[Development] Huawei Y541-U02 | Bootloader Security

anil dasari
Senior Member
137
20-12-2016, 06:04 AM
#11



(03-12-2016, 08:15 AM)techyzen101
(03-12-2016, 04:28 AM)anil dasari Will this work on Indian devices?

Sent from my Elite Plus using Hovatek mobile

I am not sure, so please create a backup first. I will post the dumping/backup guide soon.

And I advise that you update to B116 after backing up.

Presently my device build number is 108 only. Recently I tried to flash 114, but it got stuck at the Honor logo, and I came to know that the 114 build is not for Indian devices.

Sent from my Elite Plus using Hovatek mobile
anil dasari
Senior Member
137
22-12-2016, 04:22 AM
#12
Please check: the Micromax Q370 has a similar kind of configuration. Can we flash this on our device?

Sent from my Elite Plus using Hovatek mobile
Skyjohn5510
Newbie
2
06-02-2017, 06:28 AM
#13
I have also been playing around with the sprd secureflag mechanism; I was doing it on a Huawei T1 7.0. It seems that the function that produces the encrypted hash is inside the on-chip ROM.
anil dasari
Senior Member
137
06-02-2017, 05:21 PM
#14
(06-02-2017, 06:28 AM)Skyjohn5510 I have also been playing around with the sprd secureflag mechanism; I was doing it on a Huawei T1 7.0. It seems that the function that produces the encrypted hash is inside the on-chip ROM.

What is meant by that?

Sent from my Elite Plus using Hovatek mobile
Skyjohn5510
Newbie
2
07-02-2017, 04:15 AM
#15



(06-02-2017, 05:21 PM)anil What is meant by that?

Sent from my Elite Plus using Hovatek mobile

From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow takes, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.
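
Added example, not part of Skyjohn5510's post and not taken from the sprd source: a toy Python model of the check described in post #15 (key and RSA-signed SHA-1 both read from the image header), next to a variant that first matches the header key against a fingerprint stored outside the image. The keys, the dictionary "header" layout, the function names and the pinned-fingerprint step are all constructed for illustration, and the RSA is unpadded textbook RSA; whether the real i-rom anchors the key is not stated in the thread.

```python
import hashlib

E = 65537  # public exponent shared by both constructed toy keys

def make_key(p, q):
    """Return (n, d) for a toy RSA key built from two known primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign_image(payload, n, d):
    """Constructed 'image': the header carries the modulus and the signed SHA-1."""
    return {"n": n, "sig": pow(sha1_int(payload), d, n), "payload": payload}

def key_fingerprint(n):
    """Digest of the public modulus: the value a device would keep off-image."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()

def verify_header_key_only(image):
    """Check as described in the post: key and signed hash both come from the header."""
    return pow(image["sig"], E, image["n"]) == sha1_int(image["payload"])

def verify_pinned(image, pinned_fp):
    """Same check, but the header key must first match the stored fingerprint."""
    if key_fingerprint(image["n"]) != pinned_fp:
        return False
    return verify_header_key_only(image)

# Constructed keys from Mersenne primes (toy sizes, not real vendor keys).
VENDOR_N, VENDOR_D = make_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)
PINNED_FP = key_fingerprint(VENDOR_N)  # assumption: provisioned in fuses/ROM

def demo():
    vendor = sign_image(b"stock bootloader (constructed)", VENDOR_N, VENDOR_D)
    other = sign_image(b"image signed with a different key", OTHER_N, OTHER_D)
    tampered = dict(vendor, payload=b"stock bootloader (modified)")
    images = (vendor, other, tampered)
    return {
        "header_only": [verify_header_key_only(i) for i in images],
        "pinned": [verify_pinned(i, PINNED_FP) for i in images],
    }

if __name__ == "__main__":
    print(demo())
```

The header-only check still rejects a modified payload, but it accepts any image whose header is self-consistent; only the pinned variant ties the image to one specific key.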
anil dasari
Senior Member
137
07-02-2017, 04:45 AM
#16
(07-02-2017, 04:15 AM)Skyjohn5510
(06-02-2017, 05:21 PM)anil What is meant by that?

Sent from my Elite Plus using Hovatek mobile

From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow takes, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.

I think you are working on this seriously. Keep going and provide the ROM ASAP.

Sent from my Elite Plus using Hovatek mobile
techyzen101
Junior Member
37
14-02-2017, 11:54 PM
#17
(07-02-2017, 04:15 AM)Skyjohn5510 From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow takes, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.

Interesting find! I couldn't go anywhere with the source code as I've been busy.

Although, our problem now is if Spreadtrum bothered changing the source code these past few years, 'cause the one hosted on GitHub is quite old.

(Heck, if they did, Huawei probably just threw the source away once there were enough binaries made for each country-specific device.)

I contacted Huawei a couple of times and they don't really offer much help other than bootloader codes for OEM unlock, which our device doesn't even need, 'cause it's already unlocked and accepts flashing.

I've tried exploiting applypatch but yeah that did not go anywhere.

Update zip resigning worked, well, partially, but I'm not going through that again.

Reverse engineering it is.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App
This post was last modified: 15-02-2017, 12:08 AM by techyzen101.
anil dasari
Senior Member
137
15-02-2017, 08:39 PM
#18
(14-02-2017, 11:54 PM)techyzen101
(07-02-2017, 04:15 AM)Skyjohn5510 From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow takes, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we could just use our own key to encrypt the hash to make our own bootloader valid.

Interesting find! I couldn't go anywhere with the source code as I've been busy.

Although, our problem now is if Spreadtrum bothered changing the source code these past few years, 'cause the one hosted on GitHub is quite old.

(Heck, if they did, Huawei probably just threw the source away once there were enough binaries made for each country-specific device.)

I contacted Huawei a couple of times and they don't really offer much help other than bootloader codes for OEM unlock, which our device doesn't even need, 'cause it's already unlocked and accepts flashing.

I've tried exploiting applypatch but yeah that did not go anywhere.

Update zip resigning worked, well, partially, but I'm not going through that again.

Reverse engineering it is.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App

Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile
techyzen101
Junior Member
37
16-02-2017, 12:59 AM
#19
(15-02-2017, 08:39 PM)anil dasari Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile

It's not that easy, as our device doesn't freely accept any ROM that isn't based on stock right now.

So nothing will boot; even ports from famous ROMs won't work.

Let's look forward to what John can come up with.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App
anil dasari
Senior Member
137
17-02-2017, 08:26 AM
#20



(16-02-2017, 12:59 AM)techyzen101
(15-02-2017, 08:39 PM)anil dasari Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile

It's not that easy, as our device doesn't freely accept any ROM that isn't based on stock right now.

So nothing will boot; even ports from famous ROMs won't work.

Let's look forward to what John can come up with.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App

http://forum.gsmhosting.com/vbb/f929/hua...y-2190880/ Bootloader unlocking guide; I got this from some other forum. Check whether it is working or not.

Sent from my V502830 using Hovatek mobile