Root Porting ClockWorkMod to the Kyocera Rise

Just got an email from Kyocera and this is what they said:

Let me share with you a little piece of information that most of our customers do not know. The main reason why we don't provide the codes to unlock the bootloader of the phone is that we, as agents, don't have access to that information at all in our system, and the other main reason is that we only manufacture the phones based on what the service providers request the phone to be.

So, unfortunately I am not going to be able to assist you with the unlocking part for the bootloader on the phone.

How can we go about this with the bootloader if they don't have that type of info in their computers, or is it another runaround?

I also got an email from Kyocera earlier:
Thank you for contacting Kyocera Communications Inc. This message is in response to your email regarding the information about the bootloader unlock.

Let me share with you a little piece of information that most of our customers do not know. The main reason why we don't provide the codes to unlock the bootloader of the phone is that we, as agents, don't have access to that information at all in our system, and the other main reason is that we only manufacture the phones based on what the service providers request the phone to be.

So, unfortunately I am not going to be able to assist you with the unlocking part for the bootloader on the phone.

The service providers wouldn't request it to be locked (they probably think of other networks).

I'm gonna call and ask for the manager at some point. But honestly, the agents are liars in my opinion.
Remember, if you do try you could end up with a brick. And the extra security we can't even find in these phones. I wonder how these companies add security to these phones. If I knew how they did that then I could say something more on this. It's not like we can build a bootloader from the ground up and flash it with adb.
Well, we could build a bootloader, but it would take even longer than it would take to decompile the existing bootloader.

If somebody feels ballsy they could overwrite the bootloader partition with another bootloader and pray to the tech gods it somehow manages to start up. I'm running out of ideas.
It's been done, the phone was bricked. Not exactly sure why, probably because the bootloader is essentially split up onto different partitions, but only one partition was flashed.

I know how you feel. It's just the security that's the true problem. We have root and can do what we need it to do. We just need to find some way to decrypt the security, which no one has found yet.
We know where the security is, basically. It's in the bootloader. What's happening is the boot/recovery images are being checked against Kyocera's signing keys using RSA encryption. We could *possibly* decompile the bootloader enough to find said keys, but there is no guessing how long that would take. It could take a couple days if we got lucky, or it could take months of meticulous decompiling.

kman9637 said:
The service providers wouldn't request it to be locked (they probably think of other networks).

I'm gonna call and ask for the manager at some point. But honestly, the agents are liars in my opinion.
I'm not sure if you meant would or wouldn't, but the carriers do request it to be locked/not locked/encrypted/whatever. Either that, or they do it themselves.

mel4787 said:
I know. Seems to me that they don't want to give that type of power to us. Hmm, is there a way to build CWM to match the checks the bootloader goes through? I'm wondering about that.
Not that I'm aware of. I've heard of an exploit that causes the bootloader to skip the hash check when it loads the boot/recovery image, because there is a buffer overflow or something in the image header, and it then proceeds to boot normally. Not that we could really do that here in any case.
Well, I say build a bootloader that mimics the Kyocera bootloader. But how many partitions are in the bootloader? We may need to decompile that to find the keys. It might be the only way. Most of us have the patience for that. I know I am patient.

Like I said, it would be quicker to decompile the bootloader to extract whatever the bootloader is using to check the hash of the images. This process is difficult at best, and very time consuming. If we had the keys, we could sign custom images to our hearts' content. Of course, this is assuming it is possible to extract the hashing method from the bootloader through decompilation.
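The image-header hash check the last few posts describe, as an added example that is not from the thread or from Kyocera: a Python parser for the Android boot.img (v0) header that bounds-checks every size field before trusting it and recomputes the SHA-1 id the way mkbootimg does, which is the defensive shape of the check a header overflow would otherwise bypass. The sample image, its load addresses and the page-size policy are constructed here; the id is only an integrity field, not the RSA signature the posts mention, which is a separate vendor blob not covered.

```python
import hashlib
import struct

# Android boot.img v0 header: magic, ten u32 fields, name, cmdline, id.
HDR_FMT = "<8s10I16s512s32s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 608 bytes
MAGIC = b"ANDROID!"

def _pad(data: bytes, page: int) -> bytes:
    """Pad a blob with zeros up to the next page boundary."""
    return data + b"\0" * ((-len(data)) % page)

def boot_id(kernel: bytes, ramdisk: bytes, second: bytes) -> bytes:
    """SHA-1 'id' exactly as mkbootimg computes it: each blob, then its LE32 size."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")

def make_boot_img(kernel: bytes, ramdisk: bytes, page: int = 2048) -> bytes:
    """Constructed sample image: header page, then page-aligned kernel and ramdisk.
    Addresses and the 'rise' name are placeholders, not real device values."""
    hdr = struct.pack(HDR_FMT, MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                      0, 0x10F00000, 0x10000100, page, 0, 0, b"rise", b"console=null",
                      boot_id(kernel, ramdisk, b""))
    return _pad(hdr, page) + _pad(kernel, page) + _pad(ramdisk, page)

def check_boot_img(img: bytes) -> str:
    """Validate the header before using any size field, then verify the id."""
    if len(img) < HDR_LEN or img[:8] != MAGIC:
        return "bad magic"
    (_, ksz, _, rsz, _, ssz, _, _, page, _, _, _, _, hid) = struct.unpack(HDR_FMT, img[:HDR_LEN])
    if page < 2048 or page & (page - 1):  # assumed policy: power of two, >= 2048
        return "bad page size"
    off, blobs = page, []
    for sz in (ksz, rsz, ssz):
        # Every size must fit inside the file. An oversized kernel_size is what
        # makes a loader that trusts the header copy past its buffer.
        if sz > len(img) - off:
            return "size field exceeds image"
        blobs.append(img[off:off + sz])
        off += ((sz + page - 1) // page) * page
    if boot_id(*blobs) != hid:
        return "id mismatch"
    return "ok"
```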
Does anyone know what this file is?
http://dev.dtalley11.com/rbheromax/qcattest.crl

It is an SSL/TLS CRL (file type).

Edit: and yes, this is for the Kyocera Rise. It is hidden on the geotrust.com website.

I get a 404. Are you sure it's in your ~/share folder?

I have not had the time to read through everything, but from what I read there still seems to be a bit of misunderstanding, so I'll try and get everybody on the same page.

A. The bootloader is unlocked
Yes/No... it's "unlocked" on certain carriers' phones (the Sprint version for example) but not on others, and it's not even really unlocked; it just allows us to temporarily boot a boot image without the image ever touching the eMMC (right from USB to RAM).

B. X exploit will work? No? How about Y?
I doubt any known exploits will work, at least as they are. rbheromax has done a great deal of research on this and isn't just saying that we'd have to decompile the bootloader just to get RSA keys. This sort of thing is why workarounds are used. As soon as I get my 3rd Rise I'll get back into hacking it and see if I can get 2nd-init to work. To the end user who just wants CyanogenMod, they will not know the difference between 2nd-init and a truly unlocked bootloader.

That being said, it's awesome that you guys are hounding Kyocera on this, it's the best way to get the bootloader unlocked, and even if we get a workaround, an unlocked bootloader is always better. I bricked my 2nd Rise by flashing Sprint firmware to the VM Rise.

Oops, wrong link:

http://dev.dtalley11.com/rbheromax/qctattest.crl

And I'm looking to make something like Loki (but not Loki) for our devices. I skimmed through ALL the partitions you dumped and noticed quite a few are zeroed out. There has to be a reason for that. Also there isn't a fastboot function in aboot where it is supposed to be, so I think the no-fastboot thing is even deeper than we thought. The guy I was supposed to email, I somehow lost his email and he has been off the radar since late June. He holds several patents for Kyocera device specs?? and signed off on the bootloader. As soon as I can find the source Kyocera used (I'm very very close) to make the bootloader, I can read the clear text and make an exploit.

Let's hope he forgets about that NDA he signed as well, huh?

I've seen this qctattest.crl; I think I pulled it out of one of the partitions.
Is there any way to figure out how exactly it's checking the images from decompiling the bootloader? If so, would we be able to use that to our advantage?
Two questions:

1) I heard someone opened up their Rise. Is there anything in it that we can plug into to reinstall the stock firmware, and

2) About the build.prop: can you change the number on the Android OS to mimic a past OS, like changing 4.0.4 to 4.0.3 in the build.prop?

1. I didn't find anything. I mean, it might take a more trained eye than my own, but I highly doubt there was anything there.

2. You can, but it doesn't do much good, because the OS acts the same way regardless; it's just what it tells the users and tells other apps to expect (often messes a few things up).
Well, that sums that up. I asked the first question because of bricked devices. I've heard of JTAG and don't know if it could be used for anything besides returning to stock. Also, on other locked devices with security like this, how were they exploited? Is there a way to look at other devices and see things like that? How was CWM on other locked phones ported? What exploits on those were discovered?

These ideas we have been talking about practically the entire time did not come from thin air. Exploits are not the most documented thing about Android, but we've been trying to run through everything that has been done on other phones. Loki is currently the newest way that I know of which works with more than one device. If I were to explain every exploit used, it would be a very long thread of its own, even just the ones I know about.

Well, I have not been successful unbricking my Rises; if you find a way to do so, it will be news to me.