Slashdot Mirror


Method Found To Unlock Qualcomm Based Motorola Phones

FlatEric521 writes "In a blog post over at Azimuth Security, Dan Rosenberg explains how certain models of Motorola Android phones based on the Qualcomm MSM8960 chipset (including the Atrix HD, Razr HD, and Razr M) can be permanently unlocked. He writes, 'I will present my findings, which include details of how to exploit a vulnerability in the Motorola TrustZone kernel to permanently unlock the bootloaders on these phones.'" It's a long read, but interesting.

21 comments

  1. gg by Anonymous Coward · · Score: 0

    It's a long read, but interesting

    Half right.

    1. Re:gg by Anonymous Coward · · Score: 0

      Agreed, it's not long.

  2. "Still, it is very neat." by Impy the Impiuos Imp · · Score: 2

    Thank god for freedom of speech. I can't blame companies for trying, but sometimes getting government in as "partners" to stop knowledge and analysis of technical issues gets a little close to the edge.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

    1. Re:"Still, it is very neat." by drinkypoo · · Score: 1

      I can't blame companies for trying,

      Nor can I. A corporation is a legal fiction. I blame the humans, mostly the management, but also the stooges who carry out their evil orders.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  3. Interesting, could influence my next phone purchas by SpaceManFlip · · Score: 1

    I half-read that article, but it was interesting about the QFuses and stuff. Could not for certain decipher if he's exactly talking about a carrier unlock or OS / jailbreak kind of unlock or both. My current phone has both, but its hardware is gradually failing.....

    Operator needs more sleep this Monderp to comprehend

  4. Re:Interesting, could influence my next phone purc by jonwil · · Score: 3, Informative

    It's a bootloader unlock to let you run custom kernels and stuff.

  5. Re:Interesting, could influence my next phone purc by Anonymous Coward · · Score: 1

    Bootloader unlocking using a hardfuse attack; the only unlock that is more powerful is the recovery of the bootloader signing keys.

  6. Cool exploit by Anonymous Coward · · Score: 1

    Pretty naive memory copy algorithm from Qualcomm, however, especially since that code only runs with high privileges by design.

    1. Re:Cool exploit by viperidaenz · · Score: 1

      Maybe it was naive on purpose. They get a pat on the back from the carriers and such for locked boot loaders. They get a surge in sales when it's eventually hacked and people buy the phone to load their own firmware.

    2. Re:Cool exploit by phantomfive · · Score: 2

      Really, there aren't very many companies that take security seriously. With Qualcomm, you'd be much better to vote for incompetence rather than malice.

      --
      "First they came for the slanderers and I said nothing."

    3. Re:Cool exploit by Anonymous Coward · · Score: 4, Informative

      Moto allows you to unlock the bootloader *on their consumer devices*. You just need to officially void the warranty at their site (which makes sense since it is so common to brick your device, unintentionally).

      The only case where consumer devices cannot be unlocked is *when the carrier specifically requests this from Moto*. (I.e. the Droid branded versions that Verizon uses).

      This exploit is technically interesting, but not necessary for most Moto devices.

    4. Re:Cool exploit by kwark · · Score: 2

      "which makes sense since it is so common to brick your device, unintentionally"

      I've only had about 6 Android devices so far, all ran modded firmware and all (except a Desire Z) had a (pre)bootloader smart enough to recover the device from my mistakes (like flashing the wrong or a corrupt recovery image). The Desire Z was fixed by flashing the engineering bootloader to get fastboot support.

    5. Re:Cool exploit by Anonymous Coward · · Score: 1

      Indeed, most of the 'brickings' I referred to are not, in fact, brickings, but overzealous, undercompetent types who get frustrated after screwing something up, and end up turning in the device for [warranty] service.

    6. Re: Cool exploit by Anonymous Coward · · Score: 0

      I think the memory exploit was found in the Motorola code not the Qualcomm code.

  7. Thank you, sweet ${deity} by Miamicanes · · Score: 3, Funny

    Finally, I can pull my Photon out of the drawer I threw it into in a fit of rage almost a year ago, and let it have the useful Android afterlife denied to it by Motorola. The evil bastards at Moto gimped that poor phone so badly, it couldn't run ADK (despite theoretically having a sufficiently-new kernel... they went out of their way to exclude ADK support from the kernel), and somehow managed to even have Issues(tm) with IOIO, which is probably the most compatible ADB-based hardware/io bridge you can GET for Android.

    Motorola ruined it as a phone, but maybe it can at least be useful now as an embedded hardware controller with touchscreen and full complement of sensors. The sad thing is, had the MoPho been an open phone called the "Nexus M", I would have totally loved it, and lots of us would think Motorola was an awesome company instead of regarding them as the spawn of Satan, sitting at the right hand of Steve Jobs and playing footsie with Steve Ballmer under the table at a dinner party hosted by Verizon. ;-)

    1. Re:Thank you, sweet ${deity} by Miamicanes · · Score: 1

      Whoops... it looks like the celebration might have been a bit premature, and the Photon/Electrify/Atrix2 might still be firmly under Motorola's evil thumb. Unless, of course, THIS exploit ends up inspiring the discovery of something similar on the Tegra2 phones (which, AFAIK, *are* built around the MSM 8960 baseband chips, though apparently not in quite the same way as the phones in the referenced article).

  8. Method!? by Dahamma · · Score: 0

    Frankly I'm surprised Method found the unlock. I always thought Redman was the brains of that group.

  9. Re:Interesting, could influence my next phone purc by petermgreen · · Score: 1

    This lets you unlock the bootloader so you can boot a firmware image with a custom kernel. From my reading of the article it seems like you already need to have obtained the ability to load kernel modules somehow before you can use this.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

  10. Re:Interesting, could influence my next phone purc by Anonymous Coward · · Score: 0

    No, you cannot state that using only the article, as it makes no such statement; it only states that he used the source to understand the Secure Monitor Calling convention. But I did check in the ARM11 technical reference manual, and just as you said, it must be in a kernel module, as the processor must be in a privileged mode to execute that instruction.

  11. Re:Interesting, could influence my next phone purc by petermgreen · · Score: 1

    From TFA

    "The Non-secure world may issue requests to the Secure world using the privileged SMC instruction."

    Privileged in this kind of context generally means "not available to regular user mode code".

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register