XVilka
New Member
Hi all!
This is the latest news on Milestone (and now not only Milestone). Here is a list of researched phones:
Motorola Milestone (our primary target)
Motorola Milestone 2
Motorola Droid
Motorola Droid X
Motorola Droid 2
Motorola MOTOROI/Milestone XT720
Motorola Sholes Tablet XT701
Motorola Titanium XT800
Motorola Ruth ME511 aka. Flipout
1. We now have two ways - 2ndboot and vulnerability hunting.
I'm mostly working on Reverse Engineering of bootloaders and baseband parts.
Latest IDA databases can be found here: reversed in droid-developers - Gitorious
Yakk is mostly working on the 2ndboot attack and the modem init problem - see here: droiddev / 2ndboot / overview - bitbucket.org
SergeyZh is mostly working on display init/operation: https://new.droid-developers.org/wiki/Display_Subsystem
Kholk is mostly working on crypto research: https://new.droid-developers.org/wiki/Crypto
Skrilax_CZ and nothize are working on OpenRecovery: openrecovery in Motorola Droid-family Platform Research - Gitorious
2. For those who want to change the CH table (CHSETTINGS, CHRAM, etc.) - this table doesn't contain any security settings! Only some (sometimes not needed) hardware preconfiguration. And I want to warn you: if you change the CH table, you are 80% guaranteed to brick your phone with no chance of reflashing! https://new.droid-developers.org/wiki/CH
3. Also the main news - the TI OMAP3/4 platform is not really as secure as described in their white papers: the TrustZone and Mobile Trusted Module specifications are not implemented as hardware modules - it's only a software emulation. When the OMAP is started, it has two Boot ROMs - one Secure Boot ROM (80Kb) and a usual Boot ROM (32Kb). Same partitioning for the Secure On-Chip RAM. And mbmloader also contains some Secure Handlers, which are called when you call some secure function from user space. So OMAP3 M-Shield with SMC (Secure Middleware Component) works like hyperthreading cores in Intel processors: one tick - secure world, next tick - usual (not so simple, but similar).
Next news - we don't have the whole 2048-bit RSA key stored in eFuse - only a SHA1 hash is stored in eFuse, and nothing more (eFuse is too hard for storing a big number of bits).
And also the L3/L4 firewall, which is used for managing the secure/insecure world and also memory access, is a configurable thing - its configuration can be changed to access all memory regions, as we suppose.
See the Security page: https://new.droid-developers.org/wiki/Security
So, if someone wants to help - we hope to see you in our team.
This project is not dead! And we have grown to be much more than only a Milestone crack. We have plans to free not only the Android part of our phones, but also the BaseBand part - like in the Osmocom-BB project.
If you have any questions - we are happy to give you answers!
The booting process is described here: https://new.droid-developers.org/wiki/Booting_chain
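The remark in item 3 that the eFuses hold only a SHA1 hash of the 2048-bit RSA key, not the key itself, describes a common secure-boot pattern: the fuses commit to the public key, the full key travels inside the signed image, and the boot ROM must hash the embedded key and compare it with the fused value before trusting any signature made with it. The Python below is an added example written for this thread to illustrate that pattern; it is not code from the droid-developers project or from any OMAP Boot ROM. The image layout, the function names (make_keypair, build_image, rom_verify) and the use of a small seeded toy RSA key with textbook (unpadded) signatures are assumptions made so that the example runs offline; a real ROM uses a much larger key and a padded signature scheme.

```python
import hashlib
import hmac
import random
from math import gcd

# Toy parameters so the example runs in well under a second. A real
# bootloader key is far larger (the post mentions a 2048-bit RSA key).
MODULUS_BITS = 512
PUBLIC_EXPONENT = 65537
MOD_BYTES = MODULUS_BITS // 8
SIG_BYTES = MOD_BYTES
KEY_BYTES = MOD_BYTES + 4          # serialized key: modulus || 4-byte exponent


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probable-prime test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def make_keypair(seed):
    """Deterministic (seeded) toy RSA keypair: {'n', 'e', 'd'}."""
    rng = random.Random(seed)
    while True:
        p = gen_prime(MODULUS_BITS // 2, rng)
        q = gen_prime(MODULUS_BITS // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(PUBLIC_EXPONENT, phi) == 1:
            break
    return {"n": p * q, "e": PUBLIC_EXPONENT, "d": pow(PUBLIC_EXPONENT, -1, phi)}


def public_bytes(key):
    return key["n"].to_bytes(MOD_BYTES, "big") + key["e"].to_bytes(4, "big")


def key_hash(pub):
    """The only thing that goes into the fuses: a SHA-1 of the public key."""
    return hashlib.sha1(pub).digest()


def build_image(key, payload):
    """Vendor side: image = public key || signature over SHA-1(payload) || payload."""
    digest = int.from_bytes(hashlib.sha1(payload).digest(), "big")
    sig = pow(digest, key["d"], key["n"]).to_bytes(SIG_BYTES, "big")
    return public_bytes(key) + sig + payload


def rom_verify(fused_hash, image):
    """Boot-ROM side. Returns True only if the embedded key hashes to the fused
    value AND the signature made with that key matches the payload."""
    if len(image) < KEY_BYTES + SIG_BYTES:
        return False
    pub = image[:KEY_BYTES]
    sig = image[KEY_BYTES:KEY_BYTES + SIG_BYTES]
    payload = image[KEY_BYTES + SIG_BYTES:]
    # Step 1: the fused hash commits to the key, so a swapped-in key fails here
    # even if its signature over the payload is internally consistent.
    if not hmac.compare_digest(key_hash(pub), fused_hash):
        return False
    n = int.from_bytes(pub[:MOD_BYTES], "big")
    e = int.from_bytes(pub[MOD_BYTES:], "big")
    sig_int = int.from_bytes(sig, "big")
    if sig_int >= n:
        return False
    # Step 2: textbook RSA check, sig^e mod n must equal SHA-1(payload).
    expected = int.from_bytes(hashlib.sha1(payload).digest(), "big")
    return pow(sig_int, e, n) == expected


if __name__ == "__main__":
    vendor = make_keypair(seed=1)
    fused = key_hash(public_bytes(vendor))          # stands in for the eFuse contents
    payload = b"constructed sample bootloader payload"
    image = build_image(vendor, payload)
    print("genuine image accepted:", rom_verify(fused, image))
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])
    print("tampered payload rejected:", not rom_verify(fused, tampered))
    forged = build_image(make_keypair(seed=2), payload)
    print("image under a non-fused key rejected:", not rom_verify(fused, forged))
```

The third check is the one the eFuse design exists for: an image carrying a different public key with a perfectly valid self-consistent signature is still refused, because 20 bytes of fused hash are enough to pin the 2048-bit key without storing it.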