
[DEV] Bootloader Signature Bypass


GSLEON3

Retired Senior Moderator
I am starting to get a feel again. I think what we have here is dkernel is installed to enable yaffs2 support. Then the tarball includes a not from flash micro os, that is booted to, taking control from the production bootloader, & the yaffs2 are written to allow the flash commands for fastboot. It is a pain because they seem to be using some TI pioneered tech alongside the Qualcomm SoC. The appsboot.mbn in the fwupdate tarball definitely contains some things stripped out of the flash memory appsboot (emmc_appsboot.mbn). If you look at the duplicate files in fwupdate, it starts to make sense. It appears like they may be using a payload OS to handle updating.
 
  • Like
Reactions: EncryptedCurse

r3pwn

Inactive Recognized Developer
Jul 11, 2012
1,745
2,046
Lakeland, FL
r3pwn.com
> I am starting to get a feel again. I think what we have here is dkernel is installed to enable yaffs2 support. Then the tarball includes a not from flash micro os, that is booted to, taking control from the production bootloader, & the yaffs2 are written to allow the flash commands for fastboot. It is a pain because they seem to be using some TI pioneered tech alongside the Qualcomm SoC. The appsboot.mbn in the fwupdate tarball definitely contains some things stripped out of the flash memory appsboot (emmc_appsboot.mbn). If you look at the duplicate files in fwupdate, it starts to make sense. It appears like they may be using a payload OS to handle updating.

In the newer builds, they (Amazon) use a binary (and a shell script) to blow anti-rollback qfuses. Have you looked at those?
 
  • Like
Reactions: jimyv

salvo22

Member
Nov 28, 2010
43
14
@r3pwn,

Thanks for pointing me in that direction... With the 13.3.2.4 stock kernel I have a build of AOSP Lollipop 5.0.1 which now boots to some degree. Very early days yet, but some progress. I now have adb access. I can see in logcat that services are starting up and then dying.

I can't see the boot animation yet because the video driver / surfaceflinger is not starting. First goal is to get that and full hw graphical support working.

Definitely a way forward :)

Have you unlocked the bootloader of the HDX 7 thor? :fingers-crossed:
 

Surge1223

Recognized Contributor
Nov 6, 2012
2,618
7,428
Florida
Is there still active work on this? I have made a loader for IDA to load and decode bootloaders, and I'm wondering if someone would be willing to test it on Kindle bootloaders. I'll push the source for the loader to git eventually, but I want to make sure it works on bootloaders other than Samsung's implementation, since Samsung alters their lk (aboot).

I would prefer to have someone who already has ida installed with ida python working.

Contact me directly on hangouts @ [email protected] if interested.

Thanks.
 
  • Like
Reactions: Grtschnk

dpeddi

Senior Member
Mar 10, 2007
206
133
The unlock command should be "fastboot flash unlock code.img", and the check of the code.img should be vulnerable, too. I will release more details in the near future. I'm busier than anticipated at the moment.

I've just disassembled the emmc_appsboot.mbn of the 14.3.1.0 firmware.

As already discovered, idme_write is called by "fastboot oem relock" and "fastboot verify unlock unlock.img".

unlock.img should be signed, and should be vulnerable.

Both store (or invalidate) unlock_code to idme.

Since idme is writable by firmware I think Cpasjuste issued

adb shell "idme unlock_code hash"

This doesn't need to be signed at all.

It would be interesting if he can do a

adb shell idme print

It should print all idme variables and he can restore his raw unlock_code.

The certificate should start at 0x38458 and is different from the cert for signing image

The value to encrypt should be formatted as 0x%02x%08x, and the two parameters should be retrieved by mmc (perhaps mmc serial and some more).
 
