I research the security of Android devices and their tamper resistance. I've seen that on Pixel devices you can unlock the bootloader locally by enabling OEM unlocking and then executing the fastboot flashing unlock command, which means that, unlike other OEMs, Pixel doesn't rely on an unlock code. I think OnePlus is another device which does the same.
When the fastboot flashing unlock command is executed, the bootloader must store its unlocked state somewhere to keep it persistent across boots. Wherever Pixel stores its unlock state, how is that partition protected from physical tampering with a UFS flash chip programmer?
If a UFS flash chip programmer can modify the bootloader state by directly tampering with the partition that stores it, how is Pixel safe from physical theft and data compromise? A thief could modify the state without the data getting erased. The data is erased only when you ask the bootloader to set the unlock state using fastboot. Once the thief modifies the state using the said programmer, he could flash a custom recovery to erase the screen lock code.
This whole setup depends upon where the bootloader state is stored and how it is protected against physical flash chip tampering.
The location of the tamper flag is simply a byte in a specific file which can be queried by means of Fastboot.
My guess is that this file is stored in Android's /misc and/or /param partition.
jwoegerbauer said:
The location of the tamper flag is simply a byte in a specific file which can be queried by means of Fastboot.
My guess is that this file is stored in Android's /misc and/or /param partition.
What prevents a thief from modifying this tamper flag using a UFS flash chip programmer in order to unlock the bootloader of a stolen device and then reuse the device as his own?
Cannot mentally comprehend what locking/unlocking an Android device's bootloader has to do with the device's ownership. Sorry for this.
jwoegerbauer said:
Cannot mentally comprehend what locking/unlocking an Android device's bootloader has to do with the device's ownership. Sorry for this.
What I mean is that if an attacker is able to unlock the bootloader, he can reuse the stolen device as his own. Under a locked bootloader condition, factory reset protection prevents the attacker from reusing the stolen device.
Related
Hi, newbie poster here with a few questions.
I'm actually just curious, as I've found enough information to root my phone and create backups. However, I'd like to know what I'm doing more intimately. I hope someone can give a word of explanation. This seems like the most techy forum so I decided to ask here.
1) What is it that we flash when installing a new ROM? Is it a partition on the internal flash drive?
2) Is the boot loader stored in the /boot partition?
3) Is there some kind of BIOS chip in these phones? Something has to initiate to start reading the /boot partition? Do we alter this in any way (like when flashing a computer BIOS).
A final bonus question that I would like to know is, what is changed when the boot loader is unlocked (I know the purpose and why it needs to be done). Is unlocking the boot loader simply removing the (or a) check so that unsigned stuff can be installed (like ROMs and clockwork recovery).
So in essence the boot loader is patched (= its code altered).
Thanks for taking the time to explain this to me.
Jeroen
Find your phone's forum, there will be sticky posts there to read up on rooting.
I did. For hours. I can find why a boot loader needs to be unlocked or decrypted. But not what is actually changed and why this is changed.
I can probably figure out question 1 though. But not what the boot order is, and whether hboot sits in a BIOS chip and is the same as a computer BIOS. There is little clear information on that.
If I had to guess, I'd say hboot is stored on a chip in the phone and executes different partitions on flash, be it Android or the recovery partition. Which one is booted can be selected using hboot. So it is kind of a limited BIOS. But that is just a guess and I could be very wrong.
What is it that we flash when installing a new ROM? Is it a partition on the internal flash drive?
Flashing a new ROM, either from your manufacturer or a custom ROM, you'll flash several partitions of the internal NAND flash disk. Not only the boot partition, but system, data, bootloader, radio code etc. as well.
Is the boot loader stored in the /boot partition?
No. The partition named boot contains an image composed of the root file system in the form of an initramfs plus the Linux kernel. This is the partition the boot loader initially loads and starts. The boot loader itself resides on another partition, often not visible in /proc/mtd and often not in the format of a proper file system either.
Is there some kind of BIOS chip in these phones? Something has to initiate to start reading the /boot partition? Do we alter this in any way (like when flashing a computer BIOS).
Comparing it with a BIOS doesn't make things clearer, since the computer BIOS today is more a bootloader than the API for low level I/O it once was. The bootloader can be compared to the boot loading function of the BIOS.
A final bonus question that I would like to know is, what is changed when the boot loader is unlocked
The locked boot loader only accepts images signed with the manufacturer's secret cryptographic key; everything else will be rejected. Unlock it, and it'll accept unsigned images as well, making you free to boot and/or flash whatever you like.
Thank you Kuisma. When I omitted hboot in my Google search, I found a lot more explanatory links. hboot appears to be HTC specific.
So unlocking the boot loader is a vendor patch in fact. It is not patched by the community? Probably the option is foreseen to disable the certificate check by the vendor and then I shouldn't really call it a patch.
Something still has to start the boot loader. Is this hard coded in the CPU that the boot loader will start at location x in the NAND? I suppose that is the only way in fact. Boot loader and hardware would then be intimately connected just like with a regular BIOS.
I'd better not mess with the boot loader partition then
Jeroen1000 said:
Thank you Kuisma. When I omitted hboot in my Google search, I found a lot more explanatory links. hboot appears to be HTC specific.
So unlocking the boot loader is a vendor patch in fact. It is not patched by the community?
Something still has to start the boot loader. Is this hard coded in the CPU that the boot loader will start at location x in the NAND? I suppose that is the only way in fact. Boot loader and hardware would then be intimately connected just like with a regular BIOS.
I'd better not mess with the boot loader partition then
The boot loader is most likely just mapped as a part of the memory the CPU starts its execution at, more or less.
If the manufacturer allows it, you can unlock the boot loader in an official way, usually simultaneously erasing the DRM information. Then there's the unofficial way, cracking the phone and unlocking it via some exploit.
I wrote a few words about the boot loader at http://whiteboard.ping.se/Android/BootLoader.
Hi, I just checked my bootloader status and it says NO. Is there any way to unlock it? Would it be possible maybe later on? I want to try CM but I heard my bootloader needs to be unlocked to get that ROM?
Sent from my D6503 using XDA Free mobile app
As for now, there's no way to unlock the BL on units with Bootloader Unlock Allowed = NO. You may try, but I knew someone who ended up hard-bricking his phone.
You can unlock it officially but will lose the warranty.
http://developer.sonymobile.com/unlockbootloader/unlock-yourboot-loader/
There is no way to unlock your non-unlockable bootloader as of this point today.
Your bootloader contains encrypted files, which means you can't edit them easily; decrypting them can take a pro developer up to 3 years, as each device's encryption key is different, as well as the encryption type; however, the type depends on when it was manufactured.
Envious_Data said:
There is no way to unlock your non-unlockable bootloader as of this point today.
Your bootloader contains encrypted files, which means you can't edit them easily; decrypting them can take a pro developer up to 3 years, as each device's encryption key is different, as well as the encryption type; however, the type depends on when it was manufactured.
The bootloader can be unlocked and Sony provides a code to do that; you can visit the site mentioned below for more details:
http://developer.sonymobile.com/unlockbootloader/unlock-yourboot-loader/
iSiddharth said:
The bootloader can be unlocked and Sony provides a code to do that; you can visit the site mentioned below for more details:
http://developer.sonymobile.com/unlockbootloader/unlock-yourboot-loader/
I can, but someone with a non-unlockable bootloader cannot unlock their bootloader.
You can try, as there are different types; some can be unlocked when it says no, but that's only in certain countries.
Envious_Data said:
I can, but someone with a non-unlockable bootloader cannot unlock their bootloader.
You can try, as there are different types; some can be unlocked when it says no, but that's only in certain countries.
I have Xperia C, my Bootloader Unlock Status=NO but on the website I mentioned above I got my Unlocking Code.
iSiddharth said:
I have Xperia C, my Bootloader Unlock Status=NO but on the website I mentioned above I got my Unlocking Code.
That doesn't apply for the Xperia Z2; the firmware on the Xperia Z2 has a set of encryption types and keys which it runs, all verified with various partitions. Some of the partitions are encrypted, hence you CAN'T UNLOCK YOUR BOOTLOADER if your device has these encrypted files and partitions.
It will either FAIL to unlock or your device will BRICK. Most Xperias are the same; it's very rare this actually works. Estimated to be 1:1.3m.
Envious_Data said:
That doesn't apply for the Xperia Z2; the firmware on the Xperia Z2 has a set of encryption types and keys which it runs, all verified with various partitions. Some of the partitions are encrypted, hence you CAN'T UNLOCK YOUR BOOTLOADER if your device has these encrypted files and partitions.
It will either FAIL to unlock or your device will BRICK. Most Xperias are the same; it's very rare this actually works. Estimated to be 1:1.3m.
Okkk, it means it is really harmful to take such risks.
Hello guys,
I've been trying to root this phone since I bought it; the problem is every option I read on the web doesn't work because the phone's bootloader is locked, and all methods get to this point where you have to unlock your phone's bootloader, but in order to do that you have to get into the phone's bootloader, which is locked. So who the hell is giving advice like this I don't know. The problem is that I am still motivated to root it; nothing is impossible.
So I am asking, did anyone from the EU, with the EU ROM (full of malware) MIUI 8, manage to unlock its bootloader and then manage to root it?! Please let's discuss here the options that work and the options that didn't work so we can make it through and solve this problem; everything that's on the web at this moment, 27-11-2016, doesn't work on the false EU MIUI 8.
Thanks.
CatalinSava said:
Hello guys,
I've been trying to root this phone since I bought it; the problem is every option I read on the web doesn't work because the phone's bootloader is locked, and all methods get to this point where you have to unlock your phone's bootloader, but in order to do that you have to get into the phone's bootloader, which is locked. So who the hell is giving advice like this I don't know. The problem is that I am still motivated to root it; nothing is impossible.
So I am asking you, did anyone from the EU, with the EU ROM (full of malware) MIUI 8, manage to unlock its bootloader and then manage to root it? Please let's discuss here the options that work and the options that didn't work so we can make it through and solve this problem; everything that's on the web at this moment, 27-11-2016, doesn't work on the false EU MIUI 8.
Thanks.
Not possible without an unlocked bootloader. Even the pre-rooted China Developer ROM needs a phone with an unlocked bootloader. Good luck with unlocking the bootloader.
EU ROM full of malware?!?! Where did you get that idea? Completely false.
Anyway, as said, yes you do need to unlock the bootloader. Impossible any other way, because the system has dm-verity (similar to HTC S-On) which prevents modification to /system. So if you can't modify the system or boot partition then you can't put Superuser binaries anywhere. An unlocked bootloader allows you to put Superuser on the boot partition.
Sent from my Redmi Note 4 using Tapatalk
CosmicDan said:
EU ROM full of malware?!?! Where did you get that idea? Completely false.
Anyway, as said, yes you do need to unlock the bootloader. Impossible any other way, because the system has dm-verity (similar to HTC S-On) which prevents modification to /system. So if you can't modify the system or boot partition then you can't put Superuser binaries anywhere. An unlocked bootloader allows you to put Superuser on the boot partition.
Sent from my Redmi Note 4 using Tapatalk
Can't we just flash a recovery that can disable dm-verity using SP Flash and root the phone that way?
I am guessing not, because no one has said it works.
I'm getting really impatient because I still haven't got my bootloader unlock request approved yet lol
asusm930 said:
Can't we just flash a recovery that can disable dm-verity using SP Flash and root the phone that way?
I am guessing not, because no one has said it works.
I'm getting really impatient because I still haven't got my bootloader unlock request approved yet lol
No, because dm-verity is enabled/set in the kernel (ramdisk on the boot partition), and if you modify the boot partition with a locked bootloader then it won't boot.
Locked bootloader = prevents the boot partition from being tampered with
dm-verity = set in the boot partition, prevents the system partition from being tampered with
So you simply need to unlock the bootloader; there is just no other way to exploit the device (no possible attack vector). The device is very secure, like all Marshmallow devices.
So what is this false EU firmware you speak of? Obviously not the xiaomi.eu one, because that requires an unlocked bootloader.
You can flash global stable via SP Flash Tool; that's your best bet while waiting for the bootloader unlock. If it's taking more than 1 week then you can contact official support or something via the en.miui.com forum (it's down at the moment for some reason).
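As an added example (not from this thread or any vendor's code), here are the two layers CosmicDan describes, in simplified Python: a dm-verity style hash tree over the /system image whose root hash rides inside the boot image, and a bootloader that runs the boot image only when it carries the vendor's signature. Assumptions: a binary hash tree instead of dm-verity's 128-way hash blocks, an HMAC under a constructed key standing in for the OEM's public-key signature, and a constructed boot image layout.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096                       # dm-verity's default data/hash block size
SALT = bytes.fromhex("a1" * 32)         # constructed salt; real images use a random one
VENDOR_KEY = b"constructed-vendor-key"  # placeholder for the OEM signing key (assumption)

def _h(data: bytes) -> bytes:
    """Salted SHA-256, the way dm-verity hashes each data and hash block."""
    return hashlib.sha256(SALT + data).digest()

def split_blocks(image: bytes) -> list:
    """Zero-pad the image to whole 4 KiB blocks and split it."""
    padded = image + b"\0" * (-len(image) % BLOCK_SIZE)
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]

def build_hash_tree(image: bytes):
    """Return (root_hash, levels) with levels[0] = the leaf hashes."""
    # Simplification: binary tree (dm-verity packs 128 hashes per hash block);
    # an odd level is completed by duplicating its last node.
    level = [_h(b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels

def verify_block(block: bytes, index: int, levels, root: bytes) -> bool:
    """Verify one block against the trusted root the way dm-verity does on
    every read: walk the sibling path up the on-disk (untrusted) hash tree
    and compare the recomputed root with the one carried by the boot image."""
    node = _h(block)
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[-1]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return hmac.compare_digest(node, root)

def make_boot_image(root: bytes) -> bytes:
    """Constructed boot.img stand-in: kernel, ramdisk and the verity root hash
    (real devices carry it in the kernel cmdline or a verity header)."""
    return b"kernel-blob|ramdisk|verity_root=" + root.hex().encode()

def root_from_boot_image(boot_img: bytes) -> bytes:
    return bytes.fromhex(boot_img.rsplit(b"verity_root=", 1)[1].decode())

def sign_boot_image(boot_img: bytes) -> bytes:
    """Stand-in for the OEM's public-key signature over boot.img (assumption)."""
    return hmac.new(VENDOR_KEY, boot_img, hashlib.sha256).digest()

def bootloader_accepts(boot_img: bytes, sig: bytes, locked: bool = True) -> bool:
    """Locked bootloader: only a vendor-signed boot image runs.
    Unlocked: anything runs, which is what makes rooting possible."""
    if not locked:
        return True
    return hmac.compare_digest(sign_boot_image(boot_img), sig)

def system_block_trusted(boot_img, sig, locked, block, index, levels) -> bool:
    """Full chain: the root hash is trusted only if the boot image carrying it
    passed the bootloader; then the /system block must hash up to that root."""
    if not bootloader_accepts(boot_img, sig, locked):
        return False
    return verify_block(block, index, levels, root_from_boot_image(boot_img))

if __name__ == "__main__":
    system = b"\x7fELF" * 2048 + b"system-payload"      # constructed /system image
    root, levels = build_hash_tree(system)
    boot = make_boot_image(root)
    sig = sign_boot_image(boot)
    blocks = split_blocks(system)
    print("clean block:", system_block_trusted(boot, sig, True, blocks[0], 0, levels))
    evil = bytes([blocks[1][0] ^ 1]) + blocks[1][1:]     # one flipped bit in /system
    print("patched /system:", system_block_trusted(boot, sig, True, evil, 1, levels))
    boot2 = make_boot_image(build_hash_tree(evil)[0])   # re-rooted boot image
    print("re-rooted boot, locked:", bootloader_accepts(boot2, sig, locked=True))
    print("re-rooted boot, unlocked:", bootloader_accepts(boot2, sig, locked=False))
```

Tampering with a /system block breaks the path to the root hash, and moving the root hash requires a new boot image, which the locked bootloader rejects; unlocking removes only that last check.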
CosmicDan said:
No, because dm-verity is enabled/set in the kernel (ramdisk on the boot partition), and if you modify the boot partition with a locked bootloader then it won't boot.
Locked bootloader = prevents the boot partition from being tampered with
dm-verity = set in the boot partition, prevents the system partition from being tampered with
So you simply need to unlock the bootloader; there is just no other way to exploit the device (no possible attack vector). The device is very secure, like all Marshmallow devices.
So what is this false EU firmware you speak of? Obviously not the xiaomi.eu one, because that requires an unlocked bootloader.
You can flash global stable via SP Flash Tool; that's your best bet while waiting for the bootloader unlock. If it's taking more than 1 week then you can contact official support or something via the en.miui.com forum (it's down at the moment for some reason).
Have you attempted to see what actually happens when a bootloader is unlocked? Like, what does the miunlocker do/flash on the phone?
---------- Post added at 05:20 AM ---------- Previous post was at 05:04 AM ----------
CosmicDan said:
No, because dm-verity is enabled/set in the kernel (ramdisk on the boot partition), and if you modify the boot partition with a locked bootloader then it won't boot.
Locked bootloader = prevents the boot partition from being tampered with
dm-verity = set in the boot partition, prevents the system partition from being tampered with
So you simply need to unlock the bootloader; there is just no other way to exploit the device (no possible attack vector). The device is very secure, like all Marshmallow devices.
So what is this false EU firmware you speak of? Obviously not the xiaomi.eu one, because that requires an unlocked bootloader.
You can flash global stable via SP Flash Tool; that's your best bet while waiting for the bootloader unlock. If it's taking more than 1 week then you can contact official support or something via the en.miui.com forum (it's down at the moment for some reason).
I'm gonna try to flash a twrp recovery using this guide http://en.miui.com/thread-371349-1-1.html
and replace the recovery file with TWRP. Will report if it works
Yeah, it doesn't work haha
CosmicDan said:
No, because dm-verity is enabled/set in the kernel (ramdisk on the boot partition), and if you modify the boot partition with a locked bootloader then it won't boot.
Locked bootloader = prevents the boot partition from being tampered with
dm-verity = set in the boot partition, prevents the system partition from being tampered with
So you simply need to unlock the bootloader; there is just no other way to exploit the device (no possible attack vector). The device is very secure, like all Marshmallow devices.
So what is this false EU firmware you speak of? Obviously not the xiaomi.eu one, because that requires an unlocked bootloader.
You can flash global stable via SP Flash Tool; that's your best bet while waiting for the bootloader unlock. If it's taking more than 1 week then you can contact official support or something via the en.miui.com forum (it's down at the moment for some reason).
Hey, can you upload your miunlock tool folder here? Want to see if the miunlock tool downloaded anything that enabled the bootloader unlock.
asusm930 said:
Hey, can you upload your miunlock tool folder here? Want to see if the miunlock tool downloaded anything that enabled the bootloader unlock.
You can download it for free, just search for MiFlash - it's not a secret tool or anything.
Attempting to see what actually happens...? Even if I had the skills to reverse engineer MediaTek security, I wouldn't do it.
You're trying to do such simple things to trick the system but you need to realize that this hardware has been verified by Google themselves as secure and safe enough for Android Pay and SafetyNet and such. It *can not* be easily cracked, accept it.
Replacing recovery.img with TWRP? Seriously? How dumb do you think these companies are? Sorry for being rude but you really are just being silly.
You are wasting your own time, and now mine too... Sorry but I'm going to unsubscribe now because these questions are just getting silly.
Sent from my Redmi Note 4 using Tapatalk
CosmicDan said:
You can download it for free, just search for MiFlash - it's not a secret tool or anything.
Attempting to see what actually happens...? Even if I had the skills to reverse engineer MediaTek security, I wouldn't do it.
You're trying to do such simple things to trick the system but you need to realize that this hardware has been verified by Google themselves as secure and safe enough for Android Pay and SafetyNet and such. It *can not* be easily cracked, accept it.
Replacing recovery.img with TWRP? Seriously? How dumb do you think these companies are? Sorry for being rude but you really are just being silly.
You are wasting your own time, and now mine too... Sorry but I'm going to unsubscribe now because these questions are just getting silly.
Sent from my Redmi Note 4 using Tapatalk
Man, I did not know that xiaomi actually put that much effort on making their mediatek phones actually google levels of secure.
Was always under the impression that they sorta skimped out on their mediatek lines (as they had before).
Now I'll just not try to unlock it unofficially lol
asusm930 said:
Man, I did not know that xiaomi actually put that much effort on making their mediatek phones actually google levels of secure.
Was always under the impression that they sorta skimped out on their mediatek lines (as they had before).
Now I'll just not try to unlock it unofficially lol
They had before sure, but in the recent year or so (since they started actually locking bootloaders) things changed - they want to target international market too.
Only reason the devices are not sold globally is because of some Mediatek patent/legal battle or something, not too sure (it's literally the only reason why they have snapdragon "pro" versions). But the device has a global firmware sold in Taiwan and some other places, and it is Google CTS certified (preinstalled with Google Play) and, since it's Marshmallow, requires all kinds of Google-approved security measures these days, which a lot of countries need legally too, so yeah.
Glad you understand. I read that if it takes too long to get unlock code, you should try/already be flashed on China dev ROM - so do that if you have not already.
Have you tried the unlocking link on this link? http://xiaomi-mi.com/redmi-note-4/
Is there any way to insert a custom recovery without unlocking the bootloader on HTC?
Because if the phone has a lock screen, then we can remove the lock from custom recovery without losing data.
As I know, the bootloader needs to be unlocked for installing a custom recovery,
but if I unlock the bootloader using htcdev.com the phone will format automatically.
So is there any way to insert a custom recovery without unlocking the bootloader on HTC?
obaid_457 said:
Is there any way to insert a custom recovery without unlocking the bootloader on HTC?
Because if the phone has a lock screen, then we can remove the lock from custom recovery without losing data.
As I know, the bootloader needs to be unlocked for installing a custom recovery,
but if I unlock the bootloader using htcdev.com the phone will format automatically.
So is there any way to insert a custom recovery without unlocking the bootloader on HTC?
No and yes:
If your phone is S-ON and the bootloader Locked (or relocked): No, it's a security feature to prevent unauthorized access to your data. Without this security, anyone with the appropriate knowledge could easily dump your phone data to a computer without having to enter a PIN/password (lockscreen), and that would only take a few minutes (and it looks like that's exactly what you're trying to do... Stolen phone? Spying on your GF/BF?)
Yes, only if the phone is S-OFF: you can pack a custom recovery image named "recovery.img" and the appropriate android-info.txt file inside a firmware.zip and flash it in RUU mode. Again, it will only work if the phone is S-OFF, otherwise the bootloader will refuse to flash that firmware.zip since it will not be signed with HTC's encryption key.
And BTW your question is really OT here; it's a forum section for Tasker (Tasker is an application).
alray said:
No and yes:
If your phone is S-ON and the bootloader Locked (or relocked): No, it's a security feature to prevent unauthorized access to your data. Without this security, anyone with the appropriate knowledge could easily dump your phone data to a computer without having to enter a PIN/password (lockscreen), and that would only take a few minutes (and it looks like that's exactly what you're trying to do... Stolen phone? Spying on your GF/BF?)
Yes, only if the phone is S-OFF: you can pack a custom recovery image named "recovery.img" and the appropriate android-info.txt file inside a firmware.zip and flash it in RUU mode. Again, it will only work if the phone is S-OFF, otherwise the bootloader will refuse to flash that firmware.zip since it will not be signed with HTC's encryption key.
And BTW your question is really OT here; it's a forum section for Tasker (Tasker is an application).
Hahaha my friend, I'm a mobile technician and must need to know this, and what is the meaning of OT???
OT means out of thread? Please move it to the right section.
obaid_457 said:
Hahaha my friend, I'm a mobile technician and must need to know this, and what is the meaning of OT???
OT means out of thread? Please move it to the right section.
OT = Off topic
But never mind, a moderator moved your thread to the correct section. :good:
Anything else you need to know about htc phones?
I just got the phone and couldn't resist the temptation to start the shenanigans. I actually flashed an image into both slots and wanted to delete the duplicate image in slot b.
My thinking was that since modem_b was empty before I flashed anything to it, I probably could safely erase everything with the suffix _b, right?
No, and now my phone is bricked. I should also mention that I forgot to set the active slot back to "a", so that was probably a contributing cause.
However, when I look at how fastboot flashes the bootloader, I notice that it only touches the partitions with _b. So does that mean that my _a bootloader is intact?
In the future, I'll only erase the partitions that the factory ROM actually rewrites. And I am not touching the bootloader anymore, unless we get an msmtool equivalent for the Tensor chip. Speaking of which, I noticed that when the bricked phone is connected to my computer, it shows up as a serial device.
I am in the process of filing a claim with Google so I still have a few days to figure this out.
Is there something wrong with the how to guides in the Pixel 6 threads?
No, it was just me screwing around with the partitions. I did successfully root the phone previously.
How did you manage to wipe the bootloader partition? "dd" command? Pretty hard core if that was the case.
I rooted the phone and rooted the shell. So when I went to adb shell, I was able to cat /dev/block/bootdevice to see all the partition names.
From then on I just used the fastboot erase command.
In the back of my head, I thought that fastboot unlock_critical being disabled would save me from doing stupid things, but in retrospect it was probably only to prevent overwriting the bootloader.
I see. Amazing to think that Google would allow erasing the bootloader with a simple fastboot command.
And yet the bootloader on the other slot remains intact. With no way to enter fastboot to switch slots, it seems a replacement is the only option.
Be careful what you tell them if you go for a RMA
In the Pixel 6 Pro forum there is an unbricking guide which uses the exynos dead recovery to start flashboot and then using it to reflash the bootloader. If as you said the phone shows up as com port there should be hope.
Kickbub said:
I rooted the phone and rooted the shell. So when I went to adb shell, I was able to cat /dev/block/bootdevice to see all the partition names.
From then on I just used the fastboot erase command.
In the back of my head, I thought that fastboot unlock_critical being disabled would save me from doing stupid things, but in retrospect it was probably only to prevent overwriting the bootloader.
The unlock_critical command is automatically executed when you unlock the bootloader with the standard command. It's been that way since midway through the Pixel 2 XL lifespan.
Google should be able to make you whole.
Which command do you use? I type cat /dev/block/bootdevice in su mode
and it only comes out with cat: /dev/block/bootdevice: Is a directory.
After knowing the partition, just use fastboot erase (directory) to wipe it?