Milestone - vulnerability hunting - latest news

This topic in the forum "Root / Hacking / Modding für Motorola Milestone" was created by XVilka, 20.09.2010.

  1. Hi all!
    This is the latest news on the Milestone (and now not only the Milestone). Here is a list of researched phones:

    Motorola Milestone (our primary target)
    Motorola Milestone 2
    Motorola Droid
    Motorola Droid X
    Motorola Droid 2
    Motorola MOTOROI/Milestone XT720
    Motorola Sholes Tablet XT701
    Motorola Titanium XT800
    Motorola Ruth ME511 aka. Flipout

    1. We now have two ways - 2ndboot and vulnerability hunting.

    I'm mostly working on reverse engineering of the bootloaders and baseband parts.
    The latest IDA databases can be found here: reversed in droid-developers - Gitorious

    Yakk is mostly working on the 2ndboot attack and the modem init problem - see here: droiddev / 2ndboot / overview

    SergeyZh is mostly working on display init/working:

    Kholk is mostly working on crypto research:

    Skrilax_CZ and nothize are working on OpenRecovery: openrecovery in Motorola Droid-family Platform Research - Gitorious

    2. For those who want to change the CH table (CHSETTINGS, CHRAM, etc.) - this table doesn't contain any security settings! Only some (sometimes not needed) hardware preconfiguration. And I want to warn you: if you change the CH table, you 80% guarantee to brick your phone with no chance of reflashing!

    3. Also the main news - the TI OMAP3/4 platform is not really secure, as they described in the white papers: all TrustZone and Mobile Trusted Module specifications are not implemented as hardware modules - it's only a software emulation. When the OMAP is started, it has two Boot ROMs - one (Secure Boot ROM - 80Kb) and two - the usual Boot ROM - 32Kb. Same partitioning for the Secure On-Chip RAM. And mbmloader also contains some Secure Handlers, which are called when you call some secure function from user space. So OMAP3 M-Shield with SMC (Secure Middleware Component) works like hyperthreading cores in Intel processors: one tick - secure world, next tick - usual (not so simple, but similar).

    Next news - we don't have the whole 2048-bit RSA key stored in eFuse - only a SHA1 hash is stored in eFuse, and nothing more (eFuse is too hard for storing a big count of bits).

    And also the L3/L4 firewall, which is used for managing the secure/insecure world and also memory access, is also a configurable thing - its configuration can be changed to access all memory regions, as we suppose.

    See the Security page:

    So, if someone wants to help - we hope to see you in our team :)

    This project is not dead now! And we grew to be more and more than only a Milestone crack. We have plans to make free not only the Android part of our phones, but also the BaseBand part - like in the Osmocom-BB project.

    If you have any questions - we are happy to give answers to you! :cool:

    The booting process is described here:
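    The eFuse remark in post #1 (only a SHA1 hash of the public key is fused, not the 2048-bit key itself) describes the hash-of-key root of trust that many secure boot ROMs use. The following Python block is an added illustration, not code from the original post or from the droid-developers project: it models a boot ROM that holds the fused hash, an image container that carries its own public key and signature, and the two checks (key hash first, then signature) that run before a payload is accepted. The key pairs, the payload bytes and the container layout are all constructed for this example; the RSA is textbook RSA with small Mersenne-prime moduli, far smaller than a real device key.

```python
import hashlib
import hmac

# Toy RSA key pair (constructed for illustration, not a real device key).
# Two Mersenne primes give a modulus larger than a 160-bit SHA-1 digest so
# textbook RSA can sign the digest directly. Real OMAP keys are 2048-bit.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def serialize_pubkey(n: int, e: int) -> bytes:
    """Fixed-width encoding of the public key: the bytes the eFuse hash covers."""
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")


def efuse_hash(n: int, e: int) -> bytes:
    """The 160-bit value a factory would burn: SHA-1 of the public key, not the key."""
    return hashlib.sha1(serialize_pubkey(n, e)).digest()


def sign_image(image: bytes, d: int, n: int) -> int:
    """Textbook RSA signature over SHA-1(image) (no padding; toy only)."""
    digest = int.from_bytes(hashlib.sha1(image).digest(), "big")
    return pow(digest, d, n)


def build_signed_image(image: bytes, n: int, e: int, signature: int) -> dict:
    """Image container (hypothetical layout): the public key travels with the
    image because the boot ROM has no room to store the full key itself."""
    return {"pubkey": (n, e), "signature": signature, "payload": image}


def boot_rom_verify(fused: bytes, container: dict) -> tuple:
    """What a hash-of-key root of trust checks before running an image.
    Returns (accepted, reason)."""
    n, e = container["pubkey"]
    # Step 1: the key embedded in the image must hash to the fused value.
    if not hmac.compare_digest(efuse_hash(n, e), fused):
        return False, "key hash mismatch"
    # Step 2: the signature must verify under that key over the payload.
    expected = int.from_bytes(hashlib.sha1(container["payload"]).digest(), "big")
    if pow(container["signature"], e, n) != expected:
        return False, "image signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the three cases a practitioner wants to see."""
    fused = efuse_hash(N, E)
    image = b"constructed bootloader payload"  # constructed sample input
    good = build_signed_image(image, N, E, sign_image(image, D, N))

    # Modified payload: the signature no longer matches.
    tampered = dict(good, payload=image + b"!")

    # A second constructed key pair with a valid signature under that key:
    # rejected because its hash is not the fused one.
    p2, q2 = (1 << 127) - 1, (1 << 61) - 1
    n2, d2 = p2 * q2, pow(E, -1, (p2 - 1) * (q2 - 1))
    swapped = build_signed_image(image, n2, E, sign_image(image, d2, n2))

    return {
        "good": boot_rom_verify(fused, good),
        "tampered": boot_rom_verify(fused, tampered),
        "swapped_key": boot_rom_verify(fused, swapped),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

    Running demo() shows the three outcomes: a correctly signed image is accepted, a modified payload fails the signature check, and an image signed with a different key fails the key-hash check. That second rejection is why the fused value only needs to be a digest of the key: the boot ROM never needs the key bits themselves, only a way to recognise the right key when the image presents it.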
  2. #2 Lubomir, 20.09.2010
    Last edited: 20.09.2010
    WOW, GREAT!!! Would be wonderful to see next a Milestone working as a USRP :drool: (if possible)

    Does that mean that the pw can be bruteforced really quickly??? Because bruteforcing SHA1 is way easier than 2048-bit RSA :smile:
  3. #3 Necrophorus, 20.09.2010
    This is good news indeed! I already read about brute forcing the key and I would dedicate my notebook to it as a BOINC client, as soon as the server is up and running! Keep up your good work!
