DroidForums.net | Android Forum & News

Possible Ways to Crack the Bootloader

The problem is that there are no public sheets that have the pinout for the parts you need. Specifically the mshield components. I have a couple other data sheets for the reference board, but as these boards are not going to be identical, that may be of limited use.
But here you go.
OMAP36xx Technical Reference Manual

Image Files
RDL3.smg - bootloader (30.04)
CG35.smg - boot partition
CG47.smg - recovery partition

Extracted MBN image and loader (RDL1.smg)
 
The mshield is a feature of the omap chip...the omap controls a lot of stuff on the phone...and I believe the private key is stored on the cpu part, as it starts the boot chain. The .img and .smg files are what's in an SBF when you bust it open.

I have the .03 and the .04 bootloaders but disassembling is a pain, but thanks for the info.

Sent from my Droid2 of Shame!
 
Also, pulling code from the chip will probably fail, as I'm sure Motorola is smart enough to enable the code protect flag.

Sent from my DROID2 of shame.
 
Right, omap is the whole soc, which is based around an arm cpu. The efuse is part of the mshield platform, about which there is no public technical info. But you're right, I think, that a hardware hack is going to be the quickest way around it. Not that it does much good for the general public, but you might be able to glean something useful. Good luck.
 
But admittedly, I'm half talking out of my ass. Clearly you're more well versed on this than myself. I'll poke around a bit more and post if I find anything that might be useful.
 
A hardware hack could be useful to the community if the key could be dumped to nand or usb. I don't think anything like this has been attempted, but I have 2 spare D2s to work on, so hopefully something will come up.

Sent from my DROID2 of shame.
 
You would need a leak... well... unless you somehow managed to invent and build a farm of quantum computers that simultaneously calculated every possible scenario using the law of superposition.. but I am afraid we are not quite there yet regarding computer technology

Tegra 4 will be able to do all of that AND play Crysis 3.


For practicality purposes, though, it's not anything to worry about.

So, when he states the following, what does he mean?

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures

The first thing I thought of when reading your post was, "if it has no practical purpose, then what is the significance of blogging about it?" So I went back to see if he downplayed the discovery, and came across the quoted text. I won't pretend to know what it means, but I know using words like "major" and "bullet" are used for effect and to show that this finding has weight. So, what is that for?

Brandon
 
90% of this is way over my head but with Wug I will donate all my brain power to this, I scored nearly perfect in the math portion of the ACT and SAT and learning math is no problem for me. I do a little cyphering for fun. I've been keeping up with all of this going on and doing my own research on top of that. When we finally get a plan going and idea I will happily look it up, learn it and use my brain for it. I know enough about the android side to want to be a Dev but I don't know how to get started. So I'll be on here trying to find ways.
I do have a few questions though.
1. It's encrypted, but how? If anyone knows. It might not be, but just asking.
2. What are some possible ideas to crack it so far? I'll look it up and try and teach myself it.
And 3. What would the solution look like? Just wondering this one for myself.

Sent from my DROIDX
 
@bplewis24
I appreciate that you are trying to support my hash collision theory but alluding to the idea that Tegra4 is somehow comparable to a Quantum computer is just not true.. I'm going to assume that you were kidding (side note: the physics engine in Crysis is ridiculous).

If you weren't kidding, and for those who were not aware what I was talking about there: with quantum computing the superposition principle is in effect, meaning that the binary system is no longer valid; there are no bits, units which can only exist as a zero or a one; in quantum computers there are qubits; these quantum bits can actually exist as a zero and a one simultaneously. What this means is that in any given moment the computer can solve a problem in two ways, the correct way and the wrong way, but since it arrives at the answer at exactly the same time, it's as if it went back in time and decided not to try the incorrect solution in the first place; furthermore the computer experiences no slow down from the simultaneous computation. So the reason I said that was because if we had quantum computers then breaking SHA1 encryption would literally be child's play.. but to the same extent, if we had quantum computers we probably wouldn't be using SHA1 encryption at all.. lol.. we have to use some encryption scheme that is completely unfathomable in contemporary society.. like have the first quantum computer start inventing encryption schemes for a year in advance before releasing any other quantum computers so that people would have a very difficult time catching up.. lol.. wow. Sorry for the troll post.. I am very interested in quantum mechanics..

Regarding the second half of your post. I agree, a bold statement like "put a bullet in SHA1" is what made me think it was possible in the first place. If it's not practical or possible to actually use the crack.. then how is that a bullet? I feel like he knows something that we don't. Either that, or he's just being plain old misleading and making kids like me start doing a bunch of research. His statement is what triggered me to think that doing hash collisions would prove to be a viable approach to break the bootloader.

{{ WugFresh }}
 
I believe the most logical solution would be to do a SETI@home solution. Use the mass amounts of computers to run hash collisions. I believe this is possible from reading articles about the Chinese that accomplished this. With the right type of determination I think it would be possible.

P.S. Or just create a virus style SETI@home so people don't even know they're running it bhaahha!

I'm on it.

@everyone, I'm about to throw up a link for a way to get a free lifetime supply of cookies. Just click the link, I swear.. lol.

I am actually going to be talking about the practicality of doing it with my prof this week and I hope to gain insight on if doing just that.. minus the virus (... maybe) would work.

{{ WugFresh }}
 

For BOINC or a standalone program? Either way I'll have it on every computer I can (if it's a standalone I can get it running on my school computers too... lol)

Sent from my DROIDX using Tapatalk
 
I'm not quite there yet. But I have a lot of experience building standalones.. so that would be the plan.

{{ WugFresh }}
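The "bullet into SHA-1" quote, the hash-collision theory built on it and the SETI@home-style grid proposal all hinge on a distinction the thread never draws: a collision attack finds some pair of inputs that share a digest, while replacing an already signed image means matching one fixed digest (a second preimage), and the collision result does nothing for that harder problem. The script below is an added example, not code from this thread or from any project mentioned in it. It models a boot-chain digest check on a constructed stand-in image, tabulates the generic work factors for each attack class (the 2^69 figure for the reported collision attack is an assumption passed in as a parameter), and estimates how long a volunteer grid of assumed size would take, which is what a practitioner would want to know before writing any BOINC client.

```python
"""Added example: collision vs. second-preimage work for a SHA-1 digest check.

Nothing here is taken from the forum thread or from Motorola's boot chain; the
image bytes, the grid size and the reported collision cost are constructed
assumptions used only to make the arithmetic concrete.
"""
import hashlib

SHA1_BITS = 160

# Constructed stand-in for a signed image.  At signing time the digest is fixed;
# at boot time the verifier only accepts an image whose digest matches it.
SIGNED_IMAGE = b"CONSTRUCTED-BOOTLOADER-IMAGE-v30.04"
SIGNED_DIGEST = hashlib.sha1(SIGNED_IMAGE).hexdigest()


def verifier_accepts(candidate: bytes, trusted_digest: str = SIGNED_DIGEST) -> bool:
    """Toy model of a boot-chain check: hash the candidate, compare with the
    digest the signer committed to.  Any byte change yields a different digest."""
    return hashlib.sha1(candidate).hexdigest() == trusted_digest


def attack_work_factors(n_bits: int = SHA1_BITS, reported_collision_log2: int = 69) -> dict:
    """Expected hash evaluations for each attack class against an n-bit hash.

    collision_generic        birthday bound 2^(n/2): find ANY two inputs with the
                             same digest, neither of them chosen in advance.
    collision_reported       the improved collision cost from the result the
                             thread quotes; 2^69 is an assumed value, not from
                             the page.
    second_preimage_generic  2^n: match ONE digest fixed by the signer, which is
                             what substituting a signed image requires.  A
                             collision attack does not lower this bound.
    """
    return {
        "collision_generic": 2 ** (n_bits // 2),
        "collision_reported": 2 ** reported_collision_log2,
        "second_preimage_generic": 2 ** n_bits,
    }


def years_to_finish(work: int, machines: int, hashes_per_second_each: int) -> float:
    """Expected wall-clock years for a grid of `machines` volunteers, each doing
    `hashes_per_second_each` SHA-1 evaluations, to complete `work` evaluations."""
    per_second = machines * hashes_per_second_each
    return work / per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # A single appended byte is enough for the verifier to reject the image.
    print("signed image accepted:", verifier_accepts(SIGNED_IMAGE))
    print("modified image accepted:", verifier_accepts(SIGNED_IMAGE + b"\x00"))

    # Assumed grid: one million machines at one billion SHA-1 evaluations per
    # second each (constructed figures, chosen to be generous).
    grid_machines, rate = 10**6, 10**9
    for name, work in attack_work_factors().items():
        print(f"{name:24s} 2^{work.bit_length() - 1:<4d} "
              f"{years_to_finish(work, grid_machines, rate):.3g} years")
```

The output makes the thread's question concrete: even the generic birthday-bound collision, which does not help against a signed image, costs the assumed grid decades, while the second preimage the bootloader check actually demands is more than 10^25 years away. That is why a collision result can be a major cryptanalytic milestone for the hash and still be irrelevant to replacing one specific signed image.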
 