[Development] Huawei Y541-U02 | Bootloader Security
(03-12-2016, 08:15 AM) techyzen101
Quoting (03-12-2016, 04:28 AM) anil dasari: Will this work in Indian devices?
Sent from my Elite Plus using Hovatek mobile
I am not sure, so please create a backup first. I will post the dumping/backup guide soon.
And I advise that you update to B116 after backing up.
(06-02-2017, 05:21 PM) anil: What is meant by that?
Sent from my Elite Plus using Hovatek mobile
(07-02-2017, 04:15 AM) Skyjohn5510
Quoting (06-02-2017, 05:21 PM) anil: What is meant by that?
Sent from my Elite Plus using Hovatek mobile
From the u-boot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.
When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-ROM named rsa_modpow. This function takes 3 arguments instead of the 2 which the regular RSA modpow does (at least from what I found on Google), to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-ROM. The hash seems to be SHA1. I haven't reversed the u-boot of my phone yet; this information is just what I guessed by reading the source code on GitHub.
Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.
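To make the trust question in the post concrete, here is an added Python model (not Spreadtrum's or Huawei's code, and not taken from the sprd_project tree) of the two verifier designs: one that takes the RSA key from the image header as the post describes, and one that first checks that header key against a digest pinned in ROM/OTP. The header layout, the SHA1 hash, the three-argument `rsa_modpow` name and the key-digest format are assumptions following the post, and the keys are constructed toy RSA keys built from Mersenne primes so the example runs reproducibly.

```python
import hashlib

E = 65537  # public exponent of the toy keys; not the SoC's real parameters

def toy_key(p, q):
    # RSA pair (n, d) from two known primes; Mersenne primes keep the toy reproducible
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys: the "vendor" key the ROM was built for and a second, unrelated key
VENDOR_N, VENDOR_D = toy_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = toy_key(2**107 - 1, 2**61 - 1)

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def key_digest(n):
    # digest of the public modulus: the value a ROM/OTP would pin (constructed format)
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def sign_image(image, n, d):
    # header = key + "RSA-encrypted" SHA1 of the image, the layout the post describes
    return {"n": n, "sig": pow(sha1_int(image), d, n)}

def rsa_modpow(sig, e, n):
    # stands in for the three-argument i-ROM primitive named in the post
    return pow(sig, e, n)

def verify_header_only(image, hdr):
    # trusts whatever key the header supplies, so whoever writes the header picks the key
    return rsa_modpow(hdr["sig"], E, hdr["n"]) == sha1_int(image)

def verify_pinned(image, hdr, pinned):
    # same check, but the header key must first match the digest burned into ROM/OTP
    return key_digest(hdr["n"]) == pinned and verify_header_only(image, hdr)

def demo():
    pinned = key_digest(VENDOR_N)                 # what the ROM would hold
    image = b"constructed u-boot image bytes"
    good = sign_image(image, VENDOR_N, VENDOR_D)
    other = sign_image(image, OTHER_N, OTHER_D)   # same image, key the ROM never saw
    return {
        "vendor key, header-only": verify_header_only(image, good),
        "vendor key, pinned": verify_pinned(image, good, pinned),
        "other key, header-only": verify_header_only(image, other),
        "other key, pinned": verify_pinned(image, other, pinned),
        "tampered image, pinned": verify_pinned(image + b"!", good, pinned),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'accepted' if ok else 'rejected'}")
```

The header-only verifier accepts an image signed with any key that is shipped alongside it, so the signature check only proves the header is self-consistent; the pinned variant is what ties the check to a key the chip actually trusts.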
(14-02-2017, 11:54 PM) techyzen101
Quoting (07-02-2017, 04:15 AM) Skyjohn5510: From the u-boot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.
When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-ROM named rsa_modpow. This function takes 3 arguments instead of the 2 which the regular RSA modpow does (at least from what I found on Google), to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-ROM. The hash seems to be SHA1. I haven't reversed the u-boot of my phone yet; this information is just what I guessed by reading the source code on GitHub.
Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.
Interesting find! I couldn't go anywhere with the source code as I've been busy.
Although our problem now is whether Spreadtrum bothered changing the source code these past few years, because the one hosted on GitHub is quite old.
(Heck, if they did, Huawei probably just threw the source away once there were enough binaries made for each country-specific device.)
I contacted Huawei a couple of times and they don't really offer much help other than bootloader codes for OEM unlock, which our device doesn't even need, because it's already unlocked and accepts flashing.
I've tried exploiting applypatch but yeah that did not go anywhere.
Update zip resigning, worked, well partially, but I'm not going through that again.
Reverse engineering it is.
Sent from my HUAWEI Y541-U02 using the Hovatek Forum App
(15-02-2017, 08:39 PM) anil dasari: Please port a similar kind of latest ROM to this device; that is enough.
Sent from my V502830 using Hovatek mobile
(16-02-2017, 12:59 AM) techyzen101
Quoting (15-02-2017, 08:39 PM) anil dasari: Please port a similar kind of latest ROM to this device; that is enough.
Sent from my V502830 using Hovatek mobile
It's not that easy, as our device doesn't freely accept any ROM that isn't based on stock right now.
So nothing will boot; even ports from famous ROMs won't work.
Let's look forward to what John can come up with.
Sent from my HUAWEI Y541-U02 using the Hovatek Forum App