[Development] Huawei Y541-U02 | Bootloader Security

techyzen101 (Junior Member)
25-10-2016, 04:40 AM
#1
Introduction
The System-On-a-Chip the device runs on is enforced with a proprietary secure-boot. Nothing but official images and binaries are accepted to be flashed.

Background
Booting goes through three stages: bootrom, bootloader and kernel. According to documents about secure boot on these chips, there is a root certificate on the hardware with a chain-of-trust security protocol. Each phase checks the binaries the other contains.

To generate a header, we need a key pair. A key pair consists of a password of exactly eight ASCII characters together with a key of not more than forty-nine characters. In the Spreadtrum document referenced below the key is treated as the product name.

The signing process needs three key pairs found in sig_keys.ini that will be read by RSAKeyGen and generate keys.db. The generated keys.db will always be referenced by the signing tools along with sig_bins.ini which contains the filename inputs and outputs.

Now the first and second key pairs are used to sign fdl1.bin and u-boot-spl-16k.bin with BscGen. Second and third key pairs are used to sign fdl2.bin and u-boot.bin with VLRSign. The last one is used alone to sign boot.img and recovery.img with VLRSign. The RSA + hash of the file is prepended and appended to the first two sets of boot files, and the rest have it only prepended.

In the Spreadtrum document, it is stated that only the hash value of the first boot binary, in this case fdl1.bin, should match the hash stored in the chip.

Reading through the document some more, it has come to my attention that apparently the hash of the signed boot binary is what the chip holds. It emphasized protection of the key.db because it contains randomly generated RSA for the key pair. I've compared two identical key pair sets and it does what it stated. Losing the key.db means the board is scrapped if it were in manufacturing.

That closes our brute force attack option, sad to say.

Digging Around The Binaries
Having the u-boot binaries on hand I managed to extract two oem commands:
Code:

oem get-psid
oem get-bootinfo

oem get-psid:
Code:

(bootloader) SN:Y541XXXXXXXXXXXX-XXXXX

OKAY [  0.007s]
Finished. Total time: 0.007s

oem get-bootinfo:
Code:

(bootloader) INFO:unlocked

OKAY [  0.015s]
Finished. Total time: 0.015s

As you can see, these are just information commands and yes, the bootloader is unlocked, which is bogus. There was never an unlock code given by Huawei upon contacting them. They said the device isn't supported in the database, which, funnily enough, is true, because there was no oem unlock command to begin with.

I hope I'm wrong, though what a few related documents about security itself say is that companies either allow or deny you control over unlocking. Unless Huawei gives us the key.db we will be going nowhere with the brute force method.

Engineering Mode
One can open the engineering application to debug and show more information about the device by dialing:
Code:

*#*#83781#*#*

The documents stated something about checking if the hash is written on the chip by going to the HARDWARETEST tab. My device just says hash value written. Kept our hopes up, I know.

Navigating to DEBUG&LOG, you will find System Info. Click on that and then click on Version Info.

My device:
Code:

Platform Version: MOCORTM_14B_TSHARK28_HUAWEI_W15.34_P5_Debug
Project Version: sc7731g_CP0_modem
BASE Version: TM_BASE_MP_II_HUAWEI_W16.06
HW Version: sc7731g_CP0_modem
Release Date: 02-18-2016 10:02:37

This might come in handy for finding source code, and also possibly prevent flashing the wrong firmware.

Entrypoint
Our only option right now is finding exploits in the bootloader, since we do have some of the source code to base off of, or with any luck a leaked private key.db, given we have the signing tools. Check the relevant repository link below.

Final Thoughts
This device is a headache to be honest. I've been scouring everything I could find about it since 2016. Much appreciated if an able body can proceed to help, or just go to Huawei Support and ask them through e-mail.

The instructions for using the signing tool are in the GitHub repository linked below, and a related paper for the interested.

In any case this post will continue to be updated.

Resources
This post was last modified: 17-08-2020, 12:07 PM by techyzen101. Edit Reason: Updates
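To make the chain described in the post concrete, here is an added toy model; it is not code from the post or from Spreadtrum's tools. It assumes tiny fixed Mersenne primes in place of the random keys in keys.db, an invented header layout, and reads "two key pairs per header" as each image being signed with its own stage key while carrying the next stage's public modulus.

```python
"""Toy model of the chain of trust described in the post (constructed example).
Fixed Mersenne primes replace the random keys.db; the header layout is invented."""
import hashlib

E = 65537
SIG = 32  # bytes reserved for the toy signature and the embedded modulus
KEYS = [(p * q, pow(E, -1, (p - 1) * (q - 1))) for p, q in  # stand-in for keys.db
        [(2**31 - 1, 2**61 - 1), (2**89 - 1, 2**107 - 1), (2**19 - 1, 2**127 - 1)]]

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(body: bytes, key) -> bytes:
    n, d = key  # textbook RSA on the hash reduced mod n; no padding (toy only)
    return pow(h(body) % n, d, n).to_bytes(SIG, "big")

def wrap(payload: bytes, key, next_n=None, both_ends=False) -> bytes:
    """Sign payload (prefixed with the next stage's modulus, if any). Early-boot
    images get the signature prepended AND appended, as the post describes."""
    body = (next_n.to_bytes(SIG, "big") if next_n else b"") + payload
    sig = sign(body, key)
    return sig + body + (sig if both_ends else b"")

def check(image: bytes, n: int, has_next: bool, both_ends: bool):
    """Next-stage modulus (or True) if the image verifies under n, else None."""
    sig, body = image[:SIG], image[SIG:]
    if both_ends:
        if body[-SIG:] != sig:
            return None
        body = body[:-SIG]
    if pow(int.from_bytes(sig, "big"), E, n) != h(body) % n:
        return None
    return int.from_bytes(body[:SIG], "big") if has_next else True

def build(keys, payloads):
    """Factory side: chip keeps hash of the *signed* fdl1 plus the root modulus."""
    fdl1 = wrap(payloads[0], keys[0], keys[1][0], both_ends=True)
    uboot = wrap(payloads[1], keys[1], keys[2][0], both_ends=True)
    bootimg = wrap(payloads[2], keys[2])
    return (hashlib.sha256(fdl1).digest(), keys[0][0]), fdl1, uboot, bootimg

def boot(chip, fdl1: bytes, uboot: bytes, bootimg: bytes) -> bool:
    """Device side: bootrom checks the fdl1 hash, then each stage checks the next."""
    root_hash, n1 = chip
    if hashlib.sha256(fdl1).digest() != root_hash:
        return False
    n2 = check(fdl1, n1, True, True)
    n3 = n2 and check(uboot, n2, True, True)
    return bool(n3 and check(bootimg, n3, False, False))
```

Rebuilding the same payloads with a different key set changes the signed fdl1, so its hash no longer matches the chip and the device rejects the whole set at the root, which is the property the post says makes a lost keys.db unrecoverable.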
techyzen101 (Junior Member)
28-10-2016, 03:35 AM
#2
After some digging, and editing, u-boot was able to compile, but the FDLs and SPL are non-existent so still no unsecured flashing.

ro.product.hardware is "SP7731GEA_V1.0.0"
ro.hardware is "sc8830"

Found another source for u-boot that supports most Spreadtrum chips, but it does not compile out of the box (at least sc8830, as tested). I'm not quite on good terms with full source-code editing, so I'll keep things as they are for now.

Old & Specifically edited for sc7731 already here.
Kinda newer and complete here.
techyzen101 (Junior Member)
31-10-2016, 03:23 PM
#3
Emailed Huawei Support about this, hoping for the best.

By the way, here are some of the ROM dumps I have made here, if it helps.
In the package is boot.img, recovery.img, mmcboot0.bin (SPL), mmcboot1.bin (U-BOOT)
anil dasari (Senior Member)
01-11-2016, 05:35 PM
#4
Thanks for the information. Please develop some ROMs like Lollipop or Marshmallow; we have been eagerly waiting for 1 year.
anil dasari (Senior Member)
01-11-2016, 05:37 PM
#5
I'm hoping you will be the one who can do it, man.
techyzen101 (Junior Member)
10-11-2016, 10:32 AM
#6
Received Huawei Support's response on the matter and sadly, it's impossible.

Though, not giving up yet, as there's still some other ways: using bootloaders from different region PAC firmwares. I have heard that Chinese versions of the firmware for our device have their bootloader unlocked, so there might be hope.
anil dasari (Senior Member)
11-11-2016, 05:12 AM
#7
(10-11-2016, 10:32 AM) techyzen101: Received Huawei Support's response on the matter and sadly, it's impossible.

Though, not giving up yet, as there's still some other ways: using bootloaders from different region PAC firmwares. I have heard that Chinese versions of the firmware for our device have their bootloader unlocked, so there might be hope.

Best of luck, try till you get the same.

Sent from my Elite Plus using Hovatek mobile
techyzen101 (Junior Member)
29-11-2016, 01:36 PM
#8
Putting this on pause since I do not have the know-how; instead, we will probably wait for an able body to shed some light on this situation.

Try the modified stock ROM that I made for now.
https://www.hovatek.com/forum/thread-15761.html
This post was last modified: 29-11-2016, 01:40 PM by techyzen101.
anil dasari (Senior Member)
03-12-2016, 04:28 AM
#9
(29-11-2016, 01:36 PM) techyzen101: Putting this on pause since I do not have the know-how; instead, we will probably wait for an able body to shed some light on this situation.

Try the modified stock ROM that I made for now.
https://www.hovatek.com/forum/thread-15761.html

Will this work on Indian devices?

Sent from my Elite Plus using Hovatek mobile
techyzen101 (Junior Member)
03-12-2016, 08:15 AM
#10
(03-12-2016, 04:28 AM) anil dasari: Will this work on Indian devices?

Sent from my Elite Plus using Hovatek mobile

I am not sure, so please create a backup first. I will post the dumping/backup guide soon.

And I advise that you update to B116 after backing up.