[WORK IN PROGRESS] Unlocking Motorola Defy Mini XT320 and Fire XT530 bootloader

Search This thread

rootdefyxt320

Senior Member
Oct 4, 2012
488
440
Sydney, NSW
I've recently read on how Dan Rosenberg unlocked the bootloader on Motorola Phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

Chipset Specification:
Motorola Fire XT530- Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
Motorola Defy Mini XT320- Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

I have decided to combine the unlocking of Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place as there are more experienced developers in C++ in Motorola Fire XT530 users than the Defy Mini XT320 users so we can help each other.

I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
Now it requires the work of using Interactive Disassembler to locate the QFuse addresses but unfortunately I don't know how to use it so I can't disassemble appsbootsec.mbn
@djrbliss if you have time to read this thread and help us users to try and use Interactive Disassembler, this would be greatly appreciated.

Here's the link to the memory addresses for Motorola Defy Mini XT320:
http://www.droidevelopers.com/f412/13117-defy-mini-xt320-tinboost-memory-map.html

The sbf files that I've used to extract appsbootsec.mbn:
Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

All these sbf files have fastboot support.

At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

Guys please don't ask for an ETA or when the bootloader is going to be unlocked as this depends on time.
@Bernd.Defy I've uploaded the rest of the Bootloader Files, would you please take a view of it using a hex viewer thanks.
 
Last edited:

Bernd.Defy

Senior Member
Feb 1, 2013
82
46
Hmmm... watched the mbns - i see no messages like mentiond in the blogpost. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe i'm wrong (hope so).

Regards,
Bernd
 
  • Like
Reactions: rootdefyxt320

rootdefyxt320

Senior Member
Oct 4, 2012
488
440
Sydney, NSW
Hmmm... watched the mbns - i see no messages like mentiond in the blogpost. Also the string "get_unlock_data" is not found.

So I think the method posted in the blog only works on phones with the option to unlock the bootloader via some token, as the hack hooks into the function to check the validity of the token and then always returns true.

Maybe i'm wrong (hope so).

Regards,
Bernd

Did you use the interactive disassembler to open appsbootsec.mbn? I was wondering what program you used to view appsbootsec.mbn
 
  • Like
Reactions: s27moto

Guitwo2

Senior Member
Jul 17, 2012
285
75
Marseille
He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD. :)

e65.gif
 

dmddmd

Member
Jun 29, 2012
13
3
some ideas for custom kernel/recovery

Hi all!

After some digging in xt320's bootloader binary, i found out that our phone uses (L)ittle (K)ernel bootloader (aka LK bootloader). And after some googleing i found 2 vulnerabilities for this bootloader that i believe still exists in our defy minis (defy mini is pre-2014 phone).

first one is this one
(CVE-2014-0973)
h**ps://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot-image-authentication-leads-to-signature-forgery-cve-2014-0973

it's not a bootloader unlock, but it is about boot/recovery image signature forge (signing boot/kernel/receovery image so bootloader accepts it). it's already used on Kindle Fire HDX and there is a tool that signs boot and recovery image for Kindle Fire HDX. h**p://www.xda-developers.com/signing-tool-for-kindle-fire-hdx-hacks-bootloader/

Also, there is one more exploit, but i didn't find many information on it - CVE-2014-0974
h**p://www.cvedetails.com/cve/CVE-2014-0974/
if i understand correctly, when bootloader loads image header into RAM to verify signature, it can be manipulated to load into bootloader's memory where motorola certificate/signature is located and overwrite it so it appears to bootloader that boot image signature and bootloaders "new" signature are correct.

With these exploits there is no need to unlock bootloader to have custom kernel and recovery flashed on phone.
If anyone has knowledge and time to investigate this, it would be very nice..i think the first way of forging signature is easyer and the tool they made for kindle fire is easily adapted to sign defy mini's images.
 

dmddmd

Member
Jun 29, 2012
13
3
small update:
finally got some time to test application from this link - cuber - h**ps://github.com/dpeddi/Cuber on @rootdefyxt320 's kernel..after signing the boot.img, it can be succesfully flashed with fastboot, but it ends in brick (recoverable with rsd-lite)...
 
