Hardware Hacks

aliasxerog

Can you guys help do some research on the encryption hardware and possibly how to disable it? Anything from technical documentation to possible helpful forum posts will do.
 
aliasxerog

Well, we can't flash a new bootloader without the device being unlocked. That's where the idea of having a hardware hack to unlock it came from.
 

ahC_hED

Could a secondary 'homemade-ish' bootloader be bootstrapped to bypass the signed bootloader?

Sent from my jtagged Droid2 :)
 

bladearrowney

Putting a homemade-ish bootloader onto a Moto phone was a trick used back in the day on the old V3 RAZR phones; there was a trick to get the bootloader to allow a downgrade to a modified version that had RSA removed and allowed, among other things, unlocking of the baseband. However, I'm pretty sure the encryption has moved on into bigger and badder systems, so while the same may be possible on the DX bootloader, implementing it has so far eluded everyone involved (or we are all just looking in the wrong places). Has anyone tried something similar to what was done back in the day, i.e. exploiting the RAMLOADER used in RSD Lite to trick the phone into allowing us to do things that we shouldn't be?

http://www.fidalgo.net/~grubwerm/SU Ramldr and Motorola E815 RamLoader Hack/README_SU.TXT
 

bladearrowney

I forgot something else: another trick we used to use on other Motorola models (up until around the V9, where the game changed a bit) was to make use of "test point" locations on the physical PCB, which when shorted would result in the phone dropping into a "blank" mode when powered on, allowing bypass of all security entirely. I used to use this method to unlock the V3re and several other models back in the day. The problem with that is that this method generally applied to GSM phones; I never saw TP methods for CDMA devices. However, given that there was never much need to get around the encryption on older CDMA devices, it was probably never fully explored or was poorly documented. Knowing Moto, there is probably a similar method. Finding it, though, would be an entirely different story. First, we'd have to reverse engineer a schematic, etc., etc., etc.... not to mention find someone with an MB810 or A955 board they are willing to donate to science.
 

bladearrowney

Well we can't flash a new bootloader without the device being unlocked. That's where the idea of having a hardware hack to unlock it came from.

Technically incorrect: we can't flash a bootloader that is not properly signed. I can readily flash between D2.35 and D2.37 at will on my D2 without any issues. However, I have no experience in decompiling the binary to modify it, no experience in re-signing it (which would probably require signing keys that we don't have), and no experience in attempting communication with the bootloader to probe for a potential exploit.

However, that's where my previous comments come in: looking at what's been done in the past with manipulation of the RAMLOADER or, as you said, via a hardware hack (most likely in the form of a test point in need of some grounding), we might find some success...
 

d_vs_Goliath

First, we'd have to reverse engineer a schematic, etc., etc., etc.... not to mention find someone with an MB810 or A955 board they are willing to donate to science.

I have a DX that's gone in the water. It won't do much of anything, really, but if it will help I will give it to the cause...
 

Perk27

I've got an extra one with a broken screen collecting dust; I'd be glad to donate it to the cause.

RTR
 