akillys
Member, Apr 1, 2010
Why can't developers or anyone make a flash ROM, like the 2.1 leaks, that would give us a different bootloader on a different ROM? If the leak could accomplish this, why can't a homebrew ROM?
 
The phone has a security feature in place to prevent this. Any ROM updates (like the leaks) must be digitally signed with HTC's private key. If even one byte changes from the original ROM, the signature is broken and the phone will refuse the update. Root was achieved through a special leaked engineering ROM that already had root privileges. Since this ROM was created by HTC, it had a valid signature.

Once root is achieved, the restrictions can be removed or bypassed.
 
I have no idea what I'm talking about, so bear with me, but is there a way to "reverse engineer" the signature from the root ROM? It sounds like a simple problem to an idiot like myself, but I figured there is some sort of secret dev lab slaving day and night to find a way.
 
1 + also, why can't someone create a ROM that would bypass the signature? Sorry if this is the same question I asked before; I'm new to this.
 
Also, another question I have is: could I update to the Froyo that is barely running, obtain root that way, and then switch ROMs so that the phone would then work?
 
akillys said:
I have no idea what I'm talking about, so bear with me, but is there a way to "reverse engineer" the signature from the root ROM? It sounds like a simple problem to an idiot like myself, but I figured there is some sort of secret dev lab slaving day and night to find a way.

In a word, No.

The RSA public key that is used for signing (see releasekey.x509.pem in /system/etc/security/otacerts.zip) is 2048 bits long.

A team cracked a 768-bit key, RSA-768, late last year - 18 years after the key was announced as part of RSA's RSA Factoring Challenge in 1991. They used the equivalent of more than 1500 CPU-years of computational power to achieve this result. Note that the keyspace of RSA-2048 is larger than that of RSA-768 by 2**1280, or 2.0e+385. We're talking timescales that defy imagination - vastly longer than the age of the universe.


akillys said:
1 + also, why can't someone create a ROM that would bypass the signature? Sorry if this is the same question I asked before; I'm new to this.

Well, to run that ROM, you would need to install it on the phone, wouldn't you? And the only way to "come through the front door" to get a ROM installed on the phone is for it to be signed correctly. See where this is going?

akillys said:
Also, another question I have is: could I update to the Froyo that is barely running, obtain root that way, and then switch ROMs so that the phone would then work?

See the answer to the previous question. If you have already owned the phone to the point that you can load whatever software you want on it, then what exactly would be the point of loading a non-rooted ROM so that you could attempt to root it? That's sort of like breaking into a house with an open window on the first floor, then locking everything up on the second floor, and going outside with a ladder to try and break in to the second floor - while the first floor is still unlocked. Huh?

eu1
 

With this in mind, what is hindering the progress on the leaker side of things? Is the protection hard-coded in the BIOS, looking for specific signatures for each progressive iteration? Since I am running V2, my BIOS should be reporting that I have a previous version and allow a signed upgrade, right?

I suppose a signature generator would be the ultimate weapon for combating the protection and give the developers unlimited power on the phone; however, I'm guessing no such thing has been leaked at this point.

It's curious to see Google, who has supposedly always been about transparent open-source projects, go to such great lengths to protect a phone from modification. Perhaps this is more a protection for the phone companies than it is for proprietary concern.
 
With this in mind, what is hindering the progress on the leaker side of things?

I don't know. All of the root development went sort of offline. Not exactly, but close - the devs seeking root started using IRC a long while back. That has advantages and disadvantages - the advantage being near real-time communication; the disadvantage being no cumulative record of what people tried and didn't try.

Look at the activity on XDA in the dev forum - it is largely centered on pushing out new ROM features. There are only so many Eris devs in the world, and if most of them are debugging applications to assemble new ROMs, they're not working on root for leakers.

Is the protection hard-coded in the BIOS, looking for specific signatures for each progressive iteration? Since I am running V2, my BIOS should be reporting that I have a previous version and allow a signed upgrade, right?

There are two separate hurdles that must be jumped to install a ROM using either a PB00IMG.ZIP method, or an update.zip method: version checking and signing. They appear to be independent from one another. (The public key shipped with the OTA updates is good until the year 2038, and is unlikely to be cracked, so there is very little need for them to change the encryption key with each release. Probably, however, HTC does use a different private key for each different phone so that a single key leak doesn't compromise their entire product portfolio. Easy enough to check, but I haven't done so.)

Version checking: Judging from the behavior that the bootloader (not BIOS) displays under a variety of successful and failed installation attempts, it appears that what is being checked is not the version of the bootloader. The evidence for this is that the MR1 PB00IMG.ZIP cannot be installed after a MR2 PB00IMG.ZIP has been installed - and they both use identical bootloaders, and identical NVRAM images. That seems to imply that the bootloader is inspecting contents of other partitions to determine whether or not "Main Version is Older!", or possibly something hidden in NVRAM. I don't think any of the devs have a good handle on exactly what is being checked here.

That's the version checking by the bootloader. When it comes to OTA or update.zip installations, a different method is used by the phone - the "mini Android" recovery partition boot is running in order to do the install, not the bootloader. This installation method is completely different from what the bootloader does with a PB00IMG.ZIP file. In that case, a script is running which explicitly checks versions of something - off the top of my head, I'm not sure if it checks the version of the recovery partition or the system partition. That script cannot be easily changed, because the payload that it comes from (the OTA zip file) is also protected by cryptographic signing methods.

I suppose a signature generator would be the ultimate weapon for combating the protection and give the developers unlimited power on the phone; however, I'm guessing no such thing has been leaked at this point.

It's called "jarsigner" and is available to anyone in the world by downloading Java. All the devs have it and you can have it too. That doesn't change the fact that you still have to have HTC's private key to sign arbitrary files so that they appear to have come from HTC. (And yes, you are correct that the bootloader stores - somewhere - a copy of HTC's public key so that it can check signatures. There's nothing secret about a public key - that's why it is called a "public" key.)


It's curious to see Google, who has supposedly always been about transparent open-source projects, go to such great lengths to protect a phone from modification. Perhaps this is more a protection for the phone companies than it is for proprietary concern.

They are trying to protect developers who invest their lives and money in making Android a better place to work and play. Having rooted phones allows people to steal applications and circumvent Android Market policy mechanisms. To a lesser extent, having folks screw up their phones and then run to Verizon for remediation is a real cost to Verizon - look at the number of posts on this very board where folks suggest defrauding their insurance carrier (or Verizon) in order to resolve mistakes they made.

Google is only trying to create a successful marketplace - a place where ideas are tested for their worth, and both the sellers and buyers obtain value.

It is a misperception that Android is open-source. Bits and pieces of it are, and - to their credit, they are leaps and bounds ahead of any competitor in this regard - but it's not really an open-source system. What Android/Google did was to shield themselves from lawsuits by only incorporating BSD- or Apache-style licenses in code they grabbed from other people. They did as much as they possibly could to avoid GPL-style licenses. They even created their own Java-like runtime engine (Dalvik); I suppose they did that to avoid licensing issues with Sun, but there might have been technical issues, too.

The only place they couldn't avoid the GPL was with the Linux kernel. That's why when HTC releases code, the only thing they release code for is the kernel - not any of the apps, not any of the system libraries, not any of the native applications, not any of the device drivers. And the bootloader is HTC's, not Google's.


eu1
 
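Added example, not code from this thread, from HTC or from Android: a Go model of the two hurdles eu1 describes above (signature check, then version check) that also shows the earlier point that changing a single byte breaks the signature. It uses Go's standard-library RSA-PKCS#1 v1.5 over SHA-256; the payload layout (a 4-byte version header followed by the image), the version rule and the error strings are constructed assumptions, not the real update.zip format or HTC's version script. The `homebrew` key plays the role of a developer's own key, which the device's baked-in public key will never accept.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a signed OTA package: a payload
// (4-byte big-endian version followed by the image bytes) plus an
// RSA-PKCS#1 v1.5 signature over SHA-256(payload).
type Update struct {
	Payload []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("signature check failed: refusing update")
	ErrOlderVersion = errors.New("Main Version is Older!")
	ErrMalformed    = errors.New("payload too short to carry a version")
)

// MakeUpdate plays the vendor's role: it builds the payload and signs it with
// the vendor's private key (the key a homebrew ROM author does not have).
func MakeUpdate(priv *rsa.PrivateKey, version uint32, image []byte) (Update, error) {
	payload := make([]byte, 4+len(image))
	binary.BigEndian.PutUint32(payload, version)
	copy(payload[4:], image)
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Update{}, err
	}
	return Update{Payload: payload, Sig: sig}, nil
}

// Install plays the phone's role. Hurdle 1: the signature must verify under
// the vendor public key baked into the device. Hurdle 2: the version carried
// in the (now authenticated) payload must not be older than what is
// installed. It returns the version that is installed afterwards.
func Install(pub *rsa.PublicKey, installed uint32, u Update) (uint32, error) {
	digest := sha256.Sum256(u.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], u.Sig); err != nil {
		return installed, ErrBadSignature
	}
	if len(u.Payload) < 4 {
		return installed, ErrMalformed
	}
	v := binary.BigEndian.Uint32(u.Payload[:4])
	if v < installed {
		return installed, ErrOlderVersion
	}
	return v, nil
}

// Tamper returns a copy of the update with one payload byte flipped, to show
// that any change at all invalidates the existing signature.
func Tamper(u Update, offset int) Update {
	p := append([]byte(nil), u.Payload...)
	p[offset] ^= 0x01
	return Update{Payload: p, Sig: u.Sig}
}

func main() {
	vendor, _ := rsa.GenerateKey(rand.Reader, 2048)   // stands in for HTC's key
	homebrew, _ := rsa.GenerateKey(rand.Reader, 2048) // a developer's own key
	image := []byte("constructed ROM image bytes")    // constructed sample image

	v2, _ := MakeUpdate(vendor, 2, image)
	installed, err := Install(&vendor.PublicKey, 1, v2)
	fmt.Println("genuine v2 onto v1:", installed, err)

	_, err = Install(&vendor.PublicKey, installed, Tamper(v2, 10))
	fmt.Println("one byte changed:", err)

	own, _ := MakeUpdate(homebrew, 3, image)
	_, err = Install(&vendor.PublicKey, installed, own)
	fmt.Println("signed with the wrong key:", err)

	v1, _ := MakeUpdate(vendor, 1, image)
	_, err = Install(&vendor.PublicKey, installed, v1)
	fmt.Println("genuine but older:", err)
}
```

The order of the two checks matters: the version field is only trusted after the signature has been verified, so an attacker cannot use the version header to steer the check, and a genuine but older image (the MR1-after-MR2 case eu1 describes) still fails on the second hurdle even though it passes the first.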
The only way to bypass the security without having the keys is to hardware-hijack the phone by putting something in place that allows you to use any key.

Ideally you would be able to plug in via the USB connection and, when you power the phone on, it hijacks the security system. More likely, however, you will need to install a chip in line to bypass and tell the phone to accept whatever you are handing it.
 
/sigh, I'm almost ready to stop coming to these forums anymore. The only reason I do is to check up on any possible ROOT status. I have v3, and I don't experience a single issue that has been posted by others on here. So, it looks like I am forever stuck with v3. And, yes, I understand it's my own fault, hence the reason I refuse to defraud Verizon by claiming my phone is defective just so I can get a new one that can be ROOTed.

However, to the person who does figure out how to ROOT the leaked versions, I will donate to them immediately. I just don't keep my hopes up considering what I hear is that almost no one is bothering to work on trying to ROOT the Eris anymore. May it go down as one of the few phones that was never officially ROOTed since the current ROOT method is done by a ROM with ROOT access that was just handed to the public.