  • Like
Reactions: rootdefyxt320

Top Liked Posts

  • There are no posts matching your filters.
  • 13
    I've recently read on how Dan Rosenberg unlocked the bootloader on Motorola Phones with Qualcomm chipsets. I'm pretty sure this exploit exists in the Motorola Fire XT530 and Motorola Defy Mini XT320.
    http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

    Chipset Specification:
    Motorola Fire XT530- Qualcomm MSM7227-T, 800MHz ARM11, Adreno 200 GPU
    Motorola Defy Mini XT320- Qualcomm MSM7225A-1, 600MHz ARM Cortex-A5, Adreno 200 enhanced GPU

    I have decided to combine the unlocking of Motorola Fire XT530 and Motorola Defy Mini XT320 bootloaders in one place as there are more experienced developers in C++ in Motorola Fire XT530 users than the Defy Mini XT320 users so we can help each other.

    I've done the initial work of dumping appsbootsec.mbn from the Motorola Fire XT530 sbf and the Motorola Defy Mini XT320 sbf.
    Now it requires the work of using Interactive Disassembler to locate the QFuse addresses but unfortunately I don't know how to use it so I can't disassemble appsbootsec.mbn
    @djrbliss if you have time to read this thread and help us users to try and use Interactive Disassembler, this would be greatly appreciated.

    Here's the link to the memory addresses for Motorola Defy Mini XT320:
    http://www.droidevelopers.com/f412/13117-defy-mini-xt320-tinboost-memory-map.html

    The sbf files that I've used to extract appsbootsec.mbn:
    Motorola Fire XT530: DMP-4480-0-4017-A01_RFM.sbf
    Motorola Defy Mini XT320: TNBST_4_0A.1F.10RPS_flex_WE_Retail_CEE_v2.sbf

    All these sbf files have fastboot support.

    At the bottom, I have attached appsbootsec.mbn from the prerequisite phones.

    Guys please don't ask for an ETA or when the bootloader is going to be unlocked as this depends on time.
    @Bernd.Defy I've uploaded the rest of the Bootloader Files, would you please take a view of it using a hex viewer thanks.
    2
    some ideas for custom kernel/recovery

    Hi all!

    After some digging in xt320's bootloader binary, i found out that our phone uses (L)ittle (K)ernel bootloader (aka LK bootloader). And after some googleing i found 2 vulnerabilities for this bootloader that i believe still exists in our defy minis (defy mini is pre-2014 phone).

    first one is this one
    (CVE-2014-0973)
    h**ps://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot-image-authentication-leads-to-signature-forgery-cve-2014-0973

    it's not a bootloader unlock, but it is about boot/recovery image signature forge (signing boot/kernel/receovery image so bootloader accepts it). it's already used on Kindle Fire HDX and there is a tool that signs boot and recovery image for Kindle Fire HDX. h**p://www.xda-developers.com/signing-tool-for-kindle-fire-hdx-hacks-bootloader/

    Also, there is one more exploit, but i didn't find many information on it - CVE-2014-0974
    h**p://www.cvedetails.com/cve/CVE-2014-0974/
    if i understand correctly, when bootloader loads image header into RAM to verify signature, it can be manipulated to load into bootloader's memory where motorola certificate/signature is located and overwrite it so it appears to bootloader that boot image signature and bootloaders "new" signature are correct.

    With these exploits there is no need to unlock bootloader to have custom kernel and recovery flashed on phone.
    If anyone has knowledge and time to investigate this, it would be very nice..i think the first way of forging signature is easyer and the tool they made for kindle fire is easily adapted to sign defy mini's images.
    2
    He's been busy studying for his PhD these days so he doesn't have time. He will help us after he gets his PhD. :)

    e65.gif
    1
    Great! Hope it will work.. :good:
    1
    small update:
    finally got some time to test application from this link - cuber - h**ps://github.com/dpeddi/Cuber on @rootdefyxt320 's kernel..after signing the boot.img, it can be succesfully flashed with fastboot, but it ends in brick (recoverable with rsd-lite)...
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone