Moto Hell - The Motorola Modding Community
November 21, 2024, 05:54:13 am *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: The forum is no longer active and registration is disabled; however you can still fetch everything as guest.
 
   Home   Help Facebook Search Calendar Login Register  
Pages: [1]   Go Down
  Print  
Author Topic: KILL RSA at Motomagx phones, tested and working on the V8, E8:)  (Read 13703 times)
hobbit19
Guest
« on: December 28, 2008, 07:24:33 am »

http://forum.motofan.ru/index.php?showtopic=157514

So, I finally found a hole in zagruzchike motomagx phones, which allows the phone to run unsigned AP-firmware

Caution: If you want to do what is described here with their phones - you do so at your own risk .. I am not responsible for the deaths your phone ..

A bit of theory
Hole surfaced in zagruzchike irom-BP. When the phone is switched on bottles (mbm AP-part) first loads into RAM bp-loader and passes BP team perform bp-loader. irom-loader BP checks signature bp-loader, and if it all right - sends execution bp-loader'u. The important point - just before the signature irom loader BP checks the header bp-loader pointer to a certain structure and if this is a pointer - parses the structure .. This structure, in addition to title, contains a set of addresses and values; irom-loader records in each of the addresses (if the address in his view correct) the appropriate value .. Thus it is possible to complete the structure itself and shift to the BP work on "otpatchivaniyu" Bhutan AP (AP bottles are currently loaded into operativku, his signature has been tested before, and he awaits a response from BP, which bp-loader tested signature) .. In doing so, the very structure can arrange for the signature and it is leading title describe patch bp-loader to the starting point to properly check the signature took place ..
Necessary additions to the bp-loader:
Place the signature bp-loader structure following format:
The first four bytes from the beginning of the structure - 0xB17219E9 - constant, which verified the correctness of the structure.
The four bytes - the size of the structure (must be a multiple of eight, but not more than 256).
Next to the list of addresses and values (four bytes at the address and four - on the meaning).
In the title bp-loader should be a pointer to this structure (four bytes at +0 x14 from the start bp-loader) and a pointer to this index  (at +0 x08 from the start bp-loader) .. Accordingly to bp-loader tested signature - will need to return the title to the original mind (usually in these fields zeros) and therefore the first patches described in the structure - is precisely the recording of zeros in these fields .. Then follow the patches that need to be applied to ap-Bout ..
After several experiments, I received a minimal set of patches Bout who led that the phone agrees to work with unsigned firmware for Butov 06.a3 (e8) and a3.cf (v8) - phones that "dozhili" until victory ..
Patches depend on a version of Buta, when you install the wrong patch, or correct, but no Bout version sootvetstvuschih - get the corpse. I already is killed z6 - it tried earlier versions of patches, which I did not take into account some checks in Buta, from dimichxp -- e8 killed. Would restore these phones - the big question ..
Well, the basic things like all wrote enclose received Buta you want to ask the phone if your phone version Bout coincides with one of these .. While even the same - think again whether you still need it))

If a man takes to port it to other versions Butov / phones - keep in mind that you need to be very careful and recheck all that do attempt is likely to be only one!

(c) yakk
Logged
tuyie78
Guest
« Reply #1 on: December 28, 2008, 09:38:43 am »

tested work on my e8 boot 06a3 Smiley..thanks to yakk from motofan also hobbit19++
Logged
huatz84
Guest
« Reply #2 on: December 28, 2008, 06:59:33 pm »

The description seems confusing.It'd be great if someone can give a clear explanation.I'd like to test it.
Logged
arctu
Guest
« Reply #3 on: December 29, 2008, 12:44:05 am »

Hmm.. So.. we modify the bootloader. That means, if I have bootloader 06a3 (e8) and I flash the file tuyie78 posted, I'll have my E8 free from RSA?
Logged
tuyie78
Guest
« Reply #4 on: December 29, 2008, 01:54:28 am »

Yes arctu
Logged
jhona72
Guest
« Reply #5 on: December 31, 2008, 12:04:05 pm »

tested in z6... boot a3.cc
Logged
nobody
Guest
« Reply #6 on: March 08, 2009, 02:45:56 am »

sounds good!
future seems bright!
Logged
Exploited
Administrator
Ultimate modder
*****

Karma: 109
Offline Offline

Posts: 5153



View Profile WWW
« Reply #7 on: March 09, 2009, 10:51:07 pm »

helen490 - please do not post links to content, unrelated to the subject of the post
Logged

navimoto
Guest
« Reply #8 on: March 16, 2011, 02:19:17 pm »

hi friends please help me my rokr e8 is stuck wit the bootloader 0.6aa. Please help me please
Logged
Pages: [1]   Go Up
  Print  
 
Jump to:  

Design By Forum Hosting
Powered by SMF 1.1.21 | SMF © 2015, Simple Machines