maybe we can get the key

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
Ok, so when verizon sends down 2.2....how does it work...doesnt it flash a new rom??? or is it just a bunch of files and OS type stuff?

anyways, i was under the assumption that to load 2.2, then wouldnt they have to access the bootloader?? and if they need to access the bootloader, then wont have to send the key with it? and wouldnt it be in like the first part of the code?/


anyways, i could be totally off base here, but ...w/e lol
 

bitter

Member
Joined
Jan 18, 2010
Messages
613
Reaction score
0
Dude, I didn't understand a word of what you just said.
 

Tallica

Premium Member
Premium Member
Rescue Squad
Joined
Mar 17, 2010
Messages
3,259
Reaction score
1
Location
Middleboro, MA
Ok, so when verizon sends down 2.2....how does it work...doesnt it flash a new rom??? or is it just a bunch of files and OS type stuff?

anyways, i was under the assumption that to load 2.2, then wouldnt they have to access the bootloader?? and if they need to access the bootloader, then wont have to send the key with it? and wouldnt it be in like the first part of the code?/


anyways, i could be totally off base here, but ...w/e lol

Logically that makes sense. they call the official update "signed" IF someone could resign a custom Rom it could work
 

xlivewire7x

Member
Joined
Jul 19, 2010
Messages
127
Reaction score
0
Location
Lincoln University, PA
Yea it does seem logical but I really doubt it's that simple. I'm sure the code for the key is somewhere in there but I doubt they'd make it very easy to find. Who knows though, a lot of the Droid X hackers have been doing some pretty amazing stuff.
 
OP
R

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
well..it wouldnt hurt to look right?

so basically we need a way to capture the file you download during the OTA update...which, im assuming, shouldnt be to hard with a rooted phone..

but the trick i guess would be to stop the OTA update from automatically installing and resetting the phone before you had a chance to export it.

or maybe we can get someone who does instore software updates for a verizon store to get us a copy...somehow.

i really wish i better understood how all this worked. im trying to find a soft spot SOMEWHERE
 
OP
R

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
Yea it does seem logical but I really doubt it's that simple. I'm sure the code for the key is somewhere in there but I doubt they'd make it very easy to find. Who knows though, a lot of the Droid X hackers have been doing some pretty amazing stuff.


honestly, i dont think 256 random characters in a string would be to hard to find..we wont know though unless we can see the file.
 

fwaggle

Member
Joined
Aug 12, 2010
Messages
38
Reaction score
0
That's not how code signing works - likely the BIOS or something similar on the phone has the public key with which to verify the authenticity of the software. It's called a public key for a reason - it's of absolutely no benefit to you to acquire it.

For the code-signing to work, they don't have to send the private key with the code... again, it's called a private key for a reason. It's kept somewhere, probably under pretty tight security at a motorola lab someplace.

So no, unless Motorola really screwed the pooch, there will be nothing in the update data of any use to beating that pesky boot loader - certainly not the private key.
 
OP
R

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
That's not how code signing works - likely the BIOS or something similar on the phone has the public key with which to verify the authenticity of the software. It's called a public key for a reason - it's of absolutely no benefit to you to acquire it.

For the code-signing to work, they don't have to send the private key with the code... again, it's called a private key for a reason. It's kept somewhere, probably under pretty tight security at a motorola lab someplace.

So no, unless Motorola really screwed the pooch, there will be nothing in the update data of any use to beating that pesky boot loader - certainly not the private key.

ok, so then how are they gonna unlock the bootloader so they can load the new rom???

they have to unlock it somehow, we just need to copy whatever that somehow is


edit..

ok so i think i get what your saying..

so is the so im assuming the ota update is gonna come down encytped as well?
 

fwaggle

Member
Joined
Aug 12, 2010
Messages
38
Reaction score
0
ok, so then how are they gonna unlock the bootloader so they can load the new rom???

they have to unlock it somehow, we just need to copy whatever that somehow is


edit..

ok so i think i get what your saying..

so is the so im assuming the ota update is gonna come down encytped as well?

