Mike Szczys · Apr 11, 2013 at 07:00 pm

Bootloader Unlock for the Atrix HD, Razr HD, and Razr M

Dan Rosenberg (a.k.a. XDA Recognized Developer djrbliss) gets the credit for finding exploits on a lot of devices, and now you can add to it the line of Motorola units that use the Qualcomm MSM8960 chipset. There are currently three models included in this category, the Atrix HD, Razr HD, and Razr M. They’re based on the processor marketed as the Qualcomm Snapdragon, and they’re hiding some interesting tricks that may eventually keep users from loading their own ROMs. Dan’s investigation did lead to an exploit, but I find some of the pseudocode he authored based on the disassembly an interesting look at what the future might bring from Motorola.

Dan’s article is posted over at the Azimuth Security blog. In it, he starts by covering an online bootloader unlocking tool provided by Motorola that allows you to upload a blob generated with fastboot on your handset. It returns an unlock key, which is then applied with fastboot in the same fashion. Great, if you have a developer version of the hardware. If not, you’re out of luck, because this chipset includes internal fuses which, once blown, can never be reset. One of the QFuses is blown on every user model to differentiate it from an otherwise identical developer version.

The most interesting part about this is what Dan uncovered when disassembling the parts of a leaked Atrix HD update that pertain to these fuses. Luckily he rebuilt the program as pseudocode that is readable by the non-assembly-guru crowd. In addition to a fuse for the developer edition and one to signify that the bootloader is unlocked, he discovered a rather sinister flag, which he labels is_unlocking_allowed() in his pseudocode. He thinks that once burnt, that fuse will never allow the ‘bootloader unlocked’ QFuse to be burned, something that would have prevented all exploits, including the one he eventually found. Dan is fairly certain that the units Motorola is shipping now do not have that QFuse blown.

At this point Dan started looking at how the official unlock method manages to write to the ‘bootloader unlocked’ fuse. It turns out that the ARM kernel is doing the work, which brings us to a familiar package: the TrustZone kernel running inside the ARM core. XDA Elite Recognized Developer Adam Outler wrote a terrific post covering TrustZone earlier in the year that will help fill you in on the role that TZ plays in the chain of trust. Having already worked with the kernel many times, Dan was able to quickly find an arbitrary memory write, which he used to clear the global flag preventing writes to the bootloader unlock QFuse location. He posted the details for those who don’t mind getting their hands dirty.
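To make the fuse semantics concrete, here is an added C model written for this write-up (it is not Dan Rosenberg's reconstructed pseudocode, and the fuse names, bit positions and the shape of is_unlocking_allowed() are assumptions). It contrasts an unlock gate rooted in one-time-programmable fuses with one rooted in a writable kernel flag, which is the difference the article's exploit turns on.

```c
/* Added model of the QFuse-gated unlock policy described above. It is not Dan
 * Rosenberg's reconstructed pseudocode; the fuse names, bit positions and the
 * shape of is_unlocking_allowed() are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One-time-programmable fuse bits (blown = 1, never cleared): developer-edition
 * hardware, bootloader unlocked, and the unlock-forbidden fuse from the article. */
enum { FUSE_DEV_EDITION = 1u << 0, FUSE_BL_UNLOCKED = 1u << 1, FUSE_NO_UNLOCK = 1u << 2 };
typedef struct { uint32_t fuses; } qfuse_t;
/* Blowing only ever sets bits; nothing here can clear one. */
static void blow_fuse(qfuse_t *f, uint32_t bit) { f->fuses |= bit; }
static bool fuse_blown(const qfuse_t *f, uint32_t bit) { return (f->fuses & bit) != 0; }
static bool is_unlocking_allowed(const qfuse_t *f) { return !fuse_blown(f, FUSE_NO_UNLOCK); }
/* Gate rooted in fuse state: no RAM write can change the decision. */
static bool burn_unlock_fuse_hw(qfuse_t *f) {
    if (!is_unlocking_allowed(f)) return false;
    blow_fuse(f, FUSE_BL_UNLOCKED);
    return true;
}
/* Gate rooted in a writable global, like the flag the article describes:
 * an arbitrary write in the privileged kernel is enough to flip it. */
static bool g_unlock_write_blocked = true;
static bool burn_unlock_fuse_sw(qfuse_t *f) {
    if (g_unlock_write_blocked) return false;
    blow_fuse(f, FUSE_BL_UNLOCKED);
    return true;
}

/* True when the no-unlock fuse, once blown, permanently blocks the unlock fuse. */
static bool scenario_fuse_gate(void) {
    qfuse_t dev = {0}, locked = {0};
    bool fresh_ok = burn_unlock_fuse_hw(&dev) && fuse_blown(&dev, FUSE_BL_UNLOCKED);
    blow_fuse(&locked, FUSE_NO_UNLOCK);
    return fresh_ok && !burn_unlock_fuse_hw(&locked) && !fuse_blown(&locked, FUSE_BL_UNLOCKED);
}

/* True when one write to the RAM flag turns "blocked" into a burned unlock fuse. */
static bool scenario_ram_gate(void) {
    qfuse_t dev = {0};
    bool blocked = !burn_unlock_fuse_sw(&dev);
    g_unlock_write_blocked = false; /* models the effect of a single memory write */
    return blocked && burn_unlock_fuse_sw(&dev) && fuse_blown(&dev, FUSE_BL_UNLOCKED);
}

int main(void) {
    printf("fuse-rooted gate holds: %d\n", scenario_fuse_gate());
    printf("RAM-flag gate bypassed by one write: %d\n", scenario_ram_gate());
}
```

The second scenario is why a check that lives in mutable kernel memory is only as strong as the kernel protecting it, whereas the fuse-rooted check cannot be undone by any software write.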
