Possible Ways to Crack the Bootloader

aliasxerog

I'm going to be taking a break on actual programming because I want to work on getting the bootloader unlocked. I will be getting those god damn keys sooner or later. That being said, I need ideas on how to do this. Throw them up here, with links to research.
 
To be honest, if the efuse works the way I believe, you're not going to crack it short of a motorola leak.

From what I've been able to find, the efuse is a one time programmable key. There is absolutely no reprogramming this. That leaves properly signing a replacement image as the only work around. Unfortunately, there isn't any way to readily glean that info from what we have to work with.

As a disclaimer, I'm half talking out of my ass here. But again, from all the info I've been able to locate, you're going to need someone at moto to release that info.

I know that's not very helpful, and man, it'd be nice to see happen, but I'd hate to see you sink a bunch of time all for naught.
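As an added illustration (not code from this thread, and not Motorola's actual implementation), here is a toy model of the root-of-trust described above: a one-time-programmable fuse holds a hash of the vendor's public key, and the boot ROM only accepts an image whose bundled key matches that fuse and whose signature opens under it. The primes, exponents and sample image are constructed for readability; the point it makes is that producing an accepted replacement image needs the vendor's private exponent, which is never present on the device or in a firmware file.

```python
import hashlib

# Constructed toy parameters: small Mersenne primes keep textbook RSA readable.
# Real devices use RSA-2048 with standard padding; this is a model, not Motorola's scheme.
P, Q, E = (1 << 127) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent: never present on the device or in an SBF

def digest(data: bytes) -> int:
    # Truncate SHA-256 to 26 bytes so the integer stays below N (toy padding, not PKCS#1).
    return int.from_bytes(hashlib.sha256(data).digest()[:26], "big")

def key_fingerprint(n: int, e: int) -> bytes:
    # What a one-time-programmable fuse would hold: a hash of the public key, not a secret.
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + e.to_bytes(4, "big")).digest()

def vendor_sign(image: bytes, d: int = D, n: int = N) -> int:
    # Signing step done at the vendor: the image digest raised to the private exponent.
    return pow(digest(image), d, n)

def boot_rom_verify(otp_fp: bytes, image: bytes, pub_n: int, pub_e: int, sig: int) -> bool:
    # 1) The public key bundled with the image must match the fused fingerprint.
    if key_fingerprint(pub_n, pub_e) != otp_fp:
        return False
    # 2) The signature must open to the image digest under that key.
    return pow(sig, pub_e, pub_n) == digest(image)

def sign_with_other_key(image: bytes):
    # A different, self-generated key pair: it signs fine, but its fingerprint is not in the fuse.
    p2, q2 = (1 << 521) - 1, (1 << 107) - 1
    n2 = p2 * q2
    d2 = pow(E, -1, (p2 - 1) * (q2 - 1))
    return n2, pow(digest(image), d2, n2)

OTP = key_fingerprint(N, E)                # burned once at manufacturing
IMAGE = b"constructed sample bootloader image v1"
SIG = vendor_sign(IMAGE)

if __name__ == "__main__":
    n2, sig2 = sign_with_other_key(IMAGE)
    print("vendor-signed image: ", boot_rom_verify(OTP, IMAGE, N, E, SIG))         # True
    print("modified image:      ", boot_rom_verify(OTP, IMAGE + b"x", N, E, SIG))  # False
    print("other key, same fuse:", boot_rom_verify(OTP, IMAGE, n2, E, sig2))       # False
```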
 
I don't know anything on the subject, but wanted to say thank god someone is taking this attitude. I've been doing every kind of google search I can think of trying to find useful info for you guys as far as drivers and whatnot, but am just not smart enough (yet) to know what I'm looking for (hitting up the library for some tech books later today to start educating myself on some of this stuff).

Guess I really just want to say thanks for not giving up and continuing to fight the good fight. The community appreciates it.

Sent from my DROIDX using DroidForums App
 
I don't know anything on the subject, but wanted to say thank god someone is taking this attitude. I've been doing every kind of google search I can think of trying to find useful info for you guys as far as drivers and whatnot, but am just not smart enough (yet) to know what I'm looking for (hitting up the library for some tech books later today to start educating myself on some of this stuff).

Guess I really just want to say thanks for not giving up and continuing to fight the good fight. The community appreciates it.

Sent from my DROIDX using DroidForums App

I agree 100% sir. Alias, the entire community is behind you and wants this to happen. We will do what we can to give you any info. Give it some time. It will come.
I also am not a very knowledgeable person on the actual workings of the bootloader. But I am totally up to help test. I've tested the original iPod Touch 2G tethered jailbreaks and whatnot, so I'm always down to give back to the community in any way I can. :) Once again, thank you for fighting the good fight and keeping the hopes and dreams of many alive.

Sent from my DROIDX using DroidForums App
 
-The way you are doing it now, we just need drivers now?
-Find a way to pull the codes from a device or SBF file.
-Find a way to edit an SBF file to accept changes
-Pass around a petition to get the codes from Motorola.
-Look into other Motorola devices (Xoom, D1) see if there is anything useful there.

...That's all I can think of.
 
I've read that the keys are RSA2048 encrypted and I've also read that recently the RSA keys were cracked. If it somehow gets out how RSA was cracked, would we be able to crack the keys on the eFuse?
 
-The way you are doing it now, we just need drivers now?
-Find a way to pull the codes from a device or SBF file.
-Find a way to edit an SBF file to accept changes
-Pass around a petition to get the codes from Motorola.
-Look into other Motorola devices (Xoom, D1) see if there is anything useful there.

...That's all I can think of.

I'll kill your points 1 by 1 for ya...

Need the drivers for a kexec module, not a standard droid kernel.
Been tried, as far as I know the codes aren't in there because as I understand it the sbf file doesn't touch the bootloader.
Pretty sure that's been tried for a while now....
Xoom and D1 aren't really going to be helpful because they're already unlocked. Locked Droids won't help because they're all encrypted the same way, as I understand.

Don't mean to be a spoil sport or anything, just most things have already been tried.

Sent from my Liberated D2G
 
If the bootloader was simply "locked" all you would need would be the key, but since they are encrypted you will need to figure out what algorithm is used to create new keys as well as having an original key to use the algorithm with...

I don't think it'll ever be cracked.. and the only people to blame are the tethering abusers... I don't think MOTO would've paid to develop the encryption unless the carriers put them up to it, and the only reason they would've blocked that is to stop tethering, since that's the only for-cost service that is being "stolen"... If everyone keeps abusing their service all phones will be locked, block sideloading, and have meters/throttling.

The Thunderbolt has a folder named "throttle" in /system, so it's coming soon.

Sent from my ADR6400L using DroidForums App
 
I honestly don't know what I can do to help, but I am willing to sacrifice my Droid X for testing if you need it :) (I have really good relations with my local Verizon dealer so I could probably get another one easily.)
 
I am just learning to theme so I'm not very knowledgeable on programming at all lol. But when Moto releases an OTA, what file or whatever do they use for the phone to accept it? Is there a way to get what you need from any of that? Probably a stupid noobie thought, but I was just thinking in my little brain.

Sent from my DROIDX using DroidForums App
 
SHA-1 encryption has been broken by a team of researchers, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, and apparently they have been shadily distributing their paper, but it's not readily publicly available. They used hash collisions to break the encryption. I personally know calculus, differential equations, Green's and Stokes' theorem, and linear algebra, but this type of math is still way over my head. From my limited understanding on this... hash collisions would be the only real way to actually crack the encryption (vs. bypass, or the work you have been doing...), and considering that it has already been done, then I suppose that makes it a viable solution. I don't know if a team of researchers from Shandong University in China would care enough about the Android hacker community to share their findings... but I suppose anything is possible. If in fact they were willing to share this information, the function could be used in a powerful computational program such as Maple, Matlab, or Mathematica, to generate the private keys... but I think you might need the public key..? Like I said... I really only have a surface-level understanding of what's involved.

The more practical but still highly unlikely method for getting the keys would be to get them from moto somehow... but the hacker community is too small for them to care.

We could all stand outside of Moto headquarters and wait for the CEO to walk towards his car and then.... lol.

If you are interested in actually cracking it.. which would be epic, and probably more likely than reverse engineering the radio baseband drivers (which seems to be the issue... right?), then hash collisions are the way to go, and those researchers are the ones with the knowledge on how to do it. I don't think they want to publicly distribute their work because SHA-1 encryption is still widely used and has been implemented as an industry standard since MD5 encryption was broken.

I hope that helps, or provides some hope... I personally have a DX and would love it to be cracked.. I wish I had a better understanding of the math involved. Regardless... I really appreciate your determination and commitment to this project, thank you for all your hard work.

I will try and see if I can find some solid information on this... but I really think that those guys are the only ones with the info that's relevant... that being, the actual solution. There are documented studies with hash collisions available.. but they don't have what you need. Those guys have the answer.

{{ WugFresh }}
 
Would the Xoom hold any useful information? As I understand it, its bootloader is locked, but can be unlocked? Also, as the above poster said, the bootloader and kernel are updated somehow through OTAs? How does, say, maderstock change the kernel? Wouldn't there have to be some kind of key to allow it to change it? Just some thoughts, rather new to this =P Would love to get some Cyanogen lovin' on my DX.
 
I will for sure be following this! I'm very interested in learning how. I think if we all help each other out, bounce ideas around and edit and change each other's, we should be able to crack it. Just need to know how, then I say we go for it.

Sent from my DROIDX
 
I just think we need to send someone into Motorola undercover style! Get on the team that devs the phones and BOOM! We (our community) are in!

Short of that though, I seriously wish anyone and everyone the best of luck!

Sent from my DROIDX using DroidForums App
 