View Full Version : Let's talk about the RSA hack.
russoeternal
01-03-2009, 06:55 PM
Hey guys.
Well, since GandjaFuzz left his project to bypass the RSA on the MOTO V6, there's nobody who wants to do it. Well, the deal is this: if you have some knowledge about how to start on it, developing and stuff for this, please let us know.
We, the Maxx V6 users, want to use patches and stuff like the other phones that have the RSA bypassed.
If you have any clue on this, please post it here; I think we can make a good team if we all work together.
Someone told me that we need to know Argon programming or something, I can't remember what...
post your ideas...
06/01/09 Thread update!
The information obtained: thanks to OCM770,Skrilax_CZ,flash.tato,kn100,russoeternal
1.- For starters you need to know the processor type to know what language the code is written in (ARM, for example, is one).
2.- You can use the BL03.09 upgrade (CG2) to get the code. ARGON is on ARMB (ARM Big Endian platform). The second way is to TP the phone and read it from the chip's memory (for 03.02).
3.- We need some documentation about ARMB.
4.- You can use IDA Pro (warez) to disassemble the binary code. But there is our problem: we need to find someone who knows how to study it etc., or in other words find a hole in the bootloader / firmware so we do not have to TP the phone in order to bypass RSA.
Information for argon provided by kent_lkc
Argon+ is the main processor used for all system and user applications.
The Argon IC integrates the following three main cores:
• Microcontroller Unit (MCU): 400MHz ARM11 used for operating system, user applications and call control.
• Digital Signal Processor (DSP): 208MHz Motorola StarCore used for call and audio data processing.
• Smart DMA (SDMA): 100MHz Direct Memory Access Controller used to assist communications between the MCU and DSP.
RAZR MAXX processor.
http://img380.imageshack.us/img380/217/v6processorxx0.jpg
08/01/09 Thread update
kent_lkc got the original 03.02 bootloader, not a backup, the original ROM. :) Skrilax_CZ said that now we need someone who can disassemble it.
:) And I decided to add the Testpoint image if someone needs it.
http://russoeternal.motoevolution.net/images/tpfull.jpg
kn100
01-03-2009, 07:06 PM
Argon is the version of the bootloader, you need to know how to read the code behind the bootloader to crack RSA:thumbsup:
russoeternal
01-03-2009, 07:10 PM
is there a way to know how to read it?
For starters you need to know the processor type to know what language the code is written in (ARM, for example, is one)
Skrilax_CZ
01-04-2009, 07:19 AM
You can use BL03.09 upgrade (CG2) to get the code. ARGON is on ARMB (ARM Big Endian platform). The second way is to TP the phone and read it from the chip's memory (for 03.02).
russoeternal
01-04-2009, 10:29 AM
Will the testpoint image that we already have be useful, or do we need to find another point?
Nayar
01-04-2009, 11:50 AM
You can use BL03.09 upgrade (CG2) to get the code. ARGON is on ARMB (ARM Big Endian platform). The second way is to TP the phone and read it from the chip's memory (for 03.02).
My suggestion. We will need to find a tool which can convert ARMB to binary instantaneously and we will have to find the source code by trial and error.
russoeternal
01-04-2009, 11:56 AM
Talking with flash.tato a while ago, he told me that we need all the documentation about ARMB.
Is there a convertor from ARMB to binary?
russoeternal
01-04-2009, 12:23 PM
well, browsing on the internet, I just found this PDF
ELF for ARM
dunno if it's helpful
Nayar
01-05-2009, 12:36 AM
With what program did flash.tato write the custom firmware for the v3x?
Skrilax_CZ
01-05-2009, 01:07 AM
You can use IDA Pro (warez) to disassemble the binary code. But there is our problem: we need to find someone who knows how to study it etc., or in other words find a hole in the bootloader / firmware so we do not have to TP the phone in order to bypass RSA.
Nayar
01-05-2009, 01:15 AM
I really don't want to TP my phone.
What does a hole in the firmware mean? Any illustrations?
kn100
01-05-2009, 08:59 AM
a bug in the firmware, allowing for unauthorised code to run
russoeternal
01-05-2009, 10:27 AM
Interesting, I will see if someone at my job knows about it. (I'm working at Microsoft)
Nayar
01-05-2009, 12:03 PM
Please pm me the software you are using so that i can help. Please also post a work-plan
russoeternal
01-05-2009, 12:13 PM
I'm not gonna PM you buddy, because we need to show & share everything to the others.
Well, the work-plan will be posted as soon as I find someone who can study this.
Nayar
01-05-2009, 12:27 PM
I'm not gonna PM you buddy, because we need to show & share everything to the others.
Well, i was afraid of warez :D .
EleKtrOmaX
01-05-2009, 12:53 PM
Maybe this topic will be helpful:
Original version (http://forum.***********/index.php?showtopic=157514)
Translated version (http://motohell.com/index.php?topic=3956.0)
russoeternal
01-05-2009, 01:24 PM
we can always use torrent, just giving the correct name. :)
I asked the.CoR3 and he said he has no clue on this.
Maybe this topic will be helpful:
Original version (http://forum.***********/index.php?showtopic=157514)
Translated version (http://motohell.com/index.php?topic=3956.0)
we appreciate that buddy. But the V6 is not MotoMagX, it's P2K05 (argon phone)
EleKtrOmaX
01-05-2009, 02:51 PM
V6 is not MotoMagX, it's P2K05 (argon phone)
OOps my mistake
russoeternal
01-05-2009, 05:03 PM
No problem, any help is much appreciated.
adeltaY
01-05-2009, 05:59 PM
I am willing to help with this hack any way I can, I am happy that russo started this thread, maybe together we can find the solution.
I have little knowledge on this subject, and my overall knowledge on this is far inferior to the spearheads of the project. But if you need me to download stuff and test as well, then I will do so.
Thanks russo, you rock!!!
russoeternal
01-05-2009, 06:40 PM
share your ideas mate. :)
adeltaY
01-05-2009, 06:43 PM
Well, I was thinking that you should edit your post in the beginning so that it says all of the benefits of the RSA bypass hack. This will provide the incentive for others to get involved, which might lead to a solution. Also, I am myself not aware of all of the benefits, I know most of them, but not all. :thumbsup:
Hey Rami, or some other mod, could we get a stick, at least temporarily for this? :)
russoeternal
01-05-2009, 06:49 PM
nice idea, i'm gonna post the benefits of the RSA hack.
I'd like to know what daywalker04 and USSS are thinking about this. :)
adeltaY
01-05-2009, 06:52 PM
Thank you russo. It would be great if USSS and daywalker chimed in here, i have to say they are some of the masters of the maxx. :thumbsup:
Skrilax_CZ
01-06-2009, 02:58 AM
Don't forget one thing. Even if we break RSA we still need skilled people to develop the patches.
I stick this thread so it remains on sight.
Nayar
01-06-2009, 03:00 AM
Don't worry. There must be someone:D
kent_lkc
01-06-2009, 10:06 AM
Argon+ is the main processor used for all system and user applications.
The Argon IC integrates the following three main cores:
• Microcontroller Unit (MCU): 400MHz ARM11 used for operating system, user applications and call control.
• Digital Signal Processor (DSP): 208MHz Motorola StarCore used for call and audio data processing.
• Smart DMA (SDMA): 100MHz Direct Memory Access Controller used to assist communications between the MCU and DSP.
russoeternal
01-06-2009, 10:47 AM
good info boss :)
kent_lkc
01-06-2009, 12:43 PM
maxx v6 processor
http://img380.imageshack.us/img380/217/v6processorxx0.jpg
hope is useful.
russoeternal
01-06-2009, 04:18 PM
Cool info kent!!! I will update the first thread with all the info re-collected.
Thread updated. I'm gonna look at the service manuals to try to find something.
adeltaY
01-06-2009, 04:38 PM
Thanks for all the info kent! Im gonna search around online for some guys who are experienced in patching and see if they would like to join this project.
russoeternal
01-06-2009, 09:18 PM
Well, I have all the service manuals for the RAZR MAXX!! Every document obtained from MD-Service. If anyone wants it, shoot me an e-mail thru my website.
IonNuke
01-07-2009, 10:35 AM
Sounds like espionage is required...... lol~~~~ I'll see if my buddy is still alive.
I don't know what he can do but he's finance department. But maybe he can mosey on over to R&D or maybe he knows someone in R&D. meh~~~
adeltaY
01-07-2009, 04:26 PM
Well, I have all the service manuals for the RAZR MAXX!! Every document obtained from MD-Service. If anyone wants it, shoot me an e-mail thru my website.
Email Sent.
Skrilax_CZ
01-08-2009, 01:32 AM
Update. We got BL 03.02 ROM. So there is no need to read it from phone. Thanks to kent.
So now the only need is to find someone who can disassemble it.
russoeternal
01-08-2009, 03:21 PM
I got IDA Pro; if anyone wants it, send me an e-mail and I will provide you the download link.
adeltaY
01-08-2009, 04:47 PM
Update. We got BL 03.02 ROM. So there is no need to read it from phone. Thanks to kent.
So now the only need is to find someone who can disassemble it.
Do we also need the BL 3.09 ROM?
russoeternal
01-08-2009, 09:01 PM
I opened the bootloader with IDA Pro, what do I need to find?
http://i40.tinypic.com/10f84no.jpg
You opened up the sbf file, which is a package of the actual bin of the bootloader; I think you need to open the actual .bin file.
Danation
01-09-2009, 10:04 AM
This is a very interesting thread. I apologize for butting in, but I'm trying to bypass RSA on another phone model (v3re.) But nobody knows where to begin.
Would the info you all are posting be relevant to other phones as well? Or am I out of line here?
russoeternal
01-09-2009, 10:19 AM
Our work is for P2K05, but you can see if our procedure works on V3RE :)
Danation
01-09-2009, 12:34 PM
lol, pretty sure v3re's just the regular old p2k deal, so I'm guessing the procedure may be different... I should have done my homework before opening my mouth, lol. However, your project still interests me. I'll follow this thread with interest...
Sorry to butt in, everybody. I hope the project goes well!
adeltaY
01-09-2009, 04:56 PM
Hey, russo, did u try opening the actual .bin file yet? And if so, could we get some screenies to show what you found?
russoeternal
01-09-2009, 08:17 PM
Anyone can do that, anyone can open the file in IDA, but I don't know what I need to find.
Nayar
01-09-2009, 11:55 PM
It asks me which is the processor type.
Which one did you use?
russoeternal
01-10-2009, 12:02 AM
ARMB type.
Nayar
01-10-2009, 01:49 AM
OMG, what's there? I can understand nothing :( . I can see only codes.
adeltaY
01-10-2009, 01:10 PM
Does anyone know what we need to find?
russoeternal
01-10-2009, 03:54 PM
that's what i'm asking... i'll see if flash.tato can help me.
Nayar
01-10-2009, 09:52 PM
ok. keep us informed.
BTW, have you noticed lots of motorola options in the cpu list in IDA?
adeltaY
01-10-2009, 09:55 PM
BTW, have you noticed lots of motorola options in the cpu list in IDA?
I don't have it right now, please explain what these options are.
ok. keep us informed.
BTW, have you noticed lots of motorola options in the cpu list in IDA?
The CPUs in the list are old Motorola CPUs; the right one for ARGON phones is ARMB.
Where can i download 03.02 bl?
ferrarix
01-11-2009, 02:57 AM
Cor3 (http://www.modmymoto.com/forums/member.php?u=103553) is a great guy at assembly. Just have a look in the V3x section and you'll know all that he has done. Trust him. He might take some time to figure it out but he does his job very well :).
Skrilax_CZ
01-11-2009, 03:13 AM
The 03.02 Bootloader ROM image is HERE (http://rapidshare.com/files/180969376/03.02_Bootloader.rar). The bootloader 03.09 is replacer.
btw. how does one find entry point in the binary? Just curious.
At 0xA0001000 there's a pointer to bl entry point
Nayar
01-11-2009, 03:51 AM
btw. how does one find entry point in the binary? Just curious.
BTW, what's an entry point?
BTW, what's an entry point?
It's where code execution begins
adeltaY
01-11-2009, 11:41 AM
Thanx for joining the team Cor3! How does the entry point help us? Sorry for N00B questions. :o
Entry point is where you have to start analyzing code
adeltaY
01-12-2009, 05:25 PM
Oh, okay, thanx. Have u opened the file and IDA and checked it out yet?
Skrilax_CZ
01-12-2009, 11:58 PM
Cor3 is working on it ;)
When he is ready he will say. kent made some tests, but afaik they did not yet work.
Nayar
01-13-2009, 10:45 AM
I have opened it with IDA but don't know how to start the decompiling process. It would be nice if someone who decompiled it could upload the codes here ;)
russoeternal
01-13-2009, 10:56 AM
will do it tonight.
03.09 bootloader ida database attached ;)
russoeternal
01-13-2009, 04:35 PM
nice.
Nayar
01-14-2009, 04:25 AM
I am using the IDA which russo gave me. It says fatal error and i should find a newer one :)
russoeternal
01-14-2009, 08:56 AM
yah, i downloaded now the 5.2
Nayar
01-14-2009, 11:17 AM
OMG, it took me ten hrs to download the version you gave me (I am using a 64kbps connection on a P2).
Please post the results here if possible, as text or whatever
russoeternal
01-14-2009, 12:00 PM
hmm, well, the bootloader was decompiled by the.C0r3 if someone wants to help us, there's the boot.
Nayar
01-17-2009, 12:20 AM
any news???
russoeternal
01-17-2009, 10:32 AM
OCM770 opened the CG1 with IDA...
but we don't know what to do...
Nayar
01-19-2009, 04:50 AM
please post screenies
adeltaY
01-20-2009, 04:39 PM
I know u tested a possible hack, any results?
Skrilax_CZ
01-21-2009, 07:49 AM
Be patient. RSA hack is for nothing if there are no patches ;) (which will take some time too)
adeltaY
01-21-2009, 06:24 PM
Oh well, im game to wait, thanx for testing guys!
RoTTe
01-22-2009, 02:52 PM
There are some interest points....
ROM:A000216A MOVS R0, #1
ROM:A000216C BL sub_A0002B52
ROM:A0002170 LDR R0, =startup_code
ROM:A0002172 LDR R0, [R0]
ROM:A0002174 LDR R1, =0xFEED ; if FEED no rsa check
ROM:A0002176 CMP R0, R1
ROM:A0002178 BEQ loc_A0002182
ROM:A000217A BL read_from_keyboard
ROM:A000217E CMP R0, #0
ROM:A0002180 BEQ loc_A0002188
ROM:A0002182
ROM:A0002182 loc_A0002182 ; CODE XREF: boot_start+E2j
ROM:A0002182 MOVS R0, #0x23
ROM:A0002184 STR R0, [SP,#0x18+var_18]
ROM:A0002186 B loc_A000218C
ROM:A0002188 ; ---------------------------------------------------------------------------
ROM:A0002188
ROM:A0002188 loc_A0002188 ; CODE XREF: boot_start+EAj
ROM:A0002188 MOVS R0, #0x58
ROM:A000218A STR R0, [SP,#0x18+var_18]
ROM:A000218C
ROM:A000218C loc_A000218C ; CODE XREF: boot_start+F0j
ROM:A000218C LDR R0, [SP,#0x18+var_18]
ROM:A000218E CMP R0, #0x58
ROM:A0002190 BNE loc_A00021AC
ROM:A0002192 LDR R0, =unk_1FFFCDB8
ROM:A0002194 LDRB R0, [R0]
ROM:A0002196 CMP R0, #1
ROM:A0002198 BNE loc_A00021A0
ROM:A000219A BL soft_reset
ROM:A000219E ; ---------------------------------------------------------------------------
ROM:A000219E B loc_A00021AC
ROM:A00021A0 ; ---------------------------------------------------------------------------
ROM:A00021A0
ROM:A00021A0 loc_A00021A0 ; CODE XREF: boot_start+102j
ROM:A00021A0 BL boot_checks
I'm so sorry but If I want to explain this I need my Spanish...
There are two important points, which I have marked in bold. If you look just before A0002180, it does a comparison and a conditional branch that ends either at A0002188 or at A000218C. And here is where it gets interesting: after a few comparisons it ends up doing a soft_reset if register R0 does not hold a 1 (A0002196), but if that 1 is there it ends up in boot_checks, which is a rather interesting function (first because it's called boot_checks... and second because of what it does inside):
ROM:A00021A0 BL boot_checks
ROM:A00021A4 CMP R0, #0
ROM:A00021A6 BNE loc_A00021AC ; all right
boot_checks (A0057B4) performs a series of important checks, such as whether the memory locations are valid, and handles several other things, among them something related to RSA (which I can't verify because I think the image is badly disassembled; there are things that don't add up. I suppose it's because of the image type and it needs some finer adjustment when disassembling, because there are addresses that make no sense).
I don't know how things stand, but I suppose those of you working on this have tools to write the bootloader even after ending up with a corrupt one (if not, that would need a closer look). If that's the case, I'd check what happens when you change A00021A6 to an unconditional branch (forcing it to always jump, whether it's correct or not).
Other possibilities are to replace the "signature", which is a PKS-type structure floating around there (a certificate, I suppose X509), with one of our own and re-sign whatever is needed; that removes the problems of trying to remove or patch the RSA.
Another of my doubts is here:
ROM:A0002170 LDR R0, =startup_code
ROM:A0002172 LDR R0, [R0]
ROM:A0002174 LDR R1, =0xFEED ; if FEED no rsa check
ROM:A0002176 CMP R0, R1
ROM:A0002178 BEQ loc_A0002182
startup_code is a RAM address (that is, we can't look at it in the dead disassembly), but it might be some kind of development patch (which the engineers use to load their firmwares without having to keep signing them). Basically that code checks whether the word FEED is at that location; if it is, "theoretically" and according to the comment, it removes the RSA check. My solution would be to change A000272 to a LDR R0, 0xFEED and see what happens...
If anyone can think of how to patch it, that would be good; otherwise we have to look up the ARM11 opcode table and see the binary values to put in, to change a LDR R1, 0xFEED to a LDR R0, 0xFEED (the one above and the one below would be identical, except that the one above is to R0), or change the CMP to a CMP R1, R1.
Regards
P.S.: Sorry for the Spanish, but my English isn't yet fluent enough to describe these details; if someone would be kind enough to translate it, it will surely help somebody.
Edit:
Firmwares that don't pass the RSA check: do they not boot on the phone, or can they not be uploaded to the phone? I've just seen several USB routines that do checks on a signature...
RoTTe, I didn't understand everything but I understood that you want to patch the bootloader.
Well, the bootloader can't be patched because there's a signature also on the bl.
About "startup_code": we can't write to startup code until we unlock RSA, so... useless
RoTTe
01-22-2009, 03:13 PM
RoTTe, I didn't understand everything but I understood that you want to patch the bootloader.
Well, the bootloader can't be patched because there's a signature also on the bl.
About "startup_code": we can't write to startup code until we unlock RSA, so... useless
Well, where is the exact code that we can "touch"? bl_entry?
Thanks
Edit:
I understood it much better now, so we can upload any firmware (whether the signature is valid or not) with the testpoint, but if I wanted to upload a non-valid (signature) firmware I won't be able to unless I use the testpoint, right?
We need to find a bug in the USB upload routines so as to avoid the firmware check, right?
Edit2:
+/-, I think this is our friend:
ROM:A0003C5E sub_A0003C5E ; CODE XREF: usb_cmd_jump+6p
ROM:A0003C5E
ROM:A0003C5E var_1C = -0x1C
ROM:A0003C5E signature_address= -0x18
ROM:A0003C5E
ROM:A0003C5E LDR R0, =aCriticalError
ROM:A0003C60 PUSH {R1-R7,LR}
ROM:A0003C62 SUBS R0, #0xE
ROM:A0003C64 MOV R3, SP
ROM:A0003C66 LDR R4, =0x80000000
ROM:A0003C68 LDRH R0, [R0,#0xC]
ROM:A0003C6A MOV R1, R4
ROM:A0003C6C STRH R0, [R3,#0x20+var_1C]
ROM:A0003C6E LDR R0, [R4,#0x2C] ; Signature address
ROM:A0003C70 LDR R5, [R4,#4] ; Magic B17219E9
ROM:A0003C72 STR R0, [SP,#0x20+signature_address]
ROM:A0003C74 LDR R6, [R1] ; Entry point
ROM:A0003C76 BL check_is_in_ramdld
ROM:A0003C7A CMP R0, #0x23
ROM:A0003C7C BEQ header_ok
ROM:A0003C7E LDR R1, =0x11E1
ROM:A0003C80 LDR R0, =0xDBE7
ROM:A0003C82 MOVS R2, #0x83
ROM:A0003C84 BL raise_critical_err
Testpoint doesn't matter.
RSA check is made by bootloader when you power up your phone, so if you flash from flash mode or blank mode is the same.
russoeternal
01-23-2009, 12:52 PM
We tried so many re-flashes. From 23 attempts, 17 failed and 6 worked, but the RSA is still there.
RoTTe: if you need translations into English, I can help you :)
I'll also help you with this if you like, RoTTE. I think it's excellent that someone like you and Cor3 are working on this; I hope it can be achieved soon. By the way RoTTE, I think right now it matters more to achieve a bypass of the RSA check before worrying about being able to flash modified firmwares. Newer phones like the L9, for example, once patched always require that CG1, among others, be flashed in blank mode. But that is easier because a Dual Bootloader was created, meaning that instead of *# for bootloader mode you can use just * to start in blank mode; I hope this can be achieved later for the Argons. For now, I think, we should start by putting a bypass on the BL, the firmware, or both if necessary, and later worry about being able to flash it in boot mode. Just my opinion.
Cor3: I don't get the part where the BL is signed. If I were to mod a Bootloader and flash it in blank mode, what would happen then? What checks the bootloader signature? And does this mean the Firmware needs to be patched and not the Bootloader?
RoTTe
01-23-2009, 04:24 PM
Sorry for the Spanish again :D
I've been reconstructing (on paper for now) some of the important routines (or those that seemed important to me), and the problem is that I think the bootloader, or at least a part of it, is always there...
I need you to clarify a few things for me that I still don't understand: what exactly is the testpoint useful for? I understood it was a way to recover the phone in case of "touching" the bootloader (and messing it up).
That is, normally, when you flash a bootloader of this caliber, there's always a part that is sacred and you don't touch, or at least if you're going to touch it you make sure the code you put in is identical to what's there (if you're flashing and it dies halfway through, for example, you know that at least the emergency part survives no matter what) to recover it in very special cases, i.e. an emergency bootloader, a few lines capable of loading the phone's recovery. Correct?
In any case, the bug must be found in one of the routines that check the RSA. The first, and perhaps the most important part, is when uploading the firmware (or at least that's what I think it does), which is part of the code I pasted above: the headers, the code sizes and the signature are verified, and if by chance you upload a firmware that isn't valid at any of these points it triggers "raise_error", which is a fatal error, with no recovery.
The other part is the other code I pasted further up, which in theory takes care of verifying the code already written to the flash and starts the program, I think.
In any case, the part with the most "possibilities" would be the USB routines; normally when programming one of these devices the engineers are lazy and program to the standard, forgetting about security issues. Unless this architecture (I don't know ARM11 well, I'm from the 9 and the 7) has security mechanisms to protect against execution on data stacks, we can probably cause an overflow somewhere in the USB routines (large packets, strange headers, it's a long story), inject code and force it to execute it (for example copying most of the bootloader code with the RSA restriction removed and forcing it to load whatever data we want). That would be the final goal, right?
Testpoint doesn't matter.
RSA check is made by bootloader when you power up your phone, so if you flash from flash mode or blank mode is the same.
But as far as I have seen, the RSA signature is also checked in some of the routines usb_cmd_jump uses, thus checking the signature apart from the heading when uploading the firmware.
So what should we do, then - try and avoid the RSA signature via some bug, or try and find a bug that allows us to run code at bootloader level and patch the whole system definitely?
The TestPoint is useful for several things. Think of it as letting you access all parts of the phone without restrictions; you can access the PDS and the Bootloader, areas which normally you could neither back up nor overwrite in Flash mode. When you enter blank mode these restrictions are removed and you can change the bootloader and the PDS, unlock the phone or repair it, for example. Another problem is that you need (at least as of today) a box (Smart Clip, for example) to be able to flash any Argon (V3xx, V6, K3, V9) in blank mode.
In practice you would need to enter blank mode using the TP in order to flash a BL; otherwise the phone throws a Critical Error the moment it tries to erase the memory where the Bootloader is. Nothing happens to the phone, but it won't let you flash a new Bootloader. With the exception of the 0309 Upgrader, of course. That's an original Motorola file that has something in the RAMDLD that lets you upgrade from 0302 to 0309, but you can't go back.
RoTTe
01-23-2009, 09:52 PM
The TestPoint is useful for several things. Think of it as letting you access all parts of the phone without restrictions; you can access the PDS and the Bootloader, areas which normally you could neither back up nor overwrite in Flash mode. When you enter blank mode these restrictions are removed and you can change the bootloader and the PDS, unlock the phone or repair it, for example. Another problem is that you need (at least as of today) a box (Smart Clip, for example) to be able to flash any Argon (V3xx, V6, K3, V9) in blank mode.
In practice you would need to enter blank mode using the TP in order to flash a BL; otherwise the phone throws a Critical Error the moment it tries to erase the memory where the Bootloader is. Nothing happens to the phone, but it won't let you flash a new Bootloader. With the exception of the 0309 Upgrader, of course. That's an original Motorola file that has something in the RAMDLD that lets you upgrade from 0302 to 0309, but you can't go back.
What's special is that the bootloader does some checks (of the header and such, from what I've been able to see: where the code you write goes from and to, etc. etc.) and is able to check whether you're going to overwrite the bootloader. Obviously you can't generate any similar file without signing it, so we start from the premise that by skipping the RSA you could in principle overwrite the bootloader. (It's what I mention in the post above: I think the way to approach it is to try to execute unsigned code in bootloader mode and make our own loader, or code that would be able to load whatever we want from USB into memory.)
What I'm saying, and I know it from experience on other models (L7, Z3, V3), is that in blank mode you can flash any bootloader. I don't know if that's the case on the Maxx, but I would think so. What I'm getting at is that it's likely a modified boot can be flashed if it's flashed in Blank Mode.
Sorry for the Spanish again :D
I've been reconstructing (on paper for now) some of the important routines (or those that seemed important to me), and the problem is that I think the bootloader, or at least a part of it, is always there...
I need you to clarify a few things for me that I still don't understand: what exactly is the testpoint useful for? I understood it was a way to recover the phone in case of "touching" the bootloader (and messing it up).
That is, normally, when you flash a bootloader of this caliber, there's always a part that is sacred and you don't touch, or at least if you're going to touch it you make sure the code you put in is identical to what's there (if you're flashing and it dies halfway through, for example, you know that at least the emergency part survives no matter what) to recover it in very special cases, i.e. an emergency bootloader, a few lines capable of loading the phone's recovery. Correct?
In any case, the bug must be found in one of the routines that check the RSA. The first, and perhaps the most important part, is when uploading the firmware (or at least that's what I think it does), which is part of the code I pasted above: the headers, the code sizes and the signature are verified, and if by chance you upload a firmware that isn't valid at any of these points it triggers "raise_error", which is a fatal error, with no recovery.
The other part is the other code I pasted further up, which in theory takes care of verifying the code already written to the flash and starts the program, I think.
In any case, the part with the most "possibilities" would be the USB routines; normally when programming one of these devices the engineers are lazy and program to the standard, forgetting about security issues. Unless this architecture (I don't know ARM11 well, I'm from the 9 and the 7) has security mechanisms to protect against execution on data stacks, we can probably cause an overflow somewhere in the USB routines (large packets, strange headers, it's a long story), inject code and force it to execute it (for example copying most of the bootloader code with the RSA restriction removed and forcing it to load whatever data we want). That would be the final goal, right?
But as far as I have seen, the RSA signature is also checked in some of the routines usb_cmd_jump uses, thus checking the signature apart from the heading when uploading the firmware.
So what should we do, then - try and avoid the RSA signature via some bug, or try and find a bug that allows us to run code at bootloader level and patch the whole system definitely?
usb_cmd_jump checks ramdownloader rsa...
flash.tato
01-24-2009, 02:50 PM
The problem isn't how RSA works.
We already wrote some code to bypass it but the problem is to find an area which is called as both Bootloader and CG1 are protected (that means that we can't patch them).
Also we thought to use the same LTE2 approach, where CG7 isn't signed so custom code can be placed here, but the problem is that CG7 in Argon(s) is useless, it isn't invoked.
So what area is called that isn't RSA protected? Why can't you just flash a Patched Bootloader in blank mode then flash a Patched Firmware in blank mode and then you have a patched Phone?
RoTTe
01-24-2009, 05:15 PM
usb_cmd_jump checks ramdownloader rsa...
Ok, but it's the same: we need to break the chain of trust a bit earlier in the boot process and take control.
bootloader -> ramdownloader -> firmware
         |
          \
         \|/
(bug in some place) -> upload our downloader -> no signed firmware
Ok, but it's the same: we need to break the chain of trust a bit earlier in the boot process and take control.
bootloader -> ramdownloader -> firmware
         |
          \
         \|/
(bug in some place) -> upload our downloader -> no signed firmware
The ramdownloader doesn't check the firmware's signature, so we can already upload an unsigned firmware, but it is the bootloader that checks the signature when you power up the phone.
This is how moto works:
Bootloader 1 (Located at 0x0, it checks Bootloader 2 integrity, if something wrong starts blank mode, this boot can't be flashed) -> Bootloader 2 (0xA0000000, checks firmware integrity) -> Firmware
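The boot chain just described, as an added model (not code from the thread, from Motorola, or from anyone in this project): Bootloader 1 verifies Bootloader 2 and falls to blank mode on failure, Bootloader 2 verifies the firmware at power-up, and the RAM downloader is a write path that does no signature check. Signatures are simulated with HMAC-SHA256 under a constructed key instead of RSA, and the "bootloader mode" outcome for a rejected firmware follows the thread's reports; both are assumptions of this model.

```python
"""Model of the Motorola boot chain described in the thread (added example).

Chain: Bootloader 1 (0x0, not flashable) -> Bootloader 2 (0xA0000000) -> firmware.
Each stage verifies the next one before handing over.  The RAM downloader can
write flash without checking, which is why an unsigned firmware can be uploaded
yet is still rejected on the next power-up.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key standing in for the vendor's signing key (assumption:
# HMAC replaces the real RSA signature so the model runs offline).
VENDOR_KEY = b"constructed-vendor-key"


@dataclass
class Image:
    name: str
    base: int          # load address as given in the thread
    code: bytes
    signature: bytes   # tag over base||code; empty for an unsigned image


def sign(base: int, code: bytes, key: bytes = VENDOR_KEY) -> bytes:
    return hmac.new(key, base.to_bytes(4, "big") + code, hashlib.sha256).digest()


def verify(img: Image, key: bytes = VENDOR_KEY) -> bool:
    """Integrity check a stage applies to the image it is about to run."""
    return hmac.compare_digest(sign(img.base, img.code, key), img.signature)


class Phone:
    def __init__(self, bl2: Image, fw: Image) -> None:
        # Bootloader 1 lives at 0x0 and cannot be flashed, so only BL2 and the
        # firmware are modelled as writable regions.
        self.flash = {"bl2": bl2, "fw": fw}

    def ram_download(self, region: str, img: Image) -> None:
        """RAM downloader path: writes the region without checking a signature."""
        self.flash[region] = img

    def power_up(self) -> str:
        """Walk the chain from Bootloader 1 and report where boot ends up."""
        if not verify(self.flash["bl2"]):
            return "blank mode"        # BL1 found BL2 invalid
        if not verify(self.flash["fw"]):
            return "bootloader mode"   # BL2 rejected the firmware
        return "firmware"


def signed_image(name: str, base: int, code: bytes) -> Image:
    return Image(name, base, code, sign(base, code))


def factory_phone() -> Phone:
    bl2 = signed_image("BL 03.02", 0xA0000000, b"constructed bootloader 2 code")
    fw = signed_image("stock firmware", 0x10000000, b"constructed stock firmware")
    return Phone(bl2, fw)


def scenarios() -> dict:
    """Outcome of power-up after each kind of RAM download."""
    results = {}

    results["stock"] = factory_phone().power_up()

    # Unsigned (or modified) firmware: the downloader accepts the write, but
    # Bootloader 2 still runs its signature check at the next power-up.
    p = factory_phone()
    p.ram_download("fw", Image("custom fw", 0x10000000, b"modified firmware", b""))
    results["unsigned_fw"] = p.power_up()

    # Re-signed with a key that is not the vendor's: rejected the same way.
    p = factory_phone()
    code = b"modified firmware"
    p.ram_download("fw", Image("resigned fw", 0x10000000, code,
                               sign(0x10000000, code, b"attacker-key")))
    results["wrong_key_fw"] = p.power_up()

    # Bootloader 2 itself altered: Bootloader 1 diverts to blank mode.
    p = factory_phone()
    p.ram_download("bl2", Image("patched BL2", 0xA0000000, b"patched BL2", b""))
    results["patched_bl2"] = p.power_up()

    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:>13}: {outcome}")
```

The model shows why flashing through the RAM downloader alone leaves the phone in bootloader mode: the check that matters runs in Bootloader 2 at every power-up, not in the upload path.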
sparkxxx
02-02-2009, 09:53 PM
hey, if you need me to testpoint a v6 I can do it for you... just tell me what to do and I'll do it.
deepaksrivastav
02-12-2009, 12:10 PM
any progress guys?
I need a little help to open my bootloader (phone is v3xxr).
Can someone describe the steps to open it?
I went as far as selecting processor type ARMB. After that I got stuck in the select ROM bytes part.
EDIT : Never mind.. I opened it.
Skrilax_CZ
03-04-2009, 02:59 PM
Shall I keep this stuck? Doesn't look like this is living :(
russoeternal
03-04-2009, 03:42 PM
Do not unstick it. Rome wasn't made in one day.
Skrilax_CZ
04-01-2009, 06:17 AM
How actually was RSA bypassed on V3x? I remember there were only edits in CG1.
russoeternal
04-01-2009, 07:37 AM
I'll ask the.C0r3 about it. We need to bypass this one.
Skrilax_CZ
05-24-2009, 03:32 AM
I'm just curious, but do you still have one of the Cor3's test flashes? Just want to know what exactly he was attempting to do.
russoeternal
05-24-2009, 09:22 AM
Oh yes, I have them all.
Skrilax_CZ
05-24-2009, 09:30 AM
Can you upload one which booted up and the last one?
russoeternal
05-24-2009, 09:33 AM
OK, I'll upload them right away.
Skrilax_CZ
05-28-2009, 03:50 PM
Don't forget about me :)
russoeternal
05-28-2009, 04:05 PM
Sorry for the late reply, been busy these days.
Here (http://russoeternal.motoevolution.net/drop/rsahack/) I uploaded the 2 files which worked; when I say worked, I mean I got no bootloader mode and it turned on fine, but RSA is still there.
Skrilax_CZ
05-29-2009, 02:55 AM
Thanks. Can you upload one which did not work? (With modded CG0 or CG1.)
Danation
07-20-2009, 12:41 PM
Bump!
I don't have a MAXX, but I've been following this thread with interest. Any news?
russoeternal
07-20-2009, 12:45 PM
Not yet sir, as far as I know there's a procedure which works like the L9 procedure, but we don't have it in our hands; we are still waiting for it.
Danation
07-20-2009, 12:47 PM
Ah, so you can remove RSA but only start the phone with a computer?
russoeternal
07-20-2009, 01:25 PM
Maybe, I don't know exactly because Gandjafuzz is not replying; that's what he told me once, but after that, no reply from him.
deepaksrivastav
07-22-2009, 12:15 AM
Hope he replies soon, coz we are all waiting for it!
Skrilax_CZ
07-22-2009, 01:28 AM
Moved to general forum.
russoeternal
07-22-2009, 10:23 AM
Thanks man.
Danation
07-23-2009, 03:54 PM
Maybe, I don't know exactly because Gandjafuzz is not replying; that's what he told me once, but after that, no reply from him.
Where's the development on this happening? Motofan? Somewhere else?
eddie817
07-23-2009, 05:36 PM
I think it's only motofan...I've been looking around.
berniesteven
08-13-2009, 10:16 AM
Is there an RSA crack for the V9X yet? Thanks. Find this thread fascinating, but not sure I understand it all yet!
russoeternal
08-13-2009, 10:19 AM
Not yet.
! .ĐΛЄMØИ. !
08-26-2009, 08:11 AM
What's the purpose of CG7 and CG18 for the Argons ? Or does no one know lol
Skrilax_CZ
08-26-2009, 06:39 PM
CG7 - unused.
CG18 - digital signature.
trimesh
10-25-2009, 06:50 PM
This is a pretty interesting thread - has anyone dumped the Argon IROM?
russoeternal
10-26-2009, 06:28 PM
No sir :( would you like to help us ?
trimesh
10-27-2009, 12:49 AM
No sir :( would you like to help us ?
Well, I can certainly have a play with it - although I need to get an Argon based phone first. I would guess that the security features on Argon are similar to the ones on the i.MX31 - and I have the docs for those somewhere, so that might provide some leads.
russoeternal
10-27-2009, 04:33 PM
Amazing! Any help will be appreciated. :D
You can disassemble the CGs and Bootloader using IDA and setting the processor to ARMB (I think...). Skrilax_CZ would know more about this for sure; you can speak to him for further details.
trimesh
10-29-2009, 06:03 AM
You can disassemble the CGs and Bootloader using IDA and setting the processor to ARMB (I think...). Skrilax_CZ would know more about this for sure; you can speak to him for further details.
I think he was the guy that posted the .idb file for the bootloader earlier in the thread - he did a nice job of identifying what the code is doing. I've had a look at it, and can't see any obvious holes in the signature verification :(
Hopefully someone can find something; noRSA on P2K05 would be a great achievement. These phones are amazingly fast but the stock OS is just not worth a darn, and the only mods there are pretty much seem to be mods and skins... I guess I could help in the testing process if a patch is started, but I can't help in the actual patching as I'm no coder :(
propane88
12-08-2009, 12:07 PM
I suppose this should be directed to russoeternal since his id appears in the guide at the beginning of the thread. I am interested in the work that all of you are doing here. I am new at this site and new to modding. If I can help let me know. I don't have a lot of time per week to spend, but some is better than none, yes? I have a v3xx which by the info on this board is a p2k05 unit, and so what you appear to be doing looks as though it is close to what I am looking for. I have experience with x86 opcode and C. I would need detailed hardware info and, since you're working on a v6, I would need a dump of the boot code and a dump of the OS. I have access to the tech refs at ARM and so can get CPU info there, although if you have the links handy, I can save some time by not having to sort through their site. Thanks to everyone in this thread for their participation.
jdyates
02-13-2010, 12:34 AM
CG7 - unused.
CG18 - digital signature.
Are you sure? Not sure if there are CG7 differences between MAXX and V3xx, but it seems like my V3xx CG7 is 131,072KB... couldn't there be ANY data in it? Also, for Ghits and Siggles, I modded the V3xx .prof to be able to back up PDS and BOOT, so is there any significant data in either?
russoeternal
02-13-2010, 10:29 AM
The addresses on the V3XX.prof are wrong, if you just deleted the ";".
jdyates
02-13-2010, 02:19 PM
Really? Hmmm... I'm out of ideas.
tomauswustrow
02-20-2010, 01:45 AM
Still reading :)
What about this > http://wiki.howardforums.com/index.php/SHX_File_Modding_Guide#Signature_BIN
Sorry for noobish questions :)
If this is done one day, will it work for V3xx???
russoeternal
02-20-2010, 02:15 PM
Yes, that should work on V3XX.
tomauswustrow
03-01-2010, 12:37 PM
But how to make a bypass?
vBulletin® v3.8.4, Copyright ©2000-2010, Jelsoft Enterprises Ltd.