
Huawei Y5C/Y541-U02/Honor Bee Bootloader Security

#11

(12-03-2016, 08:15 AM)techyzen101 Wrote:
(12-03-2016, 04:28 AM)anil dasari Wrote: Will this work in Indian devices

Sent from my Elite Plus using Hovatek mobile

I am not sure, so please create a backup first. I will post the dumping/backup guide soon.

And I advise that you update to B116 after backing up.

Presently my device build no. is 108 only. Recently I tried to flash 114 but it was stuck at the Honor logo, and I came to know that the 114 build is not for Indian devices.

Sent from my Elite Plus using Hovatek mobile


Reply
#12
Please check: the Micromax Q370 has a similar kind of configuration. Can we flash this on our device?

Sent from my Elite Plus using Hovatek mobile
Reply
#13
I have also been playing around with the sprd secureflag mechanism; I was doing it on a Huawei T1 7.0. It seems that the function that produces the encrypted hash is inside the on-chip ROM.
Reply
#14
(02-06-2017, 06:28 AM)Skyjohn5510 Wrote: I have also been playing around with the sprd secureflag mechanism; I was doing it on a Huawei T1 7.0. It seems that the function that produces the encrypted hash is inside the on-chip ROM.

What is meant by that?

Sent from my Elite Plus using Hovatek mobile
Reply
#15
(02-06-2017, 05:21 PM)anil Wrote: What is meant by that?

Sent from my Elite Plus using Hovatek mobile

From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow does, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we can just use our own key to encrypt the hash to make our own bootloader valid.
Reply
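The design question raised in the post above, as an added example that is not part of the thread or of the Spreadtrum source: a verifier that takes the public key from the same header as the signature only proves the header is self-consistent, while one that first checks the key against a digest fixed in ROM or fuses also proves origin. The header layout, function names and toy keys are constructed assumptions; real boot ROMs use padded RSA with full-size keys.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy RSA key from two known Mersenne primes (constructed; far too small for real use)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign_image(payload, n, d):
    """Constructed image: the header carries the public modulus next to the signature."""
    return {"n": n, "sig": pow(sha1_int(payload), d, n), "payload": payload}

def key_digest(n):
    """Digest of the public key, standing in for a value fixed in ROM or fuses."""
    return hashlib.sha256(n.to_bytes(32, "big")).digest()

def verify_unanchored(img):
    """Trusts whatever key the header supplies: proves consistency, not origin."""
    return pow(img["sig"], E, img["n"]) == sha1_int(img["payload"])

def verify_anchored(img, trusted_digest):
    """Rejects a header key whose digest is not the provisioned one, then checks the signature."""
    return key_digest(img["n"]) == trusted_digest and verify_unanchored(img)

def demo():
    vendor_n, vendor_d = make_key(2**127 - 1, 2**89 - 1)
    other_n, other_d = make_key(2**107 - 1, 2**61 - 1)
    trusted = key_digest(vendor_n)  # what the device would have provisioned
    good = sign_image(b"stock bootloader", vendor_n, vendor_d)
    foreign = sign_image(b"other bootloader", other_n, other_d)
    tampered = dict(good, payload=b"stock bootloader, modified")
    images = [("good", good), ("foreign", foreign), ("tampered", tampered)]
    # For each image: (unanchored result, anchored result)
    return {name: (verify_unanchored(i), verify_anchored(i, trusted)) for name, i in images}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Whether a given device anchors the header key this way is exactly what reading the boot ROM or bootloader code would have to establish.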
#16
(02-07-2017, 04:15 AM)Skyjohn5510 Wrote:
(02-06-2017, 05:21 PM)anil Wrote: What is meant by that?

Sent from my Elite Plus using Hovatek mobile

From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow does, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we can just use our own key to encrypt the hash to make our own bootloader valid.

I think you are working on this seriously. Keep going and provide the ROM ASAP.

Sent from my Elite Plus using Hovatek mobile
Reply
#17
(This post was last modified: 02-15-2017, 12:08 AM by techyzen101. )
(02-07-2017, 04:15 AM)Skyjohn5510 Wrote: From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow does, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we can just use our own key to encrypt the hash to make our own bootloader valid.

Interesting find! I couldn't go anywhere with the source code as I've been busy.

Although, our problem now is if Spreadtrum bothered changing the source code these past few years, 'cause the one hosted on GitHub is quite old.

(Heck, if they did, Huawei probably just threw the source away once there were enough binaries made for each country-specific device.)

I contacted Huawei a couple of times and they don't really offer much help other than bootloader codes for OEM unlock, which our device doesn't even need, 'cause it's already unlocked and accepts flashing.

I've tried exploiting applypatch but yeah, that did not go anywhere.

Update zip resigning worked, well, partially, but I'm not going through that again.

Reverse engineering it is.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App
Reply
#18
(02-14-2017, 11:54 PM)techyzen101 Wrote:
(02-07-2017, 04:15 AM)Skyjohn5510 Wrote: From the uboot source code found on GitHub (sprd_project), the function that decrypts the RSA-encrypted hash is inside the on-chip ROM, while the SBL and u-boot are on the eMMC chip.

When the bootloader validates the sprd-secureflag, it takes the hash and key from the header of the file being validated, then calls a function from the i-rom named rsa_modpow (this function takes 3 arguments instead of the 2 that the regular RSA modpow does, at least from what I found on Google) to decrypt the RSA-encrypted hash, then compares it with the hash generated by the i-rom. The hash seems to be SHA1. I haven't reversed the uboot of my phone yet; this information is just what I guess from reading the source code on GitHub.

Now my idea is: if they really placed the key and the encrypted hash together in the header of the bootloader, and we knew how the customized rsa_modpow works, we can just use our own key to encrypt the hash to make our own bootloader valid.

Interesting find! I couldn't go anywhere with the source code as I've been busy.

Although, our problem now is if Spreadtrum bothered changing the source code these past few years, 'cause the one hosted on GitHub is quite old.

(Heck, if they did, Huawei probably just threw the source away once there were enough binaries made for each country-specific device.)

I contacted Huawei a couple of times and they don't really offer much help other than bootloader codes for OEM unlock, which our device doesn't even need, 'cause it's already unlocked and accepts flashing.

I've tried exploiting applypatch but yeah, that did not go anywhere.

Update zip resigning worked, well, partially, but I'm not going through that again.

Reverse engineering it is.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App

Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile
Reply
#19
(02-15-2017, 08:39 PM)anil dasari Wrote: Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile

It's not that easy, as our device doesn't freely accept any ROM that isn't based on stock right now.

So nothing will boot; even ports from famous ROMs won't work.

Let's look forward to what John can come up with.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App
Reply
#20
(02-16-2017, 12:59 AM)techyzen101 Wrote:
(02-15-2017, 08:39 PM)anil dasari Wrote: Please port a similar kind of latest ROM to this device; that is enough.

Sent from my V502830 using Hovatek mobile

It's not that easy, as our device doesn't freely accept any ROM that isn't based on stock right now.

So nothing will boot; even ports from famous ROMs won't work.

Let's look forward to what John can come up with.

Sent from my HUAWEI Y541-U02 using the Hovatek Forum App

http://forum.gsmhosting.com/vbb/f929/hua...y-2190880/ Bootloader unlocking guide. Got this from some other forum; check whether it is working or not.

Sent from my V502830 using Hovatek mobile
Reply