I don't know if it'll come over the wire encrypted or not - but I believe it doesn't have to be. My understanding of the DroidX hardware is very limited, and my understanding of crypto is by no means exhaustive, but it's my understanding that code doesn't have to be encrypted to be signed.

Basically what happens is you have a public and private key for code signing purposes (you can use the same thing for message authentication, it's my understanding that code signing is just a specific type of message authentication - message authentication basically just means a method of telling with a reasonable level of certainty that a message came from a specific person and hasn't been tampered with). The public key is derived from the private key in such a fashion that it's mathematically trivial to check that a message is also derived from the private key, but mathematically difficult to derive the private key from either the message or the public key.

The public key is likely stored in some part of "real ROM" - that is actual read-only-memory as opposed to the bit we clobber when we want to put a new OS on - perhaps in the BIOS or something similar (heck it may even be literally "on-chip", given that there's much hooha about this whole "eFuse" thing), I honestly have no idea... I'm not familiar with the architecture of these phones at all. The boot process probably works something like the BIOS looks up the boot loader, confirms it's signed by Motorola, and then executes it. The boot loader then probably searches for the kernel and other things it needs to boot the OS, checking at least the kernel to see if it's signed as well.

By using a digital signature instead of a hash (which I think is where you were thinking, that Motorola must have some OTA way of updating the hash that hackers could exploit to get the loader to accept their own kernels), all they have to do is push out another kernel that's also signed by the same key. The boot loader will happily accept any code that's signed in this way, and there's no privileged operation necessary on the phone. The privileged operation happens back in Moto's lab, the signing of the code with their private key - either you have the private key to sign your kernel or you don't.

Cracking the key is practically impossible. Yes, if the key resides in the first few (relatively speaking, like there are a "few" stars in the sky!) tries you could get lucky... but like I posted on another forum, you'd have better odds of getting everyone together and each buying lottery tickets, and then if someone wins, using the money to bribe someone at Motorola to give you a copy of the key.

Now of course that's not to say that there aren't ways to side-track the boot-loader, which I think is what the guys are tampering with (and may be how they did the custom recovery thing)... but anyway, like someone else posted on another android forum, at this point you'll have better chances working with the boot loader than against it.

For all intents and purposes though, the OTA 2.2 update probably isn't going to be of any use to cracking the device wide-open, unless in the process of them doing the update they introduce a bug in the boot loader which can be leveraged to convince it to run an unsigned kernel. Again, I'm not familiar with the X's boot process, but I imagine they don't necessarily have to touch the boot loader - just push another kernel + android userland and call it a day.
 
OP
R

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
ok, so then how are they gonna unlock the bootloader so they can load the new rom???

they have to unlock it somehow, we just need to copy whatever that somehow is


edit..

ok so i think i get what your saying..

so is the so im assuming the ota update is gonna come down encytped as well?

I don't know if it'll come over the wire encrypted or not - but I believe it doesn't have to be. My understanding of the DroidX hardware is very limited, and my understanding of crypto is by no means exhaustive, but it's my understanding that code doesn't have to be encrypted to be signed.

Basically what happens is you have a public and private key for code signing purposes (you can use the same thing for message authentication, it's my understanding that code signing is just a specific type of message authentication - message authentication basically just means a method of telling with a reasonable level of certainty that a message came from a specific person and hasn't been tampered with). The public key is derived from the private key in such a fashion that it's mathematically trivial to check that a message is also derived from the private key, but mathematically difficult to derive the private key from either the message or the public key.

The public key is likely stored in some part of "real ROM" - that is actual read-only-memory as opposed to the bit we clobber when we want to put a new OS on - perhaps in the BIOS or something similar (heck it may even be literally "on-chip", given that there's much hooha about this whole "eFuse" thing), I honestly have no idea... I'm not familiar with the architecture of these phones at all. The boot process probably works something like the BIOS looks up the boot loader, confirms it's signed by Motorola, and then executes it. The boot loader then probably searches for the kernel and other things it needs to boot the OS, checking at least the kernel to see if it's signed as well.

