breaking DX news

when it says "OMAP secure bootrom: secure", with "secure" highlighted in red, what does that mean? Is that bad?

It's "bad" for the people that believe (as I do) that once you purchase a device, it's yours to tinker with as you will. From what I gather, this news gives ROM developers a way around that, so that we can get true custom ROMs on our phones.

These keys are only for installing custom ROMs that replace the kernel. Otherwise, these keys are useless. So unless you are a developer, don't worry about this at all.

I'm not worried, I'm frickin' excited! I have high hopes for CM7 on my X :D
 
@SYL: Meh, I know. And I do want to replace the kernel, as this one (afaik) doesn't support ext4. Why? I want to put a linux distro on it. Why? Because I can. :)
 
> It's "bad" for the people that believe (as I do) that once you purchase a device, it's yours to tinker with as you will. From what I gather, this news gives ROM developers a way around that, so that we can get true custom ROMs on our phones.

In this case, it is possible therefore to get a complete rom, say cyanogenmod running, with the custom kernel and everything? It will be identical to a phone without a bootloader? No downsides or limitations? If so, how can it be bad? :) you have the key
 
What I always found funny was that Motorola's official statement on the bootloader encryption topic was that they did it to "protect" their software. But anyone who gives a damn wants access so they can get RID of Moto's software.

Anyway, I wasn't too concerned about having an altered kernel. But I would be pretty happy if this hastens a port of MIUI, screw CM7.
 
updated again
Sholes signing key leak explained

The Motorola® sholes platform uses a trusted bootloader environment. Signatures are stored as part of the CDT stored on the NAND flash. mbmloader verifies the signature on mbm before passing control. mbm verifies all other signatures before allowing the device to boot.

There is a vulnerability in the way that Motorola generated the signatures on the sections stored in the CDT. This vulnerability is very simple. Like on the PlayStation 3, Motorola forgot to add a random value to the signature in order to mask the private key. This allowed the private key and initialization vector to be cracked.

The keys can be cracked using Mathematica. Read up on how the Elgamal signature scheme works.
TL;DR: k = s - sha1sum(data)

The above formula will yield signing keys on vulnerable phones due to Motorola botching their signing keys.
Keys

Not placed here due to Motorola legal.
Ok, what does this mean?

Please refer to the following table:

Boot chain component   Status
OMAP secure bootrom    secure
Secure keystore        replaceable (this CG must be signed by Motorola's key)
mbmloader              secure, but irrelevant
mbm                    secure, but irrelevant, replaceable but unnecessary
recovery               replaceable (signable by anything in keystore)
system                 replaceable (signable by anything in keystore)
bootimage              replaceable (signable by anything in keystore)

I do not plan on doing any more work on this. But all information has been handed over to people who are working on this. Follow the FreeMyMoto people for their progress.

In theory, creating a packed SBF to update keystore and replace recovery should work without bricking your phone. My advice: do not replace mbmloader as that is dangerous. An earlier version of this advisory marked it as replaceable, I have decided to remove this claim as I cannot presently think of a way to do it safely.
Notes to recovery authors

Your recovery must update the signatures on the Codegroup Descriptor Table (CDT). If it does not, your recovery will brick the phone if you attempt to flash a custom ROM.
Notes on similar non-sholes platforms

I do not know if the information in this advisory is related to those phones or not. In general, anyone trying anything with the information in this advisory is doing so at their own risk.
Advisory history

* December 20th, 2010 — Motorola notified of keystore vulnerability. No response received from Motorola.
* February 20th, 2011 — Motorola notified again of keystore vulnerability. No response received from Motorola.
* February 27th, 2011 — Motorola notified that keystore vulnerability will be disclosed to public on March 20th. No response received from Motorola.
* March 20th, 2011 — Keystore signature generation vulnerability publicly disclosed including private key leak. Response received from Motorola legal.
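The advisory above attributes the leak to a missing random value in the signature and points at the ElGamal signature scheme. The following is an added example, not code from the advisory, this thread or Motorola: it uses textbook ElGamal with toy parameters to show what that random value does. The prime P, base G, the constant FIXED_NONCE, the private key used in the demo and all message bytes are constructed; Motorola's actual CDT signature format and the quoted k = s - sha1sum(data) relation are not reproduced. The example shows that signatures from a correct signer and from a signer with a fixed, non-secret nonce both verify, that one signature plus a known nonce yields the private key, and that an auditor can spot nonce reuse in a batch of signatures by a repeated r value before any key material is at risk.

```python
"""Added example: textbook ElGamal signatures with and without a fresh per-signature nonce.

All parameters are constructed toy values; this is not Motorola's CDT signature format.
"""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

P = 1_000_000_007   # toy prime modulus (constructed; real deployments use far larger primes)
G = 5               # 5 is a primitive root mod P, so g^x determines x uniquely mod P-1
ORDER = P - 1       # exponents are reduced mod P-1


def h(data: bytes) -> int:
    """Message digest as an integer mod P-1 (SHA-1, the hash the advisory names)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % ORDER


def keygen() -> tuple[int, int]:
    """Private exponent x and public key y = g^x mod p."""
    x = 2 + secrets.randbelow(ORDER - 3)
    return x, pow(G, x, P)


def sign(msg: bytes, x: int, k: int) -> tuple[int, int]:
    """ElGamal signature (r, s) = (g^k, k^-1 * (H(m) - x*r)) with an explicit nonce k."""
    if gcd(k, ORDER) != 1:
        raise ValueError("nonce must be invertible mod p-1")
    r = pow(G, k, P)
    s = (h(msg) - x * r) * pow(k, -1, ORDER) % ORDER
    return r, s


def sign_safe(msg: bytes, x: int) -> tuple[int, int]:
    """Correct signer: a fresh, secret, uniformly random nonce for every signature."""
    while True:
        k = 2 + secrets.randbelow(ORDER - 3)
        if gcd(k, ORDER) == 1:
            return sign(msg, x, k)


FIXED_NONCE = 65537  # constructed: a nonce that is a public constant, i.e. the "random value" is missing


def sign_leaky(msg: bytes, x: int) -> tuple[int, int]:
    """Flawed signer: the same non-secret nonce every time. Its signatures still verify."""
    return sign(msg, x, FIXED_NONCE)


def verify(msg: bytes, sig: tuple[int, int], y: int) -> bool:
    """Standard check g^H(m) == y^r * r^s (mod p); it cannot tell the two signers apart."""
    r, s = sig
    if not (0 < r < P and 0 <= s < ORDER):
        return False
    return pow(G, h(msg), P) == pow(y, r, P) * pow(r, s, P) % P


def solve_linear(a: int, b: int, accept) -> int | None:
    """Smallest x with a*x == b (mod p-1) that passes accept(x); handles gcd(a, p-1) > 1."""
    a, b = a % ORDER, b % ORDER
    d = gcd(a, ORDER)
    if b % d or d > 1 << 16:   # no solution, or too many candidates to enumerate
        return None
    m = ORDER // d
    x0 = (b // d) * pow(a // d, -1, m) % m
    for t in range(d):
        x = x0 + t * m
        if accept(x):
            return x
    return None


def recover_private_key(msg: bytes, sig: tuple[int, int], y: int, k: int) -> int | None:
    """With the nonce k behind (r, s) known, x follows from x*r == H(m) - s*k (mod p-1)."""
    r, s = sig
    return solve_linear(r, h(msg) - s * k, lambda x: pow(G, x, P) == y)


def recover_nonce_from_reuse(m1: bytes, sig1, m2: bytes, sig2) -> int | None:
    """Two signatures sharing r share k, and then k*(s1 - s2) == H(m1) - H(m2) (mod p-1)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    return solve_linear(s1 - s2, h(m1) - h(m2), lambda k: pow(G, k, P) == r1)


def find_repeated_r(sigs) -> set[int]:
    """Auditor's check over a batch of signatures: any r seen twice means a reused nonce."""
    seen: set[int] = set()
    repeated: set[int] = set()
    for r, _ in sigs:
        (repeated if r in seen else seen).add(r)
    return repeated


if __name__ == "__main__":
    x, y = keygen()
    msgs = [b"bootimage", b"recovery"]            # constructed stand-ins for signed sections
    good = [sign_safe(m, x) for m in msgs]
    bad = [sign_leaky(m, x) for m in msgs]
    print("all verify:", all(verify(m, s, y) for m, s in zip(msgs * 2, good + bad)))
    print("repeated r in safe batch:", find_repeated_r(good))
    print("repeated r in leaky batch:", find_repeated_r(bad))
    k = recover_nonce_from_reuse(msgs[0], bad[0], msgs[1], bad[1])
    print("nonce recovered from reuse:", k == FIXED_NONCE)
    print("private key recovered from one leaky signature:", recover_private_key(msgs[0], bad[0], y, k) == x)
```

The point for anyone who ships a signing pipeline is that `verify` is the wrong place to look for this class of defect: both signers produce signatures that pass it. The defensive checks are in the signer (`sign_safe` draws k from a CSPRNG for every signature) and in an audit of issued signatures (`find_repeated_r`), which flags the problem from public data alone.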
 
Good news considering the only ROM that really looked interesting was CM7, and I can't have it on my X.. YET! If this does in fact change how devs make stuff for the Droid X, then I'm going to give it a try. Until then, I'll hang out with my stock ROM.
 
> Good news considering the only ROM that really looked interesting was CM7, and I can't have it on my X.. YET! If this does in fact change how devs make stuff for the Droid X, then I'm going to give it a try. Until then, I'll hang out with my stock ROM.

It's more of the principle of the matter. (Also, those of us who like cryptography find it fascinating for purely mathematics sake).
 
Woah Congrats. Hope cm7 comes soon for the moto users that have been waiting for so long!
 
I guess it's worth saying that while this is very cool for sure...we still don't know exactly what it will end up meaning.

Not trying to rain on the parade, but there hasn't been any indication from the CM team that this changes anything for the DX...at least not that I have seen. If that's not the case please correct me.

I would agree that this does make that more likely than it was yesterday morning though. But I'm not getting my hopes up until we see how this whole thing shakes out.
 
It's more hype for us to look forward to. The only credibility so far it has is that it is spreading like wildfire online and AC has an article about it. Time will tell.
 
> I guess it's worth saying that while this is very cool for sure...we still don't know exactly what it will end up meaning.
>
> Not trying to rain on the parade, but there hasn't been any indication from the CM team that this changes anything for the DX...at least not that I have seen. If that's not the case please correct me.
>
> I would agree that this does make that more likely than it was yesterday morning though. But I'm not getting my hopes up until we see how this whole thing shakes out.

We know what it means, what we don't know yet is what the devs will do with it.

We know that it is now possible for the Cyanogen team to bring their ROM over to the DX as they built it. Up until now, the only way we would have gotten it was if their ROM was separated from their kernel and built around the signed Moto kernel.

Whether or not Cyanogen does put out an official release remains to be announced/seen, but the probability went up immensely. One of the Cyanogen devs, cvpcs, has been saying for some time now that he wanted to bring some version of Cyanogen to the DX, and as I understand had actually been working on it. Now, the game has changed. It may no longer be just a side project for cvpcs, but it could be a supported CM device.

I could see Cyanogen steering away as they already have quite the wide coverage of devices, or they may stay away on principle, or even for fear of legal recourse. Only time will tell. The technical roadblock has been blown wide open. The question is no longer "can they do it," it's "will they do it?" I don't know about you, but I'd much rather be asking the second.
 
> I could see Cyanogen steering away as they already have quite the wide coverage of devices, or they may stay away on principle, or even for fear of legal recourse. Only time will tell. The technical roadblock has been blown wide open. The question is no longer "can they do it," it's "will they do it?" I don't know about you, but I'd much rather be asking the second.

And the legal thing was really the point I was trying to get at. We know MOTO has responded to this but I haven't seen that response yet. We also don't know how aggressive they'll go after folks who make use of this exploit.

Depending on how cracking the bootloader works in the end and how MOTO approaches the legal thing, this may not be something CM wants to get involved in. But I don't speak for them. Just an observation and trying to keep things in perspective is all.

I completely agree with your point about preferring to ask the "will they do it?" question. Things are better today for the DX community because of this. I can't argue with that.
 
There was a previous case, maybe Geohot v. Apple or Geohot v. Sony, that has set precedence, in our favor. This is my understanding, I haven't done my homework yet.

No matter how things go, I'm optimistic. And every time I read my signature I can laugh a little harder.

Edit:

Geohot v. Sony is currently on going over the PS3 hack. I don't know much about the Apple case.
 
This is good news for sure. It'll extend X life quite a bit

TBolt meatclaws via talktap
 
Shoot, this has implications for more than just the X. From my knowledge it's being used on the X, but it could work with any of Motorola's signed encrypted phones.
 
I'm going to wait and see, ha. Don't wanna get my hopes up too high just to be dashed. HA :p

If it happens I will consider it an early Christmas. Christmas in the spring!
 
Let's just hope this doesn't turn into a Sony vs Geohotz situation which then turned into Sony vs The World and all its inhabitants.
For those of you that don't know, a "hacker" from Jersey found a way past the PS3 keys and allowed installation of 3rd party software and the ability to read/write "pirated copies" of data, and then posted HOW TO on his site for the whole digital world to see. Sony then flexed their muscles and wanted IP addresses of everyone that went to Geo's site, deletion of all places that were hosting the info, etc. It's a big mess in gaming.
So the latest is Sony released update 3.60 (3.55 was the official jailbreak), which in turn, within a week, was jailbroken too. Many say Sony should face it: no matter what they do, someone out there is still going to find a way to get/do what they want. The adage of "I bought it, it's mine" sticks out as the main defense, similar to what we are going through with Moto and the CM7 ordeal.
So I guess overall, we could crack the locked boot loader, never tell anyone, and never install anything because of being able to unlock it. Then it would be OK in Moto's eyes. But really, they know that isn't what is going on. They know we are going to get what we want on our devices. So a rally cry would be...Hey Motorola, these are OUR devices! Or stay with stock set ups. To the owner goes the choice.