What’s been happening

Since the last post our team, Unrevoked, has managed to go through about 4 different manners in which to execute our exploit in order to find a safe and reliable way to accomplish the hack without giving away what we are doing. In the end, we released an update.zip payload that manages to S-OFF the device natively from the radio without needing to hack an hboot or do other dangerous things.

The XDA-Developers forum has gone downhill quite a bit; in less than 12 hours after our release post they managed to completely remove our thread due to “unrelated” posts from others in our thread instead of just cleaning them up. Of course this prompted me to ask some questions, which did/didn’t go over too well depending on how you look at it. Needless to say I have not posted at XDA since and don’t know if I ever will again. The other team members may pick up where I left off; that remains to be seen.

Attacking the new 2.2 release is proving difficult. While there might be a few things to look at here and there, HTC has considerably closed up the holes they became so good at handing to us. We will want to wait for the incredibly official release before anything specific comes out regardless.

GSM security off has proven much more difficult than the CDMA counterpart, and we currently have not released any support for S-OFF’ing those devices.

Posted in: News by shadowmite, 2 Comments

First S-OFF HBoot for the HTC Incredible has been created…

I’m not going to say more…
A picture is worth a thousand words…

Posted in: News by Shadowmite No Comments

Recovery reflash is out…

Well, we released the tool here, and already today we are adding a new device to support, the HTC Aria. Again rooted via the same recovery adbd race, they too can benefit from an easy way to get back in to flash ROMs at will. We will be adding a FAQ to the unrevoked site as well in order to answer some common questions about the process.

http://unrevoked.com/recovery/

In other news, we also still intend to push a method which will greatly simplify getting root on the newer secure devices using another kernel exploit. While it’s in progress and we have seen it work on desktop machines, and even the Android emulator, the phones remain resistant so far. Hopefully we will get this taken care of.

We also intend to release a full NAND unlock (as opposed to the temporary unlock we use to flash this recovery), which will manifest via an hboot flash. Being a much riskier thing, we are trying to cover ourselves completely before bricking devices testing this.

Posted in: News by shadowmite, 2 Comments

Recovery Reflash tool

So we managed to get NAND unlocked using some special magic and have written up a little recovery reflash tool for the Evo, Incredible, and Desire (if they help us test it), and should be releasing soon.

tease

Posted in: News by shadowmite, 3 Comments

Incredible root!

http://forum.xda-developers.com/showthread.php?t=699088

Posted in: News by shadowmite, 3 Comments

Evo root:

Check out our team’s release site:

http://www.unrevoked.com/

Posted in: News by shadowmite, 1 Comment

Slow and steady

We are slowly progressing through all possibilities on the Incredible root process. It’s just pretty decently well done, with no simple mistakes we could take advantage of like on the Evo. A kernel exploit may prove to be the only way here, and we do have progress toward that end, but we would like to find another way in. While I’d rather not point directly to what we are pursuing, I will point out what we know won’t work:

1) Previous exploits of course are long since patched. This is to be expected.

2) installd is pretty darn nicely done. I’ve spent a good while digging through it and I can tell ya it checks for directory traversals and uid/gid escalations, and drops privs before any shell work. In short, I don’t think we’re getting anywhere with this.

More to come…

Posted in: News by shadowmite, 4 Comments

Evo rooted, Incredible still awaits

So as most of you know, the Evo root has been found. No, I’m not going to disclose anything until the device is released or others from the team feel it’s time and release first. Basically we were working on a universal root method and got extremely lucky with the Evo having a nice entry point. It’s not going to work on other devices except for a few that already have root.

Posted in: News by shadowmite, 1 Comment

More updates

I guess I owe you guys another update about now. There are certainly several of us working on this at this point and we are starting to all come together on various ideas. Currently we have a few known bugs that need to be properly exploited, in addition to some other interesting tidbits we might use to get around partition security. Stay patient…

Posted in: News by shadowmite, 1 Comment

Android rooting status

Ok, so I haven’t updated on this in a while and figured I should. The exploit I was going after apparently didn’t exist; I missed the check which rendered that attack useless. The next attack is the fastboot vector mentioned elsewhere on the web the last several days. However, so far I don’t see where he got his data from about that being exploitable. I can’t find source code to anything but the client/PC-side app, and that obviously can’t tell us what the phone side does. Provided he’s right, we’d need to modify the PC app to send more than the safe limit and figure out where our code dumps to and how many bytes we have to work with.

There is also the potential to brute-force the RSA signing key with a distributed attack via BOINC. I haven’t looked too far into what key size they used, but if it’s within reason, that could be a good solution as well.

Posted in: News by shadowmite, 4 Comments