Last edited:
  • Like
Reactions: EncryptedCurse

Antagonist42

Senior Member
Feb 5, 2012
682
248
49
Bolton
The "unlock_code" to be signed should be 0x%02x%08x with mid (manufacturer id) and psn (production serial number):

mid = cat /sys/block/mmcblk0/device/manfid

psn = cat /sys/block/mmcblk0/device/serial

That makes more sense; when I found my mid for another device, it was too many bytes long in total ;) I can recheck my old files now that I can see what they may be :D

Bashing away at my HTC Desire C
 

XxD34THxX

Senior Member
Nov 3, 2014
1,057
148
Well, I'm too late. Sorry Surge, I had a lot of trouble with gmail last night and I came home at 12, I had work, then at 6 I wake up. Been a long week. BUT I shall do this act of putting a REAL ROM (custom BL and Kernel) on the HDX once a nightly is out. :D:D:D:D:D:D:D

I'd like to thank the people who do this for us and thank them for all of the hard work they have done.
 
Last edited:

ggow

Recognized Developer
> Is there still active work on this? I have made a loader for IDA to load and decode bootloaders, and I'm wondering if someone would be willing to test it on Kindle bootloaders. I'll push the source for the loader to git eventually, but I want to make sure it works on bootloaders other than Samsung's implementation, since Samsung alters their lk (aboot).
>
> I would prefer to have someone who already has IDA installed with IDA Python working.
>
> Contact me directly on hangouts @ [email protected] if interested.
>
> Thanks.

Hi Surge1223, could I try your loader out?
 

EncryptedCurse

Senior Member
Jul 9, 2014
650
300
The bootloader is unlockable on FireOS 4 — at least on the HD 6 and 7. The OP even indicates that it's utilizing the very same RSA exploit from vortox and dpeddi.

It's got me wondering whether it still actually works on our devices as well, and people have been just avoiding trying due to the assumption.
 

vortox

Senior Member
Jan 20, 2012
50
132
> The bootloader is unlockable on FireOS 4 — at least on the HD 6 and 7. The OP even indicates that it's utilizing the very same RSA exploit from vortox and dpeddi.
>
> It's got me wondering whether it still actually works on our devices as well, and people have been just avoiding trying due to the assumption.

It's fixed in .3.2.4, so it's (probably) fixed in every higher version.

I wondered too. Those devices use MediaTek SoCs and the bug was in the Qualcomm bootloader. The bug was fixed on the HDX even before those tablets were announced, yet they are still vulnerable.
 
  • Like
Reactions: EncryptedCurse

ONYXis

Senior Member
Dec 7, 2013
436
328
Kyiv
@vortox, @dpeddi, friends, I previously asked about this...
Why could I not do something like this from a running system?
Code:
adb shell dd if=/sdcard/images-from_3.2.3/sbl1.mbn of=/dev/block/.....
adb shell dd if=/sdcard/images-from_3.2.3/emmc_appsboot.mbn of=/dev/block/.....
adb shell dd if=/sdcard/images-from_3.2.3/rpm.mbn of=/dev/block/.....
adb shell dd if=/sdcard/images-from_3.2.3/tz.mbn of=/dev/block/.....
adb shell dd if=/sdcard/images-from_3.2.3/sdi.mbn of=/dev/block/.....
adb shell dd if=/sdcard/images-from_3.2.3/boot.img of=/dev/block/.....
adb reboot bootloader
unlock procedure
fastboot flash recovery twrp.img
How could the fuse get blown in this case?
 
Last edited:

Top Liked Posts

  • 25
    Merry Christmas!

    This is not an unlock

    I have been able to boot a custom TWRP. Using this exploit I crafted a signature that passes the check in the x.3.1.0 bootloader. I'm planning to release a tool to sign custom recoveries/boot images.
    13
    @vortox do you need help with programming?

    Thank you for the offer, but the coding is done and I'm starting to write the guide for the tool :)
    12
    Hello @rbox,

    I have implemented a bootloader signature bypass and was wondering if you could help me verify my method.

    Because we know this works for the firetv, my plan is:

    1. You could send me one of your unsigned custom recoveries for firetv.
    2. I would then sign it and send it back to you to check it works.

    Hope you don't mind me contacting you this way.

    ggow
    12
    Just some small update: I'm almost done writing the signing application and I will probably release it before the new year.
    11
    Hi!

    The first signed recovery is there, thanks to @vortox for the exploit! Please, some experienced users test it :)

    Happy new year!

    http://forum.xda-developers.com/kindle-fire-hdx/development/recovery-twrp-2-8-1-0-thor-t2986004