, you can see the allowable commands for the program (like idme print, which shows the current values of a specific list of parameters/flags/memory). However, I don't think IDME is part of the check for the unlock_code; I think it is used to 'write' (print) a value to the 'unlock_code' parameter/flag in memory. I think since root access was achieved, there has always been the option to 'brute-force' this to try and print a valid unlock_code, but I think that is nearly impossible. I don't think this current signature check related to writing the recovery partition has any impact on the unlock_code or formally unlocking the bootloader.

I have used idme to change the board_id and it seems to work just fine. I was looking into the factory_provision_tool binary as well as the scripts that are in /persist directory like 'blow_fuse.sh' and 'prov.sh'. All of this to no real avail in getting anywhere.

Knowing more details about what all @vortox found and did with the signature checking for writing recovery might add some clues as to whether the unlock code checking in the bootloader is still worth pounding away at.
 

Cpasjuste (Senior Member, joined Jun 8, 2007)
I seem to remember that when unlocking my device I used something like "fastboot oem unlock_idme #####". Unfortunately I do not have the logs of the complete procedure anymore.
 

vortox (Senior Member, joined Jan 20, 2012)
I seem to remember that when unlocking my device I used something like "fastboot oem unlock_idme #####". Unfortunately I do not have the logs of the complete procedure anymore.

The unlock command should be "fastboot flash unlock code.img", and the check of the code.img should be vulnerable, too. I will release more details in the near future. I'm busier than anticipated at the moment.
 

Cpasjuste (Senior Member, joined Jun 8, 2007)

The unlock command should be "fastboot flash unlock code.img", and the check of the code.img should be vulnerable, too. I will release more details in the near future. I'm busier than anticipated at the moment.

At least I can assure you this was not how mine was unlocked. Like I said, it was unlocked via a fastboot oem command.
 

vortox (Senior Member, joined Jan 20, 2012)

I can just remember he asked for a few commands' output, then maybe built a hashed string with that, which I think I entered via something like "fastboot oem unlock_idme 'hash'"

I've been looking at the .3.1.0 and the .3.2.4 bootloader and I have never seen an "oem unlock" command. There are 3 oem commands "oem device-info", "oem relock" and "oem idme". But to use "oem idme" you have to be unlocked.
Whereas "flash unlock code.img" works. This command checks the provided code and if correct writes it modified into idme.
 

Cpasjuste (Senior Member, joined Jun 8, 2007)

I've been looking at the .3.1.0 and the .3.2.4 bootloader and I have never seen an "oem unlock" command. There are 3 oem commands "oem device-info", "oem relock" and "oem idme". But to use "oem idme" you have to be unlocked.
Whereas "flash unlock code.img" works. This command checks the provided code and if correct writes it modified into idme.

Well, I trust you more than my memory.
 

GSLEON3

Retired Senior Moderator
I've been looking at the .3.1.0 and the .3.2.4 bootloader and I have never seen an "oem unlock" command. There are 3 oem commands "oem device-info", "oem relock" and "oem idme". But to use "oem idme" you have to be unlocked.
Whereas "flash unlock code.img" works. This command checks the provided code and if correct writes it modified into idme.

Have you cross-referenced the dkernel image in later builds? The update process uses two separate boot images: of course, boot.img & dkernel.img.

This (if you have the patience to sift through it) has some good insight & observations: http://forum.xda-developers.com/showthread.php?p=28828452 Some of it is absolutely applicable. One of the things I started looking for were the bit indicators that sbl uses at boot to blow specific qfuses.

I believe that the key needed to access the bootloader in any meaningful way is a combination of things. The second boot image for one (dkernel), sbl & the NON-HLOS & of course the device ID in combination with a SHA256 hash. HOWEVER, if we can determine what fuses are blown on an unlocked device, then compare it to a locked device, we may be able to bypass it by loading the qfuse params as part of an update package, if the pertinent parts can be resigned.
 

Top Liked Posts

  • Merry Christmas!

    This is not an unlock

    I have been able to boot a custom TWRP. Using this exploit I crafted a signature that passes the check in the x.3.1.0 bootloader. I'm planning to release a tool to sign custom recoveries/boot images.

  • @vortox do you need help with programming?

    Thank you for the offer, but the coding is done and I'm starting to write the guide for the tool :)

  • Hello @rbox,

    I have implemented a bootloader signature bypass and was wondering if you could help me verify my method.

    Because we know this works for the firetv, my plan is:

    1. You could send me one of your unsigned custom recoveries for firetv.
    2. I would then sign it and send it back to you to check it works.

    Hope you don't mind me contacting you this way.

    ggow

  • Just some small update: I'm almost done writing the signing application and I will probably release it before the new year.

  • Hi!

    The first signed recovery is there, thanks to @vortox for the exploit! Please, some experienced users test it :)

    Happy new year!

    http://forum.xda-developers.com/kindle-fire-hdx/development/recovery-twrp-2-8-1-0-thor-t2986004