
Milestone - vulnerability hunting - latest news

This topic in the forum "Root / Hacking / Modding für Motorola Milestone" was created by XVilka, 20.09.2010.

  1. XVilka, 20.09.2010 #1
    XVilka

    XVilka Thread starter Junior Member

    Posts:
    35
    Thanks received:
    100
    Member since:
    06.03.2010
    Phone:
    Motorola Milestone
    Hi all!
    This is the latest news on the Milestone (and now not only the Milestone). Here is a list of the phones being researched:

    Motorola Milestone (our primary target)
    Motorola Milestone 2
    Motorola Droid
    Motorola Droid X
    Motorola Droid 2
    Motorola MOTOROI/Milestone XT720
    Motorola Sholes Tablet XT701
    Motorola Titanium XT800
    Motorola Ruth ME511 aka. Flipout

    1. We now have two ways - 2ndboot and vulnerability hunting.

    I'm mostly working on reverse engineering of the bootloaders and the baseband parts.
    The latest IDA databases can be found here: reversed in droid-developers - Gitorious

    Yakk is mostly working on the 2ndboot attack and the modem init problem - see here: droiddev / 2ndboot / overview — bitbucket.org

    SergeyZh is mostly working on display init/operation: https://new.droid-developers.org/wiki/Display_Subsystem

    Kholk is mostly working on crypto research: https://new.droid-developers.org/wiki/Crypto

    Skrilax_CZ and nothize are working on OpenRecovery: openrecovery in Motorola Droid-family Platform Research - Gitorious

    2. For those who want to change the CH table (CHSETTINGS, CHRAM, etc.) - this table doesn't contain any security settings! Only some (sometimes not needed) hardware preconfiguration. And I want to warn you: if you change the CH table, you are 80% guaranteed to brick your phone with no chance of reflashing! https://new.droid-developers.org/wiki/CH

    3. Also the main news - the TI OMAP3/4 platform is not really secure, as they describe it in the white papers: all the TrustZone and Mobile Trusted Module specifications are not implemented as hardware modules - it's only a software emulation. When the OMAP is started it has two Boot ROMs - one Secure Boot ROM (80Kb) and a usual Boot ROM (32Kb). Same partitioning for the Secure On-Chip RAM. And mbmloader also contains some Secure Handlers, which are called when you call some secure function from user space. So OMAP3 M-Shield with SMC (Secure Middleware Component) works like hyperthreading cores in Intel processors: one tick - secure world, next tick - usual world (not so simple, but similar).

    Next news - we don't have the whole 2048-bit RSA key stored in eFuse - only the SHA1 hash is stored in eFuse, and nothing more (eFuse is too hard for storing a big number of bits).

    And also the L3/L4 firewall, which is used for managing the secure/insecure world and also memory access, is a configurable thing - its configuration can be changed to access all memory regions, as we suppose.

    See the Security page: https://new.droid-developers.org/wiki/Security

    So, if someone wants to help - we hope to see you in our team :)

    This project is not dead now! And we have grown to be more than only a Milestone crack. We have plans to free not only the Android part of our phones, but also the BaseBand part - like in the Osmocom-BB project.

    If you have any questions - we are happy to give you answers! :cool:

    The booting process is described here: https://new.droid-developers.org/wiki/Booting_chain
     
    andry, invd, Necrophorus and 8 others thanked this.
  2. Lubomir, 20.09.2010 #2
    Lubomir

    Lubomir Android-Lexikon

    Posts:
    1,311
    Thanks received:
    194
    Member since:
    26.03.2009
    WOW, GREAT!!! Would be wonderful to see next a Milestone working as a USRP :drool: (if possible)


    Does that mean that the pw can be brute-forced really quick??? Because brute-forcing SHA1 is way easier than 2048-bit RSA :smile:

    http://www.golubev.com/hashgpu.htm
     
    Last edited: 20.09.2010
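XVilka's post says the eFuses hold a SHA1 hash of the 2048-bit RSA key rather than the key itself, and Lubomir's reply asks what that means for brute force. The model below, added here as an example and not code from Motorola, the droid-developers project or anyone in the thread, shows the shape such a hash-anchored root of trust usually takes: the fused digest only pins which public key the ROM will accept, and the image is still checked by RSA signature verification under that key, so the digest is not a password that the ROM compares against user input. The payload format, the use of PKCS#1 v1.5 and SHA-256 under the signature, and the three constructed images are assumptions of this example; the thread does not describe the real image layout.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Fuses models the one-time-programmable fuse array. As in the thread, only a
// 20-byte SHA-1 digest of the OEM public key is fused, never the key itself.
type Fuses struct {
	PubKeyHash [sha1.Size]byte
}

// Image models a signed bootloader image as the boot ROM would find it in
// flash (constructed layout): payload, the public key shipped alongside it,
// and an RSA signature over the payload.
type Image struct {
	Payload   []byte
	PubKeyDER []byte
	Signature []byte
}

var (
	ErrKeyMismatch  = errors.New("shipped public key does not match the fused digest")
	ErrBadSignature = errors.New("payload signature does not verify under the fused key")
)

// BurnFuses derives the fuse contents for a given OEM public key.
func BurnFuses(pub *rsa.PublicKey) Fuses {
	return Fuses{PubKeyHash: sha1.Sum(x509.MarshalPKCS1PublicKey(pub))}
}

// SignImage is the OEM signing step. SHA-256 under PKCS#1 v1.5 is an
// assumption of this example; the thread does not say what the real chain uses.
func SignImage(priv *rsa.PrivateKey, payload []byte) (Image, error) {
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return Image{}, err
	}
	return Image{
		Payload:   payload,
		PubKeyDER: x509.MarshalPKCS1PublicKey(&priv.PublicKey),
		Signature: sig,
	}, nil
}

// VerifyImage is the boot ROM step. Check 1 binds the shipped key to the
// fuses; check 2 binds the payload to that key. The fused digest on its own
// says nothing about the payload.
func VerifyImage(f Fuses, img Image) error {
	if sha1.Sum(img.PubKeyDER) != f.PubKeyHash {
		return ErrKeyMismatch
	}
	pub, err := x509.ParsePKCS1PublicKey(img.PubKeyDER)
	if err != nil {
		return err
	}
	h := sha256.Sum256(img.Payload)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], img.Signature) != nil {
		return ErrBadSignature
	}
	return nil
}

// Outcome records how the ROM check reacts to three constructed images.
type Outcome struct {
	GenuineAccepted    bool // OEM key, OEM signature, untouched payload
	ForeignKeyRejected bool // someone else's key with a valid self-signature
	TamperedRejected   bool // OEM key and signature, one payload byte changed
}

// RunScenarios fuses an OEM key into a model device and feeds it three images.
func RunScenarios() (Outcome, error) {
	oem, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	fuses := BurnFuses(&oem.PublicKey)

	genuine, err := SignImage(oem, []byte("constructed bootloader payload v1"))
	if err != nil {
		return Outcome{}, err
	}

	// A key that is not the fused one fails check 1 no matter how good its signature is.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	foreign, err := SignImage(other, []byte("constructed replacement payload"))
	if err != nil {
		return Outcome{}, err
	}

	// The fused key passes check 1, but a modified payload fails check 2.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01

	return Outcome{
		GenuineAccepted:    VerifyImage(fuses, genuine) == nil,
		ForeignKeyRejected: errors.Is(VerifyImage(fuses, foreign), ErrKeyMismatch),
		TamperedRejected:   errors.Is(VerifyImage(fuses, tampered), ErrBadSignature),
	}, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The two checks are deliberately separate: the fuse comparison is what lets a 20-byte digest stand in for a 256-byte key, and the signature check is what actually authenticates the bootloader. Reading the digest out of the fuses, as the thread discusses, tells you which key is trusted; it does not by itself let a modified image pass the second check.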
  3. Necrophorus, 20.09.2010 #3
    Necrophorus

    Necrophorus Android-Hilfe.de Member

    Posts:
    77
    Thanks received:
    27
    Member since:
    28.06.2010
    This is good news indeed! I already read about brute-forcing the key and I would dedicate my notebook to it as a BOINC client, as soon as the server is up and running! Keep up your good work!
     