By using a digital signature instead of a hash (which I think is where you were thinking, that Motorola must have some OTA way of updating the hash that hackers could exploit to get the loader to accept their own kernels), all they have to do is push out another kernel that's also signed by the same key. The boot loader will happily accept any code that's signed in this way, and there's no privileged operation necessary on the phone. The privileged operation happens back in Moto's lab, the signing of the code with their private key - either you have the private key to sign your kernel or you don't.


Cracking the key is practically impossible. Yes, if the key resides in the first few (relatively speaking, like there are a "few" stars in the sky!) tries you could get lucky... but like I posted on another forum, you'd have better odds of getting everyone together and each buying lottery tickets, and then if someone wins, using the money to bribe someone at Motorola to give you a copy of the key.

Now of course that's not to say that there aren't ways to side-track the boot-loader, which I think is what the guys are tampering with (and may be how they did the custom recovery thing)... but anyway, like someone else posted on another android forum, at this point you'll have better chances working with the boot loader than against it.

For all intents and purposes though, the OTA 2.2 update probably isn't going to be of any use to cracking the device wide-open, unless in the process of them doing the update they introduce a bug in the boot loader which can be leveraged to convince it to run an unsigned kernel. Again, I'm not familiar with the X's boot process, but I imagine they don't necessarily have to touch the boot loader - just push another kernel + android userland and call it a day.


see that is the part that confuses me...i dont understand why we cant find and copy the digital sig...especially if the OTA update isnt encrypted...

im sorry, i know your explaining it to the best of your ability, and i generally understand how encrypting emails work,s im just not understanding how its being implemented here.

if the kernal is signed...then shouldnt we be able to capture the kernal, tweak it, and send it back up? ...on another note, can we access the Kernal now thru root?
 

sriehl

New Member
Joined
Jul 25, 2010
Messages
4
Reaction score
0
The public/private key works like this:

in these examples, you can usually interchange encrypt and sign

I generates a public key and a private key.
I give my public key to everyone, post it on the net, etc.
I keep my private key extremely safe.

These two keys are a pair, but if you only have one key (public key), there is no way you can generate/crack/figure out what the private key is.

I have a file I want to 'sign' and give to the world.
I 'sign' it with my private key
anyone that has my public key can verify that the file has not been changed since I signed it.

Now, motorola does this:
- take the public key, and burn that into the phone, there is no reason this should ever change
- when a release is ready, sign it with the private key, then give the file to everyone (ie OTA)
- anyone that has the public key, can verify the signature
- your phone starts to boot, it checks the signature (from the private key) against the public key it already knows.
- if the file verifies, boot up the phone with it.


for a more in-depth example and further explanation, check out the public key encryption page on wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography
 
OP
R

RnD_Solo

Member
Joined
Aug 16, 2010
Messages
170
Reaction score
0
ok...i got that..

but whats to stop us from taking the file sent down, and seperating the private key from the OS????.... Unless the private key is sent over the air and not with the file... in either case you should be able to capture it. now if the entire file is encrypted, it would make sense that the first 256 characters or the last 256 would be it. i dont think you could write to bootloader to deviate from first or last sets characters.
 

fwaggle

Member
Joined
Aug 12, 2010
Messages
38
Reaction score
0
ok...i got that..

but whats to stop us from taking the file sent down, and seperating the private key from the OS????.... Unless the private key is sent over the air and not with the file... in either case you should be able to capture it. now if the entire file is encrypted, it would make sense that the first 256 characters or the last 256 would be it. i dont think you could write to bootloader to deviate from first or last sets characters.

sriehl pretty much nailed it, and you missed it. :p

The private key almost certainly isn't sent to the phone. The public key is sufficient for any user (or phone, in this case) to verify that the person who sent the message (or kernel in this case) is in possession of the private key, and that it hasn't been touched. The BIOS (or whatever it's called inside the DroidX) probably does this check on the boot loader at every boot, and then the bootloader probably in turn does it to the kernel at every boot. At no point does either check need to see the private key to discern that the person who signed the ROM must have had it, so there's no reason the private key would come down OTA (in fact the public key will probably not come down either, it's likely built into eFuse on every phone already).

This might help a little more, though it's a good bit more long-winded than I am (and that's saying something): Digital signature - Wikipedia, the free encyclopedia

Hope that helps.
 
Top