Thursday, 20 August 2015

[DEV][WIP]Bootloader unlock development[no unlock yet]



***This is not a bootloader unlock. This is only a discussion about a possible bootloader unlock***


So I've been following this blog for the past couple of weeks. The owner of the blog describes an exploit to run arbitrary code in the TrustZone kernel on msm8974 chipsets (post1, post2, post3).
TrustZone is responsible for stuff like the Android keystore and decoding audio and video with DRM, and it has absolute control over every bit of hardware inside the chipset.
Most importantly, that includes the Qfuses checked by the bootloader to determine whether it's unlocked or not.

Now, I've been looking at the disassemblies of TrustZone images extracted from firmware versions 4.3.6, 3.5 AT&T, 3.6.2 T-Mobile DE.
The bug that caused this exploit is in fact fixed in firmware 4.6.3. I didn't test 4.6.1 because it is probably fixed.
Anyway, in firmware versions 3.5 and 3.6.2 the bug is still present, meaning that we would probably be able to run arbitrary code on devices with old firmware, or if we can downgrade our phones to 3.6.2 firmware.

The first problem we have is that the exploit needs a slight kernel driver modification to run (that is, if we are not going to use his "zero write primitive" to blow a Qfuse).
But on our devices we can't even boot a custom kernel! (fastboot kernel hotbooting complains even if you pass a signed boot image, saying "boot not allowed in locked HW").
So we might need to find a way to use "kexec" to hotswap a kernel at runtime, which in turn might need a modified kernel module to be loaded.
We still don't know if we can load unsigned kernel modules into the stock kernel.

The next problem is to find the correct Qfuse to blow. If we blow the wrong one, we can say goodbye to our device.
This would need an analysis of the aboot partition image (emmc_appsboot.mbn) to find which Qfuse aboot checks to determine whether the bootloader is unlocked. (take a look here to know more about this)

So a very simple outline of what we have to do is:
1) Find a way to downgrade to firmware/trustzone 3.6.2
2) Get kexec to run a custom kernel
3) Run the trustzone exploit to blow the correct Qfuse

Now, I'm not very good at reverse engineering stuff since I'm still a newbie, so I need help from everyone.
Reply if you have any ideas and contributions. :) Any kind of feedback is appreciated